Locus_Supply_Chain_Optimization_Logo
bg-pattern-image bg-pattern-image bg-pattern-image

Responsible Vulnerability Disclosure Policy

Last updated on Dec 18, 2020

  • Locus works closely with security researchers to identify and fix any security vulnerabilities in our infrastructure and products. If you believe you have found a security issue, we encourage you to notify us and work with us on the lines of this disclosure policy.
  • Let us know as soon as you discover a potential security issue. Depending on the severity, these issues will be given the appropriate priority. Do not publicly disclose part, or all of the vulnerability until we have had a chance to investigate and remediate it with you.
  • Notify us on ​security@locus.sh. If you believe you have found a vulnerability that affects confidential information (such as customer data, source-code, credentials etc.), or personally identifiable information, please confirm the potential issue with our team prior to attempting to gain access to the information or downloading any confidential data.
  • In case if you discovered any personally identifiable information, do not disclose any such information to any third party.
  • Do not retain any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Attacks that are expressly out of scope include:
    • Denial of Service
    • Spam
    • Social-engineering / phishing Locus staff
    • Physical security testing of Locus premises or data centers
    • Attacks that destroy or corrupt data, information or infrastructure, or put our customers, or the public at large at risk
    • Attacks that misrepresent Locus to other parties
    • Attacks on third party services
  • Locus will acknowledge receipt of a security report before the end of the following business day, and will then work with you to remediate any vulnerabilities. We publicly acknowledge security researchers who follow this responsible disclosure policy depending on the severity of the vulnerability reported, and may include them in our private bounty program which has additional scope, access, and rewards.
  • In case you are uncertain of the rules of engagement, or anything else related to how to work with us on security issues, please write to us on security@locus.sh beforehand. It’s always better to seek clarification first.
  • Locus will not entertain any bug reports where additional details or disclosure are contingent on commercial reward. We would consider this a (rather unethical) commercial penetration test solicitation, not good faith security research. However, Locus will issue appreciative rewards based on the CVSS rating of the vulnerability. It is advised to include CVSS rating along with the PoC report.
  • Locus typically only considers “High” or “Medium” severity issues. Here is an indicative list of issues that are not considered:
    • Issues found through automated testing
    • “Scanner output” or scanner-generated reports
    • Presence of banner or version information
    • OPTIONS / TRACE HTTP method enabled
    • XML-RPC presence / issues
    • Publicly-released bugs within 3 days of their disclosure
    • “Advisory” or “Informational” reports such as user enumeration
    • Vulnerabilities requiring physical access to a system
    • Denial of Service (DoS and DDoS) attacks
    • Missing CAPTCHAs
    • Default web-server pages
    • Brute-force attacks
    • Spam or social engineering techniques, including:

      • SPF, DKIM,DMARC issues
      • Content injection
      • Hyperlink injection in emails
      • IDN homograph attacks
      • RTL Ambiguity
    • Content Spoofing
    • Issues relating to password policy
    • Full-path disclosure
    • Version number information disclosure
    • Clickjacking / frame-redressing
    • CSRF-able actions that do not require authentication (or a session) to exploit
    • Issues on 3rd-party subdomains / domains of services we use. (Please report those issues to the appropriate service.)
    • Reports related to the following security-related headers:

      • Strict Transport Security (HSTS)
      • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
      • X-Content-Type-Options
      • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
/assets/img/logo/locus-white.svg

Schedule a meeting with Locus

How can Locus help manage your logistics?

  • Locus’ proprietary geocoding engine converts the fuzziest of the addresses into precise geographical coordinates thereby helping your on-ground executives locate addresses easily.
  • Digitize all your operational variables such as fleets, delivery persons, etc to come up with the best route plan every day.
  • Track your orders in real-time with the Locus Live Dashboard. Locus’ last-mile delivery app Locus On The Road (LOTR) helps delivery partners process orders.
  • Visualize and tweak your scheduled plans via three key metrics— geography, time, & vehicle(fleet)—with a birds-eye view of your entire operations.
  • Build your own reports and analyze important parameters that you need to make key decisions.

Join Industry Leaders:

$100 M+
Logistics costs reduced
100+ Years
Planning time saved
6300 + Tonnes
GHG emissions reduced

Schedule a demo

By clicking submit, you are providing us with your consent to communicate via email or phone, regarding the demo you have requested.