In the spirit of our mission to safely connect people with the places, things, and experiences they care about, the Security team at Cruise is committed to addressing any issues identified by the broader security community. If you believe you have discovered a vulnerability in our platform or applications, please reach out to firstname.lastname@example.org.
You should include the following details in your email:
Vulnerability details, including a potential impact description
How the issue was originally identified, and steps we can take to verify it
Where relevant, screenshots or a code sample will help us remediate the issue quickly
Any files with sensitive information should be encrypted with our GPG key
Protect Your Personal Information — Cruise LLC has learned that individuals with no connection to Cruise and no authority to make employment offers on behalf of Cruise have been using our name in an effort to capture personal information. Methods include initiating contact via SMS message, sending invitations to conduct fictitious hiring interviews through an app called Telegram, and/or sending emails from unauthorized domains such as “@getcruise.org” to make fraudulent offers of employment. We have no connection with these individuals, and Cruise does not use the Telegram app in any of its hiring.
Please note that Cruise LLC does not require prospective employees to pay any processing fees to secure employment and will never ask candidates to send us any money. Any legitimate Cruise email will come from the @getcruise.com domain.
If you receive outreach via SMS or Telegram from an individual claiming to represent Cruise LLC, or if you receive an email from an individual using an email with any domain other than @getcruise.com claiming to offer employment at Cruise LLC, please do not disclose any personal information, do not send any money, and contact email@example.com so we can take appropriate steps.
Never put the safety of our users (like customers, riders, and Cruise employees) or the integrity of our fleet in jeopardy!
Cruise vehicles are not in scope for vulnerability disclosure, and should never be the subject of external security research. This policy is to ensure the continued safety of all our users.
Any issues identified with privately-owned GM vehicles can be reported here, in accordance with GM guidelines on research and disclosure.
Act in good faith when a vulnerability is discovered, and throughout the disclosure process. We ask that you:
Do not use identified vulnerabilities for further information gathering or exploitation of any Cruise applications or systems.
Do not access any Cruise user’s data, except data associated with your own account(s) or with accounts that you have explicit permission to access.
In the case of incidental exposure of data that you do not have permission to access, do not save, store, copy, or transfer the data in any form. Report the issue immediately to firstname.lastname@example.org.
Do not publicly disclose any identified vulnerabilities without prior consent from Cruise.
Disclosure of vulnerabilities to Cruise should be unconditional. Do not use knowledge of a vulnerability to extort Cruise or make compensation / ransom requests.
Follow all applicable laws during vulnerability identification and disclosure, including all applicable export control, sanctions and embargo laws and regulations.
Cruise agrees not to pursue civil action against researchers who act in good faith and who follow the Terms on Responsible Disclosure (“Terms”) outlined above. Research activities conducted in good faith and consistent with the Terms will be considered “authorized” conduct under the Computer Fraud and Abuse Act. If the Terms are met, we will not bring a Digital Millennium Copyright Act claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with Cruise’s Responsible Disclosure Terms, we will, if asked, state that your actions were conducted in accordance with these Terms.