Vulnerability Disclosure Policy

Effective Date: September 1, 2025

Security is Our Shared Responsibility

At AutoCents™, we take the security and integrity of our platform and customer data very seriously. We welcome reports of security vulnerabilities from security researchers, users, and the public, and we are committed to responding responsibly.

Responsible Disclosure

We work with security researchers to identify and fix vulnerabilities before they can be exploited by malicious actors.

Quick Response

We acknowledge reports within 24 hours and provide regular updates throughout the investigation and remediation process.

Recognition

We recognize and appreciate contributions from researchers who help us improve our security posture.

Our Security Commitments

Safe Harbor: We provide legal protection for good-faith security research
Clear Scope: We clearly define what vulnerabilities are in-scope for reporting
Timely Response: We respond to reports within 24 hours and provide regular updates
Coordinated Disclosure: We work with researchers on responsible disclosure timelines
Recognition: We acknowledge qualifying reports and may provide public recognition
Continuous Improvement: We use vulnerability reports to strengthen our security

Ready to Report a Vulnerability? Send your report to security@speedlimit.com with detailed information about the issue you've discovered.

Report Vulnerability

If you believe you have discovered a security vulnerability in AutoCents that is in-scope (see below), please report it as soon as possible to our security team. To submit a report, send an email to:

security@speedlimit.com

Include the following in your report:

  • A clear and comprehensive summary of the vulnerability and its potential impact.
  • Step-by-step reproduction instructions (with environment details: browser, OS, etc.).
  • Proof-of-concept code or screenshots, if available.
  • Any relevant URLs, endpoints, or API methods involved.
  • Your contact information, so we can follow up.

In-Scope

Vulnerabilities or issues in the following systems/components are in-scope:

Web Application & APIs

  • The AutoCents web application and its subdomains
  • AutoCents APIs and integrations (where applicable)

Authentication & Authorization

  • Account access, authentication, authorization, and permission escalations
  • Data exposure vulnerabilities (including personally identifiable information, or "PII," or other sensitive data)

Security Vulnerabilities

  • Injection vulnerabilities (e.g., SQL injection, cross-site scripting) and cross-site request forgery
  • Privilege escalation, cross-tenant data isolation failures, and security misconfigurations

CVSS Score Requirement

Note: To qualify for acknowledgement or recognition, the reported vulnerability should have a CVSS base score of 4.0 or higher (Medium severity or above). Please include your CVSS vector string in the report so we can verify the scoring.

Out-of-Scope

The following are not in scope (we may choose not to act on reports of these issues, though you may report them nonetheless):

Third-Party Issues

  • Issues in third-party services or dependencies that are outside of our direct control
  • Social engineering, phishing, or spam attacks targeting AutoCents employees, unless the report enables us to reproduce and defend against the technique

Physical & DoS Attacks

  • Physical attacks, or vulnerabilities requiring physical access to hardware
  • Denial-of-Service (DoS) or resource exhaustion attacks (unless such attack reveals another in-scope vulnerability)

Low Impact Issues

  • Theoretical vulnerabilities without a proof of concept or reproducible steps
  • Minor issues with low impact (e.g., missing security headers, minor UI defects) that do not compromise data security or user safety

Researcher Guidelines

When submitting a report, we ask that you:

Testing Boundaries

  • Only test vulnerabilities on your own account or with explicit permission
  • Avoid accessing, modifying, or deleting data that is not yours, except to the minimal extent required to demonstrate the issue
  • Limit the scope of your testing, and work in good faith to avoid service disruption or other negative impacts

Responsible Disclosure

  • Maintain the confidentiality of the vulnerability until we have had a reasonable opportunity to address it
  • Do not carry out attacks or exploits beyond what is necessary to demonstrate the vulnerability
  • Work with us to coordinate disclosure timelines

Safe Harbor

Legal Protection for Researchers

AutoCents will not pursue legal action against anyone who, in good faith:

  • Reports vulnerabilities through this policy,
  • Complies with the guidelines laid out here,
  • Does not violate applicable laws, and
  • Does not intentionally harm or expose user data beyond what is required to demonstrate the vulnerability.

Important Note:

This safe harbor applies only to the extent permitted by applicable law. If you are uncertain whether your testing would violate this policy or local law, contact us first at security@speedlimit.com for clarity.

Response & Disclosure Timeline

We aim to handle vulnerability reports as follows:

  • Acknowledgement of receipt: within 24 hours of receiving your report
  • Initial validation: within 3 business days
  • Regular status updates: at least every 7 days while the issue is under investigation
  • Resolution of critical/severe vulnerabilities: as quickly as possible, targeted within 30 calendar days (or sooner if feasible)
  • Coordinated public disclosure: once the issue is remediated, subject to mutual agreement (if applicable)

Rewards / Recognition

Recognition Program

At this time, AutoCents does not offer financial bounties for vulnerability reports. However, we do recognize and appreciate contributions from researchers.

For qualifying reports (CVSS base score 4.0 or higher), we may provide non-monetary acknowledgments such as:

  • Public recognition on our website
  • A listing in our security researcher hall of fame
  • A certificate of appreciation

Any public recognition is subject to your consent.

Changes to This Policy

We may update this Vulnerability Disclosure Policy periodically. When we do, we will:

  • Post the revised version here with a new Effective Date
  • Notify security researchers of significant changes
  • Maintain backward compatibility where possible

Stay Updated

We encourage security researchers to review this page from time to time to stay informed of any changes to our vulnerability disclosure process.

Governing Law

This policy is governed by the laws of the State of New Hampshire, United States. Any legal actions or disputes arising from this policy shall be subject to those laws.

Jurisdiction

Any disputes or legal matters related to this vulnerability disclosure policy will be resolved in the courts of New Hampshire, United States.

Contact Us

If you have questions or concerns about this policy, or about whether a vulnerability is in scope, you can reach out:

Nitron Digital LLC dba Speedlimit.com

Security Team: security@speedlimit.com
Mailing Address: 923 Elm St, Suite 23, Manchester, New Hampshire, USA

Response Time: We typically respond to security inquiries within 24 hours. For urgent security matters, please mark your email as "URGENT" in the subject line.