Details

TomTom Vulnerability Disclosure Program

TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications.

This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.

In-Scope:

*.tomtom-global.com
*.tomtomgroup.com
*.tomtom.com
GitHub Organization: https://github.com/tomtom-international
- Public repositories only
- Archived repositories are excluded

Included in GitHub Repositories:

Source code in all public repositories
Configuration and deployment files
Dependencies and third-party integrations
Documentation that may contain security-sensitive information

Excluded from GitHub Repositories:

Private repositories
Production infrastructure
Third-party dependencies hosted elsewhere
Archived repositories

Out of Scope:

The following vulnerabilities are generally considered out of scope for our program:

Category	Description
Social engineering	Phishing, vishing, or other social engineering attacks.
Physical security	Access to buildings or data centers.
Denial of service (DoS)	Attacks that aim to disrupt service availability.
Spamming	Sending unsolicited messages.
Password brute-forcing	Automated attempts to guess passwords.
Clickjacking without impact	Reports of clickjacking without a clear security impact.
CSRF on low-impact forms	CSRF on forms with minimal security impact (e.g., contact forms).
Self-XSS	Vulnerabilities that require the user to execute the attack themselves.
Missing security headers without impact	Missing headers (e.g., X-Frame-Options) without a clear security consequence.
Best practice suggestions	General security advice or recommendations.
Third-party library issues	Vulnerabilities in libraries or frameworks, unless related to our implementation.
Outdated software versions	If a newer, patched version is available.
Publicly known vulnerabilities	Vulnerabilities that have already been disclosed.
Email not verified for account registration	Cases where email verification is not enforced.
Insufficient session logout	Session issues without demonstrable impact on user security.
Weak password policy	Reports about missing complexity requirements (e.g., length, special characters).
Open redirections without impact	Open redirections without direct impact on account compromise or data disclosure.
Destructive testing on repositories	Any testing that could damage or alter repository content or functionality.

Program Highlights:

Open Scope: Accepts reports for all owned assets based on impact, even if not listed in scope.
Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor.
Top Response Efficiency: This program's response efficiency is above 90%.

What You Can Expect From Us:

We will acknowledge receipt of your report within 5 business days.
We will investigate your report and keep you informed of our progress.
We will work with you to understand and validate the vulnerability.
We will remediate the vulnerability in a timely manner.

What We Expect From You:

Do not publicly disclose the vulnerability before we have had a reasonable time to address it.
Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.
Do not access or modify any user data without explicit permission.
Do not use attacks on physical security, social engineering, distributed denial of service or spam.
Do not attack third-party applications, systems, or products.
Act in good faith and with the intention of improving our security.

Disclosure Policy:

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines

Thank you for your interest and help in protecting the security of TomTom's products and services.

TomTom Vulnerability Disclosure Program

This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.

In-Scope:

*.tomtom-global.com

*.tomtomgroup.com

*.tomtom.com

GitHub Organization: https://github.com/tomtom-international

Public repositories only
Archived repositories are excluded

Included in GitHub Repositories:

Source code in all public repositories

Configuration and deployment files

Dependencies and third-party integrations

Documentation that may contain security-sensitive information

Excluded from GitHub Repositories:

Private repositories

Production infrastructure

Third-party dependencies hosted elsewhere

Archived repositories

Out of Scope:

The following vulnerabilities are generally considered out of scope for our program:

Category	Description
Social engineering	Phishing, vishing, or other social engineering attacks.
Physical security	Access to buildings or data centers.
Denial of service (DoS)	Attacks that aim to disrupt service availability.
Spamming	Sending unsolicited messages.
Password brute-forcing	Automated attempts to guess passwords.
Clickjacking without impact	Reports of clickjacking without a clear security impact.
CSRF on low-impact forms	CSRF on forms with minimal security impact (e.g., contact forms).
Self-XSS	Vulnerabilities that require the user to execute the attack themselves.
Missing security headers without impact	Missing headers (e.g., X-Frame-Options) without a clear security consequence.
Best practice suggestions	General security advice or recommendations.
Third-party library issues	Vulnerabilities in libraries or frameworks, unless related to our implementation.
Outdated software versions	If a newer, patched version is available.
Publicly known vulnerabilities	Vulnerabilities that have already been disclosed.
Email not verified for account registration	Cases where email verification is not enforced.
Insufficient session logout	Session issues without demonstrable impact on user security.
Weak password policy	Reports about missing complexity requirements (e.g., length, special characters).
Open redirections without impact	Open redirections without direct impact on account compromise or data disclosure.
Destructive testing on repositories	Any testing that could damage or alter repository content or functionality.

What We Expect From You:

Do not publicly disclose the vulnerability before we have had a reasonable time to address it.

Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.

Do not access or modify any user data without explicit permission.

Do not use attacks on physical security, social engineering, distributed denial of service or spam.

Do not attack third-party applications, systems, or products.

Act in good faith and with the intention of improving our security.

Disclosure Policy:

Thank you for your interest and help in protecting the security of TomTom's products and services.