Hertz Vulnerability Disclosure Program

Introduction

Welcome to the Hertz VDP! Join us in steering toward stronger security. -Hertz Security Team

Program Highlights

Open Scope Accepts reports for all owned assets based on impact, even if not listed in scope.

Gold Standard Safe Harbor Adheres to Gold Standard Safe Harbor.

Coordinated Vulnerability Disclosure Standard coordinated vulnerability disclosure practices.

Top Response Efficiency This program's response efficiency is above 90%.

Program Management Managed by HackerOne

• Average time to first response: 9 hours
• Average time to triage: 22 hours

Overview

Welcome to the Hertz Vulnerability Disclosure Program. As a global leader in vehicle rental services, Hertz is dedicated to providing exceptional customer experiences while safeguarding the security of our digital platforms. Our online systems and mobile applications power our operations across thousands of locations worldwide, making their protection a critical priority. We value the expertise of the security research community and invite you to help us strengthen our defenses by identifying vulnerabilities in our public-facing assets.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
• Only interact with accounts you own or with explicit permission of the account holder.

Test Plan

Users are able to sign up for a free account through our websites:

• https://www.hertz.com
• https://www.dollar.com
• https://www.thrifty.com

Please use your hacker email alias when testing ([email protected])

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

• "X-HackerOne-Research: [H1 username]"

Thanks for driving security with us—let's keep the road safe!