
Responsible Vulnerability Disclosure Policy

Last updated on April 20, 2021

  • Locus works closely with security researchers to identify and fix security vulnerabilities in our infrastructure and products. If you believe you have found a security issue, we encourage you to notify us and work with us along the lines of this disclosure policy.
  • Let us know as soon as you discover a potential security issue. Depending on the severity, these issues will be given the appropriate priority. Do not publicly disclose part, or all of the vulnerability until we have had a chance to investigate and remediate it with you.
  • Notify us at security@locus.sh. If you believe you have found a vulnerability that affects confidential information (such as customer data, source code, credentials, etc.) or personally identifiable information, please confirm the potential issue with our team before attempting to gain access to the information or downloading any confidential data.
  • If you discover any personally identifiable information, do not disclose it to any third party.
  • Do not retain any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Attacks that are expressly out of scope include:
    • Denial of Service
    • Spam
    • Social-engineering / phishing Locus staff
    • Physical security testing of Locus premises or data centers
    • Attacks that destroy or corrupt data, information or infrastructure, or put our customers, or the public at large at risk
    • Attacks that misrepresent Locus to other parties
    • Attacks on third party services
  • Locus will acknowledge receipt of a security report before the end of the following business day, and will then work with you to remediate any vulnerabilities. We publicly acknowledge security researchers who follow this responsible disclosure policy depending on the severity of the vulnerability reported, and may include them in our private bounty program which has additional scope, access, and rewards.
  • If you are uncertain of the rules of engagement, or anything else related to how to work with us on security issues, please write to us at security@locus.sh beforehand. It’s always better to seek clarification first.
  • Locus will not entertain any bug reports where additional details or disclosure are contingent on commercial reward. We would consider this a (rather unethical) commercial penetration test solicitation, not good faith security research. However, Locus will issue appreciative rewards based on the CVSS rating of the vulnerability. Please include a CVSS rating along with the PoC report.
  • Locus typically only considers “High” or “Medium” severity issues. Here is an indicative list of issues that are not considered:
    • Issues found through automated testing
    • “Scanner output” or scanner-generated reports
    • Presence of banner or version information
    • OPTIONS / TRACE HTTP method enabled
    • XML-RPC presence / issues
    • Publicly-released bugs within 3 days of their disclosure
    • “Advisory” or “Informational” reports such as user enumeration
    • Vulnerabilities requiring physical access to a system
    • Denial of Service (DoS and DDoS) attacks
    • Missing CAPTCHAs
    • Default web-server pages
    • Brute-force attacks
    • Spam or social engineering techniques, including:
      • SPF, DKIM, DMARC issues
      • Content injection
      • Hyperlink injection in emails
      • IDN homograph attacks
      • RTL Ambiguity
    • Content Spoofing
    • Issues relating to password policy
    • Full-path disclosure
    • Version number information disclosure
    • Clickjacking / frame-redressing
    • CSRF-able actions that do not require authentication (or a session) to exploit
    • Issues on 3rd-party subdomains / domains of services we use. (Please report those issues to the appropriate service.)
    • Reports related to the following security-related headers:
      • Strict Transport Security (HSTS)
      • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
      • X-Content-Type-Options
      • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Turn-around times for “High”, “Medium” and “Low” risk vulnerabilities are 1 week, 2 weeks and 4-6 weeks respectively. Expect a response from us accordingly.