Responsible Disclosure at Cruise

In the spirit of our mission to safely connect people with the places, things, and experiences they care about, the Security team at Cruise is committed to addressing any issues identified by the broader security community. If you believe you have discovered a vulnerability in our platform or applications, please reach out to disclosure@getcruise.com.

You should include the following details in your email: 

  • Vulnerability details, including a potential impact description

  • How the issue was originally identified, and steps we can take to verify it

  • Where relevant, screenshots or a code sample will help us remediate the issue quickly

  • Any files with sensitive information should be encrypted with our GPG key

Terms on Responsible Disclosure

  • Never put the safety of our users (like customers, riders, and Cruise employees) or the integrity of our fleet in jeopardy!

  • Cruise vehicles are not in scope for vulnerability disclosure, and should never be the subject of external security research. This policy is to ensure the continued safety of all our users. 

  • Any issues identified with privately-owned GM vehicles can be reported here, in accordance with GM guidelines on research and disclosure.

  • Act in good faith when a vulnerability is discovered, and throughout the disclosure process. We ask that you:

    • Do not use identified vulnerabilities for further information gathering or exploitation of any Cruise applications or systems.

    • Do not access any Cruise user’s data, except data associated with your own account(s) or with accounts that you have explicit permission to access. 

    • In the case of incidental exposure of data that you do not have permission to access, do not save, store, copy, or transfer the data in any form. Report the issue immediately to disclosure@getcruise.com.

    • Do not publicly disclose any identified vulnerabilities without prior consent from Cruise.

  • Disclosure of vulnerabilities to Cruise should be unconditional. Do not use knowledge of a vulnerability to extort Cruise or make compensation / ransom requests. 

  • Follow all applicable laws during vulnerability identification and disclosure, including all applicable export control, sanctions and embargo laws and regulations.

Safe Harbor

  • Cruise agrees not to pursue civil action against researchers who act in good faith and who follow the Terms on Responsible Disclosure (“Terms”) outlined above. Research activities conducted in good faith and consistent with the Terms will be considered “authorized” conduct under the Computer Fraud and Abuse Act. If the Terms are met, we will not bring a Digital Millennium Copyright Act claim against you for circumventing the technological measures we have used to protect the applications in scope.

  • If legal action is initiated by a third party against you and you have complied with Cruise’s Responsible Disclosure Terms, we will, if asked, state that your actions were conducted in accordance with these Terms.

Read more about Security at Cruise on our Medium