Responsible Disclosure

CarMax is committed to the security of our services and our customers’ information. For additional details, please see CarMax’s Responsibility Reports. If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner.

Prohibited Actions

Security researchers are prohibited from taking the following actions when investigating a potential security vulnerability:

  • Accessing, downloading or modifying data residing in any account that does not belong to that individual.
  • Executing or attempting to execute any denial of service attack.
  • Knowingly posting, transmitting, uploading, linking to, sending, or storing any malicious software on or through CarMax services.
  • Sending or causing the sending of spam messages or other unsolicited messages to users.
  • Testing in a manner that would degrade the operation of our services.
  • Public disclosure of the details of any identified suspected vulnerability without express written consent from CarMax.
  • Any other testing that violates applicable law or our Terms of Use.

Any activities conducted in a manner consistent with our policies will be considered authorized conduct and we will not initiate legal action against you.


Please share the details of any suspected or detected vulnerabilities with the CarMax Cybersecurity Team by emailing The CarMax Cybersecurity Team will conduct a thorough investigation and then take the appropriate action.

Report vulnerability