[{"id":3762075,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. \n\nThis policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#In-Scope:\n\n- *.tomtom-global.com\n- *.tomtomgroup.com\n- *.tomtom.com\n- **GitHub Organization:** [tomtom-international](https://github.com/tomtom-international)  \n  - Public repositories only  \n  - Archived repositories are excluded  \n\n| Included in GitHub Repositories | Excluded from GitHub Repositories |\n| ------------- | ------------- |\n| Source code in all public repositories| Private repositories|\n| Configuration and deployment files | Production infrastructure |\n| Dependencies and third-party integrations | Third-party dependencies hosted elsewhere |\n| Documentation that may contain security-sensitive information | Archived repositories |\n\n#Out of Scope:\nThe following vulnerabilities are generally considered out of scope for our program:\n\n| **Category** | **Description** |\n|--------------|-----------------|\n| Social engineering | Phishing, vishing, or other social engineering attacks. |\n| Physical security | Access to buildings or data centers. |\n| Denial of service (DoS) | Attacks that aim to disrupt service availability. |\n| Spamming | Sending unsolicited messages. |\n| Password brute-forcing | Automated attempts to guess passwords. |\n| Clickjacking without impact | Reports of clickjacking without a clear security impact. |\n| CSRF on low-impact forms | CSRF on forms with minimal security impact (e.g., contact forms). |\n| Self-XSS | Vulnerabilities that require the user to execute the attack themselves. |\n| Missing security headers without impact | Missing headers (e.g., X-Frame-Options) without a clear security consequence. 
|\n| Best practice suggestions | General security advice or recommendations. |\n| Third-party library issues | Vulnerabilities in libraries or frameworks, unless related to our implementation. |\n| Outdated software versions | If a newer, patched version is available. |\n| Publicly known vulnerabilities | Vulnerabilities that have already been disclosed. |\n| Email not verified for account registration | Cases where email verification is not enforced. |\n| Insufficient session logout | Session issues without demonstrable impact on user security. |\n| Weak password policy | Reports about missing complexity requirements (e.g., length, special characters). |\n| Open redirections without impact | Open redirections without direct impact on account compromise or data disclosure. |\n| Destructive testing on repositories | Any testing that could damage or alter repository content or functionality. |\n\n#What You Can Expect From Us:\n\n- We will acknowledge receipt of your report within 5 business days.\n- We will investigate your report and keep you informed of our progress.\n- We will work with you to understand and validate the vulnerability.\n- We will remediate the vulnerability in a timely manner.\n\n#What We Expect From You:\n\n- Do not publicly disclose the vulnerability before we have had a reasonable time to address it.\n- Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.\n- Do not access or modify any user data without explicit permission.\n- Do not use attacks on physical security, social engineering, distributed denial of service or spam;\n- Do not attack third-party applications, systems, or products\n- Act in good faith and with the intention of improving our security.\n\n#Disclosure Policy:\nPlease do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. 
Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\n\nThank you for your interest and help in protecting the security of TomTom's products and services.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-29T08:48:50.625Z"},{"id":3762074,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. \n\nThis policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#In-Scope:\n\n- *.tomtom-global.com\n- *.tomtomgroup.com\n- *.tomtom.com\n- **GitHub Organization:** [tomtom-international](https://github.com/tomtom-international)  \n  - Public repositories only  \n  - Archived repositories are excluded  \n\n| Included in GitHub Repositories | Excluded from GitHub Repositories |\n| ------------- | ------------- |\n| Source code in all public repositories| Private repositories|\n| Configuration and deployment files | Production infrastructure |\n| Dependencies and third-party integrations | Third-party dependencies hosted elsewhere |\n| Documentation that may contain security-sensitive information | Archived repositories |\n\n#What You Can Expect From Us:\n\n- We will acknowledge receipt of your report within 5 business days.\n- We will investigate your report and keep you informed of our progress.\n- We will work with you to understand and validate the vulnerability.\n- We will remediate the vulnerability in a timely manner.\n\n#What We Expect From You:\n\n- Do not publicly disclose the vulnerability before we have had a reasonable time to address it.\n- Do not 
