Public Vulnerability Reporting Policy

Valid from: 17.06.2020
Owner: Tarmo Randel, Information Security Manager

Introduction

It is Bolt’s goal to offer the best and most secure products and services. We value the work of security researchers who spend time and effort helping us to make our platform and apps more secure.

If you have found a vulnerability or other security issues in our service platform or application, please reach out to us. We also run managed bug bounty program to reward external contributions that help us keep our users safe.

Basic rules and expectations

Don't do anything that could cause harm to yourself or others.
Do respect the privacy of our users.
We do not tolerate extortion.
Do not publicly disclose finding without our consent.
Be respectful when interacting with Bolt staff, we may not answer you immediately because of the workload, but we do respond.
Only the first reporter of unknown vulnerability can collect fame or bounty.
We do not use Paypal/cryptocurrency to reward findings.
We do not reward findings while the planned security test of our applications is ongoing.

Legal

Always obey your local laws. We explicitly reject criminal activity in any form.

Disclosure guidelines

Test only systems in Scope.
Describe the prerequisites that need to be met to exploit the vulnerability.
Describe the tested system state.
If possible, provide Proof-of-Concept code
When searching for vulnerabilities, please try to be as little intrusive as possible. Use only harmless payloads in your exploits.
Do not disrupt our services with intent and make a good-will effort to not disrupt our services by accident.
Use test accounts and don’t compromise other users accounts, data or privacy.
Do not use or report findings from automated scanning tools.
Do not start DoS attacks or try to generate high loads in general. If you think our servers have a specific problem in handling high loads you can discuss that theoretically with us and we try to reproduce your findings in a non-productive environment.

The scope

Bolt driver application; iOS, Android and Web.
Bolt rider application; iOS, Android and Web.
Bolt Food applications.
*.bolt.eu
*.taxify.eu

Non-qualifying vulnerabