Responsible Disclosure at May
In the spirit of our mission, the Security team at May is committed to addressing any issues identified by the broader security community. If you believe you have discovered a vulnerability in our platform or applications, please reach out to [email protected].
You should include the following details in your email:
Vulnerability details, including a potential impact description
How the issue was originally identified, and steps we can take to verify it
Where relevant, screenshots or a code sample will help us remediate the issue quickly
Terms on Responsible Disclosure
Never put the safety of our users (like customers, riders, and May Mobility employees) or the integrity of our fleet in jeopardy!
May Mobility shuttles are not in scope for vulnerability disclosure, and should never be the subject of external security research. This policy is to ensure the continued safety of the public and May employees.
Act in good faith when a vulnerability is discovered, and throughout the disclosure process. We ask that you:
Do not use identified vulnerabilities for further information gathering or exploitation of any May Mobility applications or systems.
Do not access any May Mobility user’s data, except data associated with your own account(s) or with accounts that you have explicit permission to access.
In the case of incidental exposure of data that you do not have permission to access, do not save, store, copy, or transfer the data in any form. Report the issue immediately to [email protected], and we will provide you with safe harbor as described below.
Do not publicly disclose any identified vulnerabilities without prior consent from May Mobility.
Disclosure of vulnerabilities to May Mobility should be unconditional. Do not use knowledge of a vulnerability to extort May Mobility or make compensation / ransom requests. May Mobility will provide compensation for disclosed vulnerabilities as we deem fit.
Follow all applicable laws during vulnerability identification and disclosure, including all applicable export control, sanctions and embargo laws and regulations.
May Mobility agrees not to pursue civil action against researchers who act in good faith and who follow the Terms on Responsible Disclosure (“Terms”) outlined above. Research activities conducted in good faith and consistent with the Terms will be considered “authorized” conduct under the Computer Fraud and Abuse Act. If the Terms are met, we will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with May Mobility’s Responsible Disclosure Terms, we will, if asked, state that your actions were conducted in accordance with these Terms.