exploit the vulnerability beyond what is necessary to demonstrate its existence.\n- Do not access or modify any user data without explicit permission.\n- Do not use attacks on physical security, social engineering, distributed denial of service or spam;\n- Do not attack third-party applications, systems, or products\n- Act in good faith and with the intention of improving our security.\n\n#Out of Scope Vulnerabilities:\nThe following vulnerabilities are generally considered out of scope for our program:\n\n| **Category** | **Description** |\n|--------------|-----------------|\n| Social engineering | Phishing, vishing, or other social engineering attacks. |\n| Physical security | Access to buildings or data centers. |\n| Denial of service (DoS) | Attacks that aim to disrupt service availability. |\n| Spamming | Sending unsolicited messages. |\n| Password brute-forcing | Automated attempts to guess passwords. |\n| Clickjacking without impact | Reports of clickjacking without a clear security impact. |\n| CSRF on low-impact forms | CSRF on forms with minimal security impact (e.g., contact forms). |\n| Self-XSS | Vulnerabilities that require the user to execute the attack themselves. |\n| Missing security headers without impact | Missing headers (e.g., X-Frame-Options) without a clear security consequence. |\n| Best practice suggestions | General security advice or recommendations. |\n| Third-party library issues | Vulnerabilities in libraries or frameworks, unless related to our implementation. |\n| Outdated software versions | If a newer, patched version is available. |\n| Publicly known vulnerabilities | Vulnerabilities that have already been disclosed. |\n| Email not verified for account registration | Cases where email verification is not enforced. |\n| Insufficient session logout | Session issues without demonstrable impact on user security. |\n| Weak password policy | Reports about missing complexity requirements (e.g., length, special characters). 
|\n| Open redirections without impact | Open redirections without direct impact on account compromise or data disclosure. |\n| Destructive testing on repositories | Any testing that could damage or alter repository content or functionality. |\n\n#Disclosure Policy:\nPlease do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\nThank you for your interest and help in protecting the security of TomTom's products and services.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-29T08:43:24.299Z"},{"id":3761900,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. 
This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#In-Scope Assets:\n\n- *.tomtom-global.com\n- *.tomtomgroup.com\n- *.tomtom.com\n- **GitHub Organization:** tomtom-international\n- **URL:** https://github.com/tomtom-international/*\n- **Coverage:** All public repositories in the organization excluding archived repositories\n\n#What's Included in GitHub Repositories:\n\nSource code in all public repositories\nConfiguration and deployment files\nDependencies and third-party integrations\nDocumentation that may contain security-sensitive information\n\n#What's Excluded from GitHub Repositories:\n\nPrivate repositories\nProduction infrastructure\nThird-party dependencies hosted elsewhere\n\n#Priority Vulnerabilities:\n**High:** Remote Code Execution (RCE), SQL Injection, Authentication Bypass, Exposed Secrets\n**Medium:** Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object References, Vulnerable Dependencies\n**Low:** Information Disclosure, Missing Security Headers\n\n#What You Can Expect From Us:\n\nWe will acknowledge receipt of your report within 5 business days.\nWe will investigate your report and keep you informed of our progress.\nWe will work with you to understand and validate the vulnerability.\nWe will remediate the vulnerability in a timely manner.\n\n#What We Expect From You:\n\nDo not publicly disclose the vulnerability before we have had a reasonable time to address it.\nDo not exploit the vulnerability beyond what is necessary to demonstrate its existence.\nDo not access or modify any user data without explicit permission.\nDo not use attacks on physical security, social engineering, distributed denial of service or spam;\nDo not attack third-party applications, systems, or products\nAct in good faith and with the intention of improving our security.\n\n#Out of Scope Vulnerabilities:\nThe following vulnerabilities are generally considered out of scope 
for our program:\n\n* **Social engineering:** Phishing, vishing, or other social engineering attacks.\n* **Physical security issues:** Access to buildings or data centers.\n* **Denial of service (DoS) attacks:** Attacks that aim to disrupt service availability.\n* **Spamming:** Sending unsolicited messages.\n* **Password brute-forcing:** Automated attempts to guess passwords.\n* **Clickjacking without demonstrable impact:** Reports of clickjacking without a clear security impact.\n* **Cross-Site Request Forgery (CSRF) on low-impact forms:** CSRF on forms with minimal security impact (e.g., contact forms).\n* **Self-XSS:** Vulnerabilities that require the user to execute the attack themselves.\n* **Missing security headers without demonstrable impact:** Missing headers (e.g., X-Frame-Options) without a clear security consequence.\n* **Best practice suggestions:** General security advice or recommendations.\n* **Vulnerabilities in third-party libraries or frameworks:** Unless the vulnerability is specifically related to our implementation.\n* **Vulnerabilities in outdated software versions:** If a newer, patched version is available.\n* **Publicly known vulnerabilities:** Vulnerabilities that have already been disclosed.\n* **Email Not Verified for Account Registration:** Instances where email verification is not enforced during the account registration process.\n* **Insufficient Session Logout:** Vulnerabilities related to sessions not ending or timing out as expected under certain conditions are excluded unless there is a demonstrable impact on user security.\n* **Weak Password Policy:** Reports of password policies that do not enforce specific complexity requirements, such as minimum character length or special characters, are out of scope.\n* **Open Redirections:** Vulnerabilities involving open redirections without any direct impact on account compromise or data disclosure are not in scope.\n* **Destructive testing on repositories:** Any testing that could 
