Locus works closely with security researchers to identify and fix any security vulnerabilities in our infrastructure and products. If you believe you have found a security issue, we encourage you to notify us and work with us on the lines of this disclosure policy.
Let us know as soon as you discover a potential security issue. Depending on the severity, these issues will be given the appropriate priority. Do not publicly disclose part, or all of the vulnerability until we have had a chance to investigate and remediate it with you.
Notify us on firstname.lastname@example.org. If you believe you have found a vulnerability that affects confidential information (such as customer data, source-code, credentials etc.), or personally identifiable information, please confirm the potential issue with our team prior to attempting to gain access to the information or downloading any confidential data.
In case if you discovered any personally identifiable information, do not disclose any such information to any third party.
Do not retain any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
Attacks that are expressly out of scope include:
Denial of Service
Social-engineering / phishing Locus staff
Physical security testing of Locus premises or data centers
Attacks that destroy or corrupt data, information or infrastructure, or put our customers, or the public at large at risk
Attacks that misrepresent Locus to other parties
Attacks on third party services
Locus will acknowledge receipt of a security report before the end of the following business day, and will then work with you to remediate any vulnerabilities. We publicly acknowledge security researchers who follow this responsible disclosure policy depending on the severity of the vulnerability reported, and may include them in our private bounty program which has additional scope, access, and rewards.
In case you are uncertain of the rules of engagement, or anything else related to how to work with us on security issues, please write to us on email@example.com beforehand. It’s always better to seek clarification first.
Locus will not entertain any bug reports where additional details or disclosure are contingent on commercial reward. We would consider this a (rather unethical) commercial penetration test solicitation, not good faith security research. However, Locus will issue appreciative rewards based on the CVSS rating of the vulnerability. It is advised to include CVSS rating along with the PoC report.
Locus typically only considers “High” or “Medium” severity issues. Here is an indicative list of issues that are not considered:
Issues found through automated testing
“Scanner output” or scanner-generated reports
Presence of banner or version information
OPTIONS / TRACE HTTP method enabled
XML-RPC presence / issues
Publicly-released bugs within 3 days of their disclosure
“Advisory” or “Informational” reports such as user enumeration
Vulnerabilities requiring physical access to a system
Denial of Service (DoS and DDoS) attacks
Default web-server pages
Spam or social engineering techniques, including:
SPF, DKIM,DMARC issues
Hyperlink injection in emails
IDN homograph attacks
Issues relating to password policy
Version number information disclosure
Clickjacking / frame-redressing
CSRF-able actions that do not require authentication (or a session) to exploit
Issues on 3rd-party subdomains / domains of services we use. (Please report those issues to the appropriate service.)
Reports related to the following security-related headers:
Strict Transport Security (HSTS)
XSS mitigation headers (X-Content-Type and X-XSS-Protection)
Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
Schedule a meeting with Locus
How can Locus help manage your logistics?
Locus’ proprietary geocoding engine converts the fuzziest of the addresses into precise geographical coordinates thereby helping your on-ground executives locate addresses easily.
Digitize all your operational variables such as fleets, delivery persons, etc to come up with the best route plan every day.
Track your orders in real-time with the Locus Live Dashboard. Locus’ last-mile delivery app Locus On The Road (LOTR) helps delivery partners process orders.
Visualize and tweak your scheduled plans via three key metrics— geography, time, & vehicle(fleet)—with a birds-eye view of your entire operations.
Build your own reports and analyze important parameters that you need to make key decisions.