Public Vulnerability Reporting Policy

Valid from: 17.06.2020
Owner: Tarmo Randel, Information Security Manager

Introduction

It is Bolt’s goal to offer the best and most secure products and services. We value the work of security researchers who spend time and effort helping us to make our platform and apps more secure.

If you have found a vulnerability or other security issues in our service platform or application, please submit it to our bug bounty program on Bugcrowd.

Basic rules and expectations

  • Don't do anything that could cause harm to yourself or others.
  • Do respect the privacy of our users.
  • We do not tolerate extortion.
  • Do not publicly disclose finding without our consent.
  • Be respectful when interacting with Bolt staff, we may not answer you immediately because of the workload, but we do respond.
  • Only the first reporter of unknown vulnerability can collect fame or bounty.
  • We do not use Paypal/cryptocurrency to reward findings.
  • We do not reward findings while the planned security test of our applications is ongoing.

Legal

Always obey your local laws. We explicitly reject criminal activity in any form.

Disclosure guidelines

  • Test only systems in Scope.
  • Describe the prerequisites that need to be met to exploit the vulnerability.
  • Describe the tested system state.
  • If possible, provide Proof-of-Concept code
  • When searching for vulnerabilities, please try to be as little intrusive as possible. Use only harmless payloads in your exploits.
  • Do not disrupt our services with intent and make a good-will effort to not disrupt our services by accident.
  • Use test accounts and don’t compromise other users accounts, data or privacy.
  • Do not use or report findings from automated scanning tools.
  • Do not start DoS attacks or try to generate high loads in general. If you think our servers have a specific problem in handling high loads you can discuss that theoretically with us and we try to reproduce your findings in a non-productive environment.

The scope

  • Bolt driver application; iOS, Android and Web.
  • Bolt rider application; iOS, Android and Web.
  • Bolt Food applications.
  • *.bolt.eu
  • *.taxify.eu

Non-qualifying vulnerabilities

  • Clickjacking on pages with no data modification actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a relevant Bolt related working PoC.
  • SSL/TLS configuration best practice misses or non-TLS communication.
  • Any activity that could lead to the disruption of service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • SPF, DKIM, DMARC issues.
  • Cookie flags.
  • XSS (or a behaviour) where you can only attack your own account.
  • XSS on pages where admins are intentionally given full HTML editing capabilities.
  • Reflected file download.
  • Physical security of the Bolts offices and employees.

Exclusions

  • Social engineering of Bolt staff.
  • Knowingly posting, transmitting, uploading, linking to, sending or storing any malicious software.
  • Third party applications or websites or services that integrate with, or link to the services of Bolt.
  • Being a worker or partner of Bolt.

Timeline

We try to answer your mail with in two business days and please send your mail in English. After our first answer we will evaluate your findings and an we will contact you within a week.

Disclosure

  • Please refrain from publishing technical details of any vulnerability you find to give us an opportunity to fix it. We try to work out a disclosure timeline with you. 
  • Before submitting a report, please read our Disclosure Guidelines above.
  • You can submit any vulnerability in our system and product to our bounty program on Bugcrowd.