damage or alter repository content or functionality.\n\n#Disclosure Policy:\nPlease do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\nThank you for your interest and help in protecting the security of TomTom's products and services.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-26T14:22:01.708Z"},{"id":3761899,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#In-Scope Assets:\n\n- *.tomtom-global.com\n- *.tomtomgroup.com\n- *.tomtom.com\n- **GitHub Organization:** tomtom-international\n- **URL:** https://github.com/tomtom-international/*\n- **Coverage:** All public repositories in the organization excluding archived repositories\n\n#What's Included in GitHub Repositories\n\nSource code in all public repositories\nConfiguration and deployment files\nDependencies and third-party integrations\nDocumentation that may contain security-sensitive information\n\n#What's Excluded from GitHub Repositories:\n\nPrivate repositories\nProduction infrastructure\nThird-party dependencies hosted elsewhere\n\n#Priority Vulnerabilities:\n**High:** Remote Code Execution (RCE), SQL Injection, Authentication Bypass, Exposed Secrets\n**Medium:** Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object References, Vulnerable 
Dependencies\n**Low:** Information Disclosure, Missing Security Headers\n\n#What You Can Expect From Us:\n\nWe will acknowledge receipt of your report within 5 business days.\nWe will investigate your report and keep you informed of our progress.\nWe will work with you to understand and validate the vulnerability.\nWe will remediate the vulnerability in a timely manner.\n\n#What We Expect From You:\n\nDo not publicly disclose the vulnerability before we have had a reasonable time to address it.\nDo not exploit the vulnerability beyond what is necessary to demonstrate its existence.\nDo not access or modify any user data without explicit permission.\nDo not use attacks on physical security, social engineering, distributed denial of service or spam;\nDo not attack third-party applications, systems, or products\nAct in good faith and with the intention of improving our security.\n\n#Out of Scope Vulnerabilities:\nThe following vulnerabilities are generally considered out of scope for our program:\n\n* **Social engineering:** Phishing, vishing, or other social engineering attacks.\n* **Physical security issues:** Access to buildings or data centers.\n* **Denial of service (DoS) attacks:** Attacks that aim to disrupt service availability.\n* **Spamming:** Sending unsolicited messages.\n* **Password brute-forcing:** Automated attempts to guess passwords.\n* **Clickjacking without demonstrable impact:** Reports of clickjacking without a clear security impact.\n* **Cross-Site Request Forgery (CSRF) on low-impact forms:** CSRF on forms with minimal security impact (e.g., contact forms).\n* **Self-XSS:** Vulnerabilities that require the user to execute the attack themselves.\n* **Missing security headers without demonstrable impact:** Missing headers (e.g., X-Frame-Options) without a clear security consequence.\n* **Best practice suggestions:** General security advice or recommendations.\n* **Vulnerabilities in third-party libraries or frameworks:** Unless the vulnerability 
is specifically related to our implementation.\n* **Vulnerabilities in outdated software versions:** If a newer, patched version is available.\n* **Publicly known vulnerabilities:** Vulnerabilities that have already been disclosed.\n* **Email Not Verified for Account Registration:** Instances where email verification is not enforced during the account registration process.\n* **Insufficient Session Logout:** Vulnerabilities related to sessions not ending or timing out as expected under certain conditions are excluded unless there is a demonstrable impact on user security.\n* **Weak Password Policy:** Reports of password policies that do not enforce specific complexity requirements, such as minimum character length or special characters, are out of scope.\n* **Open Redirections:** Vulnerabilities involving open redirections without any direct impact on account compromise or data disclosure are not in scope.\n* **Destructive testing on repositories:** Any testing that could damage or alter repository content or functionality.\n\n#Disclosure Policy:\nPlease do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\nThank you for your interest and help in protecting the security of TomTom's products and services.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-26T14:21:31.928Z"},{"id":3761898,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. 
