At Sonder, one of our founding principles is to “Improve Continuously”, which directly translates into our information security program making the protection of our guests and customer data a top priority.
The Sonder Security Team acknowledges the valuable role that honest, independent security researchers and bug reporters play in the overall security of connected systems. As a result, we encourage the responsible reporting of any vulnerability that may be present in our guest properties, mobile application, or company website and services. Sonder is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us.
Please review these terms before you test and/or report a vulnerability to Sonder. We will provide a safe harbor to security researchers as long as they adhere to this policy and are acting in good faith.
If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact the Sonder support team at https://www.sonder.com/help.
All possible measures should be taken to avoid production systems and active guest units when performing vulnerability testing to ensure the safety of our guests. Any active and/or occupied guest units are strictly off-limits from vulnerability and penetration testing activities.
Please share details of the suspected vulnerability with the Sonder Security Team by sending an email to [email protected]. You can use our PGP Key to encrypt the email.
PGP Fingerprint: ABA7 E6FE 70A1 58E3 97E7 ECE9 7441 6D99 D6B3 BA52
Sharing of vulnerability details outside of our formal reporting process is not permitted and will not result in acceptance by Sonder of your vulnerability report.
We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. We ask in return that you:
Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
Give the Sonder Security Team a reasonable time to correct the issue before making any information public
Sonder encourages the responsible and ethical discovery and reporting of vulnerabilities. The following conduct is expressly prohibited:
When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other guests or Sonder employees may be disqualified. It’s also best practice to tell us the accounts you are using for testing even when they are under your control;
Do not run automated scans without checking with us first;
Do not test the physical security of Sonder offices, employees, equipment, partners, vendors, or contractors;
Do not test using social engineering techniques (phishing, spear-phishing, pretexting, etc.);
Do not perform DoS or DDoS attacks. You are welcome and encouraged to look for vulnerabilities that can be leveraged for DoS or DDoS attacks, we just don’t want you actually exploiting the issue outside of a tightly controlled environment;
Do not, in any way, attack our end users/guests or engage in the trade of stolen user credentials;
Do not access, or attempt to access, data, information, or physical building units that do not belong to you;
Do not conduct vulnerability or penetration testing of occupied Sonder guest units, hotel rooms or buildings;
Do not violate any applicable law or breach any agreements in order to discover vulnerabilities, or otherwise use unethical means to gain access and/or information;
Only the first reporter is eligible for receiving a reward (refer to the Recognition and Rewards section below).
All parts of our applications and services available to customers/guests are in scope and are our primary interest. Please see the list of in-scope targets below.
Sonder uses a number of third-party providers and services. Our disclosure program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed on a case-by-case basis, and most likely will not be eligible for a reward. The following third-party systems are excluded:
Direct attacks against any part of AWS’s infrastructure
Cloudflare
Okta
Low severity, purely theoretical and best-practice issues do not qualify for submission. Here are some examples:
Descriptive error messages (e.g., Stack Traces, application or server errors)
Theoretical sub-domain takeovers with no supporting evidence
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Information leakage, fingerprinting/banner disclosure on common/public services
Disclosure of known public files or directories (e.g., robots.txt)
Clickjacking on a public page and issues only exploitable through clickjacking
CSRF on forms that are available to anonymous users (e.g., the contact form)
Logout Cross-Site Request Forgery (logout CSRF)
Presence of application or web browser 'autocomplete' or 'save password' functionality
Lack of Secure/HTTPOnly flags on non-sensitive Cookies
Cookies without proper expiration
Weak Captcha/Captcha Bypass
Forgot Password page brute force and account lockout not enforced
OPTIONS HTTP method enabled
Reflected file downloads
Missing Cache-control
Host Header Attack
Directory Listing
Missing HTTP security headers (specifically, those on the OWASP list of useful HTTP headers)
SSL Issues (BEAST, BREACH, Renegotiation attack, Forward secrecy not enabled, weak ciphers)
Not performing rate limiting on non-login endpoints
Content spoofing
HPKP/HSTS preloading
Generic examples of Host header attacks without evidence of the ability to target a remote victim
Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
SPF, DKIM, or DMARC settings & Email Spoofing
Mixed Content Scripting & Self XSS
EXIF Geolocation data
Open WordPress JSON API without an exploit
Password Reset token leakage (This is known and we will implement a fix)
Password policy
Google Maps API key
Note: Please run a whois lookup before you submit any issues on domains found via subdomain scanners.
| Target | Criticality | Eligible for Reward |
|---|---|---|
| https://www.sonder.com | Critical | Yes |
| *.sonder.com | High | Yes (refer to note above) |
| https://apps.apple.com/us/app/sonder-taking-stay-further/id1422914567 | High | Yes |
| https://play.google.com/store/apps/details?id=com.sonder.mahalo&hl=en_CA&gl=US | High | Yes |
Sonder is happy to thank security researchers who submit vulnerability reports and help us improve our overall security posture for our employees, customers, and guests. Sonder may offer up to $500 in SonderStays credits, at the discretion of Sonder, for new discoveries of a critical nature.