Logo

Responsible Disclosure

C & C Auto Sales is committed to the security of our services and our customers’ information. If you are a security researcher and believe that you have discovered a security vulnerability involving C & C Auto Sales services or sites, we encourage you to securely disclose it to us in a responsible manner, as directed by this Responsible Disclosure Policy (the “Policy”). We appreciate your efforts in helping protect customer trust and make C & C Auto Sales more secure. C & C Auto Sales reserves all legal rights in the event of any non-compliance with this Policy.

Reporting

We encourage security researchers to share the details of any suspected vulnerabilities by submitting the form at the Contact page - (the “Form”) as directed. Each submission will be reviewed to determine if the finding is valid and not previously reported. In order for a security researcher to be considered for monetary compensation, security researchers must include information sufficient to permit the vulnerability noted in the Form to be reproduced. If you discover personally identifiable information while exploring a suspected security vulnerability, we ask that you cease your investigation and report the vulnerability that led to such discovery immediately. If you identify a vulnerability in accordance with the Policy and the Form, C & C Auto Sales commits to working with you to understand, validate and address the vulnerability appropriately per the assessed risk.

Compliance with this policy

By submitting a potential vulnerability via the Form:

  • You agree not to publicly disclose the vulnerability unless and until C & C Auto Sales agrees to a public disclosure.
  • You agree to keep all communication with C & C Auto Sales confidential.
  • You represent that your finding is original to you and that if you submit a third-party finding, you represent that you have the permission to do so.
  • You allow C & C Auto Sales and its subsidiaries the unconditional ability to use, distribute or disclose information provided in your report.
  • You agree that C & C Auto Sales, in its sole determination, may reward or recognize findings made in accordance with this Policy.

The Form is not intended to be used by, and this Policy is not directed to:

  • Employees of C & C Auto Sales; C & C Auto Sales’s subsidiaries, affiliates, or partners;
  • Vendors currently working with or for C & C Auto Sales or C & C Auto Sales’s subsidiaries, affiliates, or partners; or
  • Residents of countries on the United States Office of Foreign Assets Control’s (OFAC) Sanctions List.

In addition, to remain compliant with this Policy, security researcher(s) are prohibited from:

  • Accessing, downloading, or modifying data residing in an account that does not belong to the security researcher(s);
  • Executing or attempting to execute any “Denial of Service” or related attack against any C & C Auto Sales system or service;
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software on or to any C & C Auto Sales system or service;
  • Testing any suspected vulnerability in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or any other form of unsolicited message;
  • Threatening or trying to extort C & C Auto Sales concerning the vulnerability;
  • Testing any suspected vulnerability in a manner that would degrade or negatively impact the operation of any C & C Auto Sales service or system; and/or
  • Testing third-party applications, websites, or services that integrate with or link to any C & C Auto Sales service or system.

Legal Safe Harbor

C & C Auto Sales will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Policy. We will waive any restrictions in our applicable Terms of Service that would prohibit your participation in C & C Auto Sales’s responsible disclosure program, so long as your participation is in accordance with the terms thereof, for the limited purpose of your security research under this Policy. We cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.

Don’t do anything illegal or unethical. You are responsible for complying with local laws, regulations, and any other restrictions.