This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#In-Scope Assets:\n\n- *.tomtom-global.com\n- *.tomtomgroup.com\n- *.tomtom.com\n**GitHub Organization:** tomtom-international\n**URL:** https://github.com/tomtom-international/*\n**Coverage:** All public repositories in the organization excluding archived repositories\n\n#What's Included in GitHub Repositories\n\nSource code in all public repositories\nConfiguration and deployment files\nDependencies and third-party integrations\nDocumentation that may contain security-sensitive information\n\n#What's Excluded from GitHub Repositories:\n\nPrivate repositories\nProduction infrastructure\nThird-party dependencies hosted elsewhere\n\n#Priority Vulnerabilities:\n**High:** Remote Code Execution (RCE), SQL Injection, Authentication Bypass, Exposed Secrets\n**Medium:** Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object References, Vulnerable Dependencies\n**Low:** Information Disclosure, Missing Security Headers\n\n#What You Can Expect From Us:\n\nWe will acknowledge receipt of your report within 5 business days.\nWe will investigate your report and keep you informed of our progress.\nWe will work with you to understand and validate the vulnerability.\nWe will remediate the vulnerability in a timely manner.\n\n#What We Expect From You:\n\nDo not publicly disclose the vulnerability before we have had a reasonable time to address it.\nDo not exploit the vulnerability beyond what is necessary to demonstrate its existence.\nDo not access or modify any user data without explicit permission.\nDo not use attacks on physical security, social engineering, distributed denial of service or spam;\nDo not attack third-party applications, systems, or products\nAct in good faith and with the intention of improving our security.\n\n#Out of Scope Vulnerabilities:\nThe following vulnerabilities are generally considered out of scope for our 
program:\n\n* **Social engineering:** Phishing, vishing, or other social engineering attacks.\n* **Physical security issues:** Access to buildings or data centers.\n* **Denial of service (DoS) attacks:** Attacks that aim to disrupt service availability.\n* **Spamming:** Sending unsolicited messages.\n* **Password brute-forcing:** Automated attempts to guess passwords.\n* **Clickjacking without demonstrable impact:** Reports of clickjacking without a clear security impact.\n* **Cross-Site Request Forgery (CSRF) on low-impact forms:** CSRF on forms with minimal security impact (e.g., contact forms).\n* **Self-XSS:** Vulnerabilities that require the user to execute the attack themselves.\n* **Missing security headers without demonstrable impact:** Missing headers (e.g., X-Frame-Options) without a clear security consequence.\n* **Best practice suggestions:** General security advice or recommendations.\n* **Vulnerabilities in third-party libraries or frameworks:** Unless the vulnerability is specifically related to our implementation.\n* **Vulnerabilities in outdated software versions:** If a newer, patched version is available.\n* **Publicly known vulnerabilities:** Vulnerabilities that have already been disclosed.\n* **Email Not Verified for Account Registration:** Instances where email verification is not enforced during the account registration process.\n* **Insufficient Session Logout:** Vulnerabilities related to sessions not ending or timing out as expected under certain conditions are excluded unless there is a demonstrable impact on user security.\n* **Weak Password Policy:** Reports of password policies that do not enforce specific complexity requirements, such as minimum character length or special characters, are out of scope.\n* **Open Redirections:** Vulnerabilities involving open redirections without any direct impact on account compromise or data disclosure are not in scope.\n* **Destructive testing on repositories:** Any testing that could damage or 
