Dealer security and coordinated disclosure
How to report a security issue affecting the partnermax API, the dealer data plane, or the cross-network AI-citation surfaces.
Reporting channel
Send a written report to support@dealermax.app. Include:
- Steps to reproduce.
- Request / response samples with any secret material redacted.
- Your assessment of impact (severity, affected partners or dealers).
Process
- Acknowledgement — within 5 business days.
- Remediation — proportional to severity. We will keep you informed throughout.
- Coordinated public disclosure — up to 90 days from acknowledgement. Where a longer window is needed (for example, a multi-partner rollout) we will explain the timeline and revisit it with you.
Out of scope
- Denial-of-service testing against production. Use a pmk_sand_* sandbox key for any rate-limit or load research.
- Social engineering of staff, customers, or downstream dealers.
- Physical attacks against offices or infrastructure.
- Findings exclusively against third-party sub-processors — report those to the sub-processor directly (see subprocessors.json for the inventory).