Here at Selly Automotive,  we are committed to ensuring the security of our customers and their data. Our company is now formalizing our policy for accepting vulnerability reports and encourage an open relationship with the community of ethical security researchers. We understand that what this community does is important in our efforts in ensuring safe cyberspace for our customers.

The leadership of Selly Automotive has developed this policy to reflect our values and commitment to cybersecurity.

CURRENT SCOPE

Selly Automotive’s Vulnerability Disclosure Program is currently covering the following platform and services:

• Selly Automotive - Web Platform (https://www.sellyserver.co)

While Selly Automotive develops various services across different platforms under its flagship product, we are asking that all ethical security researchers submit vulnerability reports only for the stated platform and services list. We intend to increase our scope as we build the capacity and experience in this process.

LEGAL POSTURE

Selly Automotive will not pursue legal actions against ethical security researchers who submit a vulnerability report through our Vulnerability Submission Form. We are openly accepting reports for the currently listed platform and services. Furthermore, we agree not to pursue legal actions against ethical security researchers who:

• Engage in the testing of our system or perform security research without harming Selly Automotive and its customers.
• Engage in the vulnerability testing of our system within the scope of our Vulnerability Disclosure Program.
• Test our platforms and services without affecting our customers, or received permission and consent from customers before engaging in vulnerability testing against their devices that have access to our platforms.
• Adheres to the laws of their location, the laws of the State of California, and the United States of America.
• Refrained from disclosing vulnerability details to the public before a mutually agreed timeframe expires.

HOW TO SUBMIT A VULNERABILITY REPORT

Please use this form to submit a vulnerability:

PREFERENCE, PRIORITIZATION, AND ACCEPTANCE CRITERIA

We expect you to:

• Submit a well-written report in English.
• Submit a proof-of-concept.
• Submit a report only for the scoped platform and service.

Expect us to:

• Respond to your submission within 3 business days.
• Send an expected remediation timeline as well as issues or challenges that may extend it.
• Enable an open dialogue between you and us to discuss the issue.
• Notification at every stage of our review process and remediation process.
• Credit after the vulnerability has been validated and fixed.