alter repository content or functionality.\n\n#Disclosure Policy:\nPlease do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\nThank you for your interest and help in protecting the security of TomTom's products and services.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-26T14:20:47.580Z"},{"id":3761897,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#In-Scope Assets:\n\n(*).tomtom-global.com\n(*).tomtomgroup.com\n(*).tomtom.com\n**GitHub Organization:** tomtom-international\n**URL:** https://github.com/tomtom-international/*\n**Coverage:** All public repositories in the organization excluding archived repositories\n\n#What's Included in GitHub Repositories\n\nSource code in all public repositories\nConfiguration and deployment files\nDependencies and third-party integrations\nDocumentation that may contain security-sensitive information\n\n#What's Excluded from GitHub Repositories:\n\nPrivate repositories\nProduction infrastructure\nThird-party dependencies hosted elsewhere\n\n#Priority Vulnerabilities:\n**High:** Remote Code Execution (RCE), SQL Injection, Authentication Bypass, Exposed Secrets\n**Medium:** Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object References, Vulnerable 
Dependencies\n**Low:** Information Disclosure, Missing Security Headers\n\n#What You Can Expect From Us:\n\nWe will acknowledge receipt of your report within 5 business days.\nWe will investigate your report and keep you informed of our progress.\nWe will work with you to understand and validate the vulnerability.\nWe will remediate the vulnerability in a timely manner.\n\n#What We Expect From You:\n\nDo not publicly disclose the vulnerability before we have had a reasonable time to address it.\nDo not exploit the vulnerability beyond what is necessary to demonstrate its existence.\nDo not access or modify any user data without explicit permission.\nDo not use attacks on physical security, social engineering, distributed denial of service or spam;\nDo not attack third-party applications, systems, or products\nAct in good faith and with the intention of improving our security.\n\n#Out of Scope Vulnerabilities:\nThe following vulnerabilities are generally considered out of scope for our program:\n\n* **Social engineering:** Phishing, vishing, or other social engineering attacks.\n* **Physical security issues:** Access to buildings or data centers.\n* **Denial of service (DoS) attacks:** Attacks that aim to disrupt service availability.\n* **Spamming:** Sending unsolicited messages.\n* **Password brute-forcing:** Automated attempts to guess passwords.\n* **Clickjacking without demonstrable impact:** Reports of clickjacking without a clear security impact.\n* **Cross-Site Request Forgery (CSRF) on low-impact forms:** CSRF on forms with minimal security impact (e.g., contact forms).\n* **Self-XSS:** Vulnerabilities that require the user to execute the attack themselves.\n* **Missing security headers without demonstrable impact:** Missing headers (e.g., X-Frame-Options) without a clear security consequence.\n* **Best practice suggestions:** General security advice or recommendations.\n* **Vulnerabilities in third-party libraries or frameworks:** Unless the vulnerability 
is specifically related to our implementation.\n* **Vulnerabilities in outdated software versions:** If a newer, patched version is available.\n* **Publicly known vulnerabilities:** Vulnerabilities that have already been disclosed.\n* **Email Not Verified for Account Registration:** Instances where email verification is not enforced during the account registration process.\n* **Insufficient Session Logout:** Vulnerabilities related to sessions not ending or timing out as expected under certain conditions are excluded unless there is a demonstrable impact on user security.\n* **Weak Password Policy:** Reports of password policies that do not enforce specific complexity requirements, such as minimum character length or special characters, are out of scope.\n* **Open Redirections:** Vulnerabilities involving open redirections without any direct impact on account compromise or data disclosure are not in scope.\n* **Destructive testing on repositories:** Any testing that could damage or alter repository content or functionality.\n\n#Disclosure Policy:\nPlease do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\nThank you for your interest and help in protecting the security of TomTom's products and services.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-26T14:18:23.807Z"},{"id":3761896,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. 
