Bug Bounty Program - BlaBlaCar
BlaBlaCar is the world leader in long-distance carpooling. We are an innovative and fast-growing company building a unique community of members to transform the way people travel! Since 2013, BlaBlaCar has grown exponentially and we're now a community of over 40 million members in more than 20 countries. We therefore need to keep our members' privacy and data secure.
About the company
BlaBlaCar is the world's leading community-based travel network enabling over 26 million active members per year to share a ride across 21 countries.
Our technology fills empty seats on the road, connecting members looking to carpool or to travel by bus, making travel more affordable, sociable, and convenient.
Reporting & Disclosure Policy
BlaBlaCar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Please avoid DDoSing us or causing a service disruption while testing our platform, and take care not to endanger the privacy of our members.
- Do not over-exploit a bug or use it to access internal data in search of further vulnerabilities. We will determine the severity and reward accordingly.
- If you find the same vulnerability in several places, please create only one report and use comments for the additional instances. You'll be rewarded according to your findings.
Scopes of the program
In general, the BlaBlaCar and BlaBlaCar Daily websites and apps are part of this bug bounty. Please refer to the detailed list of scopes if you are in doubt.
Even if an asset is listed as out of scope, if you really feel that a bug has an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code, we will reward you with a bounty.
Reward
Asset value | Low (CVSS) | Medium (CVSS) | High (CVSS) | Critical (CVSS)
---|---|---|---|---
 | €100 | €200 | €1,000 | €3,000
Scopes
Each scope below is rated Low / Medium / High / Critical and rewarded according to the grid above.
- https://edge.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|br|pt|ro|ru|com|tr|com.ua) (api)
- https://auth.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|br|pt|ro|ru|com|tr|com.ua) (api)
- https://www.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|br|pt|ro|ru|com|tr|com.ua) (web-application)
- https://m.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|br|pt|ro|ru|com|tr|com.ua) (web-application)
- https://play.google.com/store/apps/details?id=com.comuto&hl=en (mobile-application-android)
- https://itunes.apple.com/fr/app/blablacar-trusted-carpooling/id341329033?l=en&mt=8 (mobile-application-ios)
- https://api.blablalines.com (api)
- https://daily.blablacar.fr (web-application)
- https://blablacardaily.com (web-application)
- https://play.google.com/store/apps/details?id=com.blablalines (mobile-application-android)
- https://apps.apple.com/fr/app/blablalines-covoiturage/id1225543288 (mobile-application-ios)
Out of scopes
- Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope.
- Any website that is not listed explicitly in the scope.
- Finally, fraud-related reports are out of scope if they do not exploit a security vulnerability: fraud enabled by a bug or by incomplete enforcement of business rules is out of scope. However, fraud enabled by a security exploit, a CSRF for example, is valid.
Vulnerability types
Qualifying vulnerabilities
- Remote code execution (RCE)
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS) with real security impact
- Insecure Direct Object Reference (IDOR) with real security impact
- Horizontal and vertical privilege escalation
- Broken authentication & session management
- Business Logic Errors vulnerability with real security impact
- Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA) with real security impact
- Cross-Site Request Forgery (CSRF)/Cross-Origin Resource Sharing (CORS) with real security impact
- Open Redirect with real security impact
Non-qualifying vulnerabilities
- Reports without an accompanying proof-of-concept demonstrating vulnerability and security impact
- Security best practices without a real security impact
- Reports with attack scenarios requiring physical access to victim or social engineering attempts
- Reports of issues that are theoretically possible but have no tangible exploit or comparable evidence
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
- Recently disclosed 0-day vulnerabilities
- Tabnabbing
- "Self" XSS
- "HTTP Host Header" XSS
- Missing cookie flags
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Mixed content warnings
- Clickjacking/UI redressing
- Lack of rate-limiting, brute-forcing or captcha issues
- Known CVEs without working PoC
- Open ports without real security impact
- Logout and other instances of low-severity Cross-Site Request Forgery
- Content spoofing without embedding an external link or JavaScript
- Denial of Service (DoS) attacks
- Expired certificate, best practices and other related issues for TLS/SSL certificates
- Missing HTTP Strict Transport Security Header (HSTS)
- Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
- Password reset token leak on trusted third-party website via Referer header (eg Google Analytics, Facebook…)
- Presence of autocomplete attribute on web forms
- Protocol mismatch
- Blind SSRF without direct impact (e.g. DNS pingback)
- Crashing your own application
- Vulnerable/outdated software/libraries without demonstrable attack vector and PoC
- Finding your numeric user id in integer format instead of UUID4 or encrypted format
- Disclosure of information without security impact (Stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets etc.)
- Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
- Enumeration/account oracles: possibility to enumerate phone number, email, GUID, etc. and receive back a message indicating it exists
- Issues that require physical access to a victim’s computer/device
- Attacks requiring MITM or physical access to a user's device
- Password requirements policies (length / complexity / reuse)
- Any vulnerability on a Github repository that is "Archived"
- Ability to spam users (email / SMS / direct messages flooding)
- Vulnerabilities involving stolen credentials or physical access to a device
- Vulnerabilities affecting outdated browsers or mobile binaries: only exploits working on the latest versions of Safari, Firefox, Chrome, Edge and IE, and on the versions of our application currently in the app stores, will be accepted
- Lack of SSL pinning, binary protection, code obfuscation, jailbreak/root detection, anti-debugging controls, etc.
- Exploiting a generic Android or iOS vulnerability
- Lack of encryption on internal databases/preference files on mobile device
- Finding security issues on the iOS / Android apps in a non-standard usage case (jailbroken/rooted phone, making backups, ...)
- Android vulnerabilities related to Task Hijacking (StrandHogg 1 and StrandHogg 2 - CVE-2020-0096)
- Exploits that are only possible on Android version 7 and below
- Exploits that are only possible on iOS version 10 and below
- File upload to OSS that cannot be further exploited other than as a file storage
- Message moderation bypass
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.