Vulnerability Disclosure Program

1. PURPOSE

At Sonder, one of our founding principles is to "Improve Continuously", which directly translates into an information security program that treats the protection of our guests and customer data as a top priority.

The Sonder Security Team acknowledges the valuable role that honest, independent security researchers and bug reporters play in the overall security of connected systems. As a result, we encourage the responsible reporting of any vulnerability that may be present in our guest properties, mobile application, or company website and services. Sonder is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us.

Please review these terms before you test and/or report a vulnerability to Sonder. We will provide a safe harbor to security researchers as long as they adhere to this policy and are acting in good faith.

If You Are a Current Customer/Guest

If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact the Sonder support team at https://www.sonder.com/help.

Testing Environments

All possible measures should be taken to avoid production systems and active guest units when performing vulnerability testing to ensure the safety of our guests. Any active and/or occupied guest units are strictly off-limits from vulnerability and penetration testing activities.

Reporting a Security Vulnerability

Please share details of the suspected vulnerability with the Sonder Security Team by sending an email to [email protected]. You can use our PGP Key to encrypt the email.

PGP Fingerprint: ABA7 E6FE 70A1 58E3 97E7 ECE9 7441 6D99 D6B3 BA52

Sharing of vulnerability details outside of our formal reporting process is not permitted and will not result in acceptance by Sonder of your vulnerability report.

Policy

We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. We ask in return that you:

Program Rules

Sonder encourages the responsible and ethical discovery and reporting of vulnerabilities. The following conduct is expressly prohibited:

In Scope & Out of Scope Targets

All parts of our applications and services available to customers/guests are in scope and are our primary interest. Please see the list of in-scope targets below.

Sonder uses a number of third-party providers and services. Our disclosure program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed on a case-by-case basis, and most likely will not be eligible for a reward. The following third-party systems are excluded:

Non-Qualifying Vulnerabilities

Low-severity, purely theoretical, and best-practice issues do not qualify for submission. Here are some examples:

In Scope

Note: Please run a whois lookup before you submit any issues on domains found by subdomain scanners, to confirm the domain is actually owned by Sonder.

| Target | Criticality | Eligible for Reward |
|---|---|---|
| https://www.sonder.com | Critical | Yes |
| *.sonder.com | High | Yes (refer to note above) |
| https://apps.apple.com/us/app/sonder-taking-stay-further/id1422914567 | High | Yes |
| https://play.google.com/store/apps/details?id=com.sonder.mahalo&hl=en_CA&gl=US | High | Yes |

Recognition and Reward

Sonder is happy to thank security researchers who submit vulnerability reports and help us improve our overall security posture for our employees, customers, and guests. Sonder may offer up to $500 in SonderStays credits, at the discretion of Sonder, for new discoveries of a critical nature.