This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#In-Scope Assets:\n\n*.tomtom-global.com\n*.tomtomgroup.com\n*.tomtom.com\n**GitHub Organization:** tomtom-international\n**URL:** https://github.com/tomtom-international/*\n**Coverage:** All public repositories in the organization\n\n#What's Included in GitHub Repositories\n\nSource code in all public repositories\nConfiguration and deployment files\nDependencies and third-party integrations\nDocumentation that may contain security-sensitive information\n\n#What's Excluded from GitHub Repositories:\n\nPrivate repositories\nProduction infrastructure\nThird-party dependencies hosted elsewhere\n\n#Priority Vulnerabilities:\n**High:** Remote Code Execution (RCE), SQL Injection, Authentication Bypass, Exposed Secrets\n**Medium:** Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object References, Vulnerable Dependencies\n**Low:** Information Disclosure, Missing Security Headers\n\n#What You Can Expect From Us:\n\nWe will acknowledge receipt of your report within 5 business days.\nWe will investigate your report and keep you informed of our progress.\nWe will work with you to understand and validate the vulnerability.\nWe will remediate the vulnerability in a timely manner.\n\n#What We Expect From You:\n\nDo not publicly disclose the vulnerability before we have had a reasonable time to address it.\nDo not exploit the vulnerability beyond what is necessary to demonstrate its existence.\nDo not access or modify any user data without explicit permission.\nDo not use attacks on physical security, social engineering, distributed denial of service or spam;\nDo not attack third-party applications, systems, or products\nAct in good faith and with the intention of improving our security.\n\n#Out of Scope Vulnerabilities:\nThe following vulnerabilities are generally considered out of scope for our program:\n\n* **Social engineering:** 
Phishing, vishing, or other social engineering attacks.\n* **Physical security issues:** Access to buildings or data centers.\n* **Denial of service (DoS) attacks:** Attacks that aim to disrupt service availability.\n* **Spamming:** Sending unsolicited messages.\n* **Password brute-forcing:** Automated attempts to guess passwords.\n* **Clickjacking without demonstrable impact:** Reports of clickjacking without a clear security impact.\n* **Cross-Site Request Forgery (CSRF) on low-impact forms:** CSRF on forms with minimal security impact (e.g., contact forms).\n* **Self-XSS:** Vulnerabilities that require the user to execute the attack themselves.\n* **Missing security headers without demonstrable impact:** Missing headers (e.g., X-Frame-Options) without a clear security consequence.\n* **Best practice suggestions:** General security advice or recommendations.\n* **Vulnerabilities in third-party libraries or frameworks:** Unless the vulnerability is specifically related to our implementation.\n* **Vulnerabilities in outdated software versions:** If a newer, patched version is available.\n* **Publicly known vulnerabilities:** Vulnerabilities that have already been disclosed.\n* **Email Not Verified for Account Registration:** Instances where email verification is not enforced during the account registration process.\n* **Insufficient Session Logout:** Vulnerabilities related to sessions not ending or timing out as expected under certain conditions are excluded unless there is a demonstrable impact on user security.\n* **Weak Password Policy:** Reports of password policies that do not enforce specific complexity requirements, such as minimum character length or special characters, are out of scope.\n* **Open Redirections:** Vulnerabilities involving open redirections without any direct impact on account compromise or data disclosure are not in scope.\n* **Destructive testing on repositories:** Any testing that could damage or alter repository content or 
functionality.\n\n#Disclosure Policy:\nPlease do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\nThank you for your interest and help in protecting the security of TomTom's products and services.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-26T14:16:34.925Z"},{"id":3744197,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#What You Can Expect From Us\n\n* We will acknowledge receipt of your report within 5 business days.\n* We will investigate your report and keep you informed of our progress.\n* We will work with you to understand and validate the vulnerability.\n* We will remediate the vulnerability in a timely manner.\n\n#What We Expect From You\n\n* Do not publicly disclose the vulnerability before we have had a reasonable time to address it.\n* Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.\n* Do not access or modify any user data without explicit permission.\n* Do not use attacks on physical security, social engineering, distributed denial of service or spam.\n* Do not attack third-party applications, systems, or products.\n* Act in good faith and with the intention of improving our security.\n\n#Out of Scope Vulnerabilities\n\nThe following vulnerabilities are generally considered out of 
