Responsible Disclosure Policy


Purpose

At Arrival, the safety and security of our customers and users have always been a top priority. We are dedicated to continuously improving our products, focusing on changing market needs and technological breakthroughs as well as the evolving threat surface and new attack vectors. This Responsible Disclosure Policy is in place to identify new vulnerabilities and security issues in the hardware, software and services provided and maintained by Arrival, and to address them in a timely manner.

Scope

You can report a vulnerability or security issue in any Arrival product or service, excluding end-of-life Arrival products and services.
Reporting a vulnerability in good faith, whether discovered through academic or private research, is possible through our Responsible Disclosure Policy and will not be penalised. Targeted, malicious or persistent attacks, however, are strictly forbidden and will be reported to the relevant authorities in accordance with the applicable laws.

Third-party bugs

If issues reported to us affect a third-party library, external project, or another vendor, Arrival reserves the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers through this process.

How to report

You can submit a vulnerability or security issue report by contacting us at [email protected]
Do not send any issue information in an unencrypted email. Instead, encrypt it with PGP using the key published in the PGP Key section below.
PGP key fingerprint: 020B 618B 8AEA B155 9718 9CC0 58AA 1FAA E605 6E0D

What we are looking for

Please send us the following information over a secure channel to be able to address the issue:
  • Arrival product or service affected, including version numbers if applicable;
  • Steps to reproduce the vulnerability/security issue including technical details as well as supporting evidence, e.g. logs, screenshots, pictures, exploit code;
  • Vulnerability/security issue type, e.g. spoofing, tampering, remote code execution, information disclosure, denial of service, elevation of privilege;
  • If you are reporting a cross-site scripting (XSS) vulnerability, your exploit should at least pop up an alert in the browser; it is much better if the XSS exploit shows the user’s authentication cookie;
  • For a cross-site request forgery (CSRF), demonstrate a proper CSRF case in which a third party causes the logged-in victim to perform an action;
  • For a SQL injection, we want to see the exploit extracting database data, not just producing an error message;
  • HTTP request/response captures or simply packet captures are also very useful to us;
  • Make sure the bug is exploitable by someone other than the user themselves (for example, “self-XSS” does not qualify).
Please include only information necessary for Arrival to analyse the vulnerability/security issue properly, i.e. do not submit any personal or sensitive personal information. All your personal data will be processed in accordance with Arrival’s Privacy Policy.

What we are not looking for

  • Descriptive error messages (e.g. application or server errors);
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages;
  • Banner disclosure on common/public services;
  • Disclosure of known public files or directories, (e.g. robots.txt);
  • Clickjacking and issues only exploitable through clickjacking;
  • CSRF on forms that are available to anonymous users (e.g. the contact form);
  • Logout Cross-Site Request Forgery (logout CSRF);
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality;
  • Lack of Secure and HTTPOnly cookie flags;
  • Lack of a security “speed bump” warning when leaving the site;
  • Weak Captcha / Captcha Bypass;
  • Username enumeration via Login Page error message;
  • Username enumeration via Forgot Password error message;
  • Login or Forgot Password page brute force and account lockout not enforced;
  • OPTIONS / TRACE HTTP method enabled;
  • SSL/TLS attacks such as BEAST, BREACH or renegotiation attacks;
  • SSL/TLS forward secrecy not enabled;
  • SSL/TLS insecure cipher suites;
  • Missing HTTP security headers, specifically the anti-MIME-sniffing header X-Content-Type-Options.

Vulnerability Reporting Agreement

Please review these terms before you test and/or report a vulnerability. Arrival pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.

Arrival does not permit the following types of security research

Whilst we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
  • Performing actions that may negatively affect Arrival, its personnel or its customers;
  • Compromising the safety of a vehicle or exposing others to an unsafe condition;
  • Accessing, or attempting to access, data or information that does not belong to you;
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you;
  • Conducting any kind of physical or electronic attack on Arrival personnel, property or data centers;
  • Social engineering any Arrival service desk, employee or contractor;
  • Conducting vulnerability testing of participating services using anything other than test accounts;
  • Violating any laws or breaching any agreements in order to discover vulnerabilities.

Arrival security team commitment

We ask that you do not share an unresolved vulnerability with third parties or publicise it. If you responsibly submit a vulnerability report, the Arrival security team and associated development organisations will use reasonable efforts to:
  • Respond in a timely manner, acknowledging receipt of your vulnerability report;
  • Provide an estimated time frame for addressing the vulnerability report;
  • Notify you when the vulnerability has been fixed;
  • Thank every individual researcher who submits a vulnerability report that helps us improve our overall security posture at Arrival.
Please note that by submitting a vulnerability report to us, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right, to use, modify, and incorporate your submission or any parts thereof into our products, services, or test systems without any further obligations or notices to you.
We would be thankful for any further relevant technical information that you may have, especially if reproduction is tricky: if we cannot reproduce the issue, we cannot reward you. However, there is no need to describe the security impact of your finding; we understand security risks and can work that out ourselves. We only need the technical details.

Rewards

  • We maintain flexibility with our reward system; rewards are based on severity, impact and report quality;
  • We do have specific things we are (and are not) looking for, so check the What we are looking for section;
  • If you report several issues that are duplicates in different parts of the service (e.g. the same code running on different nodes or platforms), or that are part of a larger issue, these may be combined into one, and only one reward may be given;
  • If someone else has already reported the finding earlier, we will let you know after the issue has been fixed. If several researchers report the same issue, we only reward the sender of the first report that provides us with enough technical details to reproduce the finding. We know that this would give us a loophole to claim that everything has already been found, but trust us, we want to be fair;
  • A reward will not be provided if the finding becomes known to anyone other than you or us, in any way, before it is fixed;
  • You can always track how your issue is progressing by contacting the Arrival Security team: [email protected]

PGP Key

For press enquiries please contact:
Victoria Tomlinson, Chief of Communications (Arrival PR Contact)
[email protected]