Security Policy
AutoDataMine is operated by Tortone Systems LLC d/b/a AutoDataMine. We take security seriously and follow a coordinated-disclosure model for vulnerability reports.
Supported versions
AutoDataMine is a hosted SaaS product. We operate one production version. Security fixes are applied to the live deployment.
Reporting a vulnerability
Email security@autodatamine.com with:
- A description of the vulnerability
- Steps to reproduce
- Affected components or URLs
- Your assessment of impact
- Whether you've notified anyone else
We will acknowledge receipt within 24 hours and aim to respond with our assessment within 5 business days.
Safe harbor
We will not pursue legal action against good-faith researchers who:
- Do not access more data than necessary to demonstrate the issue
- Do not alter, exfiltrate, or destroy data
- Do not degrade service for other users
- Give us a reasonable window to remediate before public disclosure (typically 90 days)
- Do not publicly disclose the vulnerability before we have had a chance to address it
Out of scope
- Findings from automated scanners without manual verification of exploitability
- Denial-of-service attacks
- Social engineering of AutoDataMine staff or dealerships
- Physical attacks
- Issues in third-party software we use that have been responsibly reported to the upstream vendor (please report there first)
Bounty
We do not currently offer a paid bug bounty. We will publicly credit researchers (with your permission) when we disclose fixed issues.
Encryption
PGP public key for security@autodatamine.com: to be published at https://autodatamine.com/.well-known/pgp-key.txt (to be added).
Related documents
- Privacy Policy: https://autodatamine.com/privacy
- Subprocessors: https://autodatamine.com/subprocessors
- security.txt: https://autodatamine.com/.well-known/security.txt