scope for our program:\n\n* **Social engineering:** Phishing, vishing, or other social engineering attacks.\n* **Physical security issues:** Access to buildings or data centers.\n* **Denial of service (DoS) attacks:** Attacks that aim to disrupt service availability.\n* **Spamming:** Sending unsolicited messages.\n* **Password brute-forcing:** Automated attempts to guess passwords.\n* **Clickjacking without demonstrable impact:** Reports of clickjacking without a clear security impact.\n* **Cross-Site Request Forgery (CSRF) on low-impact forms:** CSRF on forms with minimal security impact (e.g., contact forms).\n* **Self-XSS:** Vulnerabilities that require the user to execute the attack themselves.\n* **Missing security headers without demonstrable impact:** Missing headers (e.g., X-Frame-Options) without a clear security consequence.\n* **Best practice suggestions:** General security advice or recommendations.\n* **Vulnerabilities in third-party libraries or frameworks:** Unless the vulnerability is specifically related to our implementation.\n* **Vulnerabilities in outdated software versions:** If a newer, patched version is available.\n* **Publicly known vulnerabilities:** Vulnerabilities that have already been disclosed.\n* **Email Not Verified for Account Registration:** Instances where email verification is not enforced during the account registration process.\n* **Insufficient Session Logout:** Vulnerabilities related to sessions not ending or timing out as expected under certain conditions are excluded unless there is a demonstrable impact on user security.\n* **Weak Password Policy:** Reports of password policies that do not enforce specific complexity requirements, such as minimum character length or special characters, are out of scope.\n* **Open Redirections:** Vulnerabilities involving open redirections without any direct impact on account compromise or data disclosure are not in scope.\n\n# Disclosure Policy\nPlease do not discuss this program or 
any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\nFollow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\n\nThank you for your interest and help in protecting the security of TomTom’s products and services.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-11T10:07:20.076Z"},{"id":3743787,"new_policy":"TomTom is committed to maintaining the highest level of security for our products, services, and users. We appreciate your efforts in identifying and reporting potential security vulnerabilities in our systems and applications. This policy outlines our commitment to working with security researchers to resolve vulnerabilities responsibly.\n\n#What You Can Expect From Us\n\n* We will acknowledge receipt of your report within 5 business days.\n* We will investigate your report and keep you informed of our progress.\n* We will work with you to understand and validate the vulnerability.\n* We will remediate the vulnerability in a timely manner.\n\n#What We Expect From You\n\n* Do not publicly disclose the vulnerability before we have had a reasonable time to address it.\n* Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.\n* Do not access or modify any user data without explicit permission.\n* Do not use attacks on physical security, social engineering, distributed denial of service or spam.\n* Do not attack third-party applications, systems, or products.\n* Act in good faith and with the intention of improving our security.\n\n#Out of Scope Vulnerabilities\n\nThe following vulnerabilities are generally considered out of scope for our program:\n\n* **Social engineering:** Phishing, vishing, or 
other social engineering attacks.\n* **Physical security issues:** Access to buildings or data centers.\n* **Denial of service (DoS) attacks:** Attacks that aim to disrupt service availability.\n* **Spamming:** Sending unsolicited messages.\n* **Password brute-forcing:** Automated attempts to guess passwords.\n* **Clickjacking without demonstrable impact:** Reports of clickjacking without a clear security impact.\n* **Cross-Site Request Forgery (CSRF) on low-impact forms:** CSRF on forms with minimal security impact (e.g., contact forms).\n* **Self-XSS:** Vulnerabilities that require the user to execute the attack themselves.\n* **Missing security headers without demonstrable impact:** Missing headers (e.g., X-Frame-Options) without a clear security consequence.\n* **Best practice suggestions:** General security advice or recommendations.\n* **Vulnerabilities in third-party libraries or frameworks:** Unless the vulnerability is specifically related to our implementation.\n* **Vulnerabilities in outdated software versions:** If a newer, patched version is available.\n* **Publicly known vulnerabilities:** Vulnerabilities that have already been disclosed.\n\n# Disclosure Policy\nPlease do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\nFollow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines\n\nThank you for your interest and help in protecting the security of TomTom’s products and services.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-06T11:01:44.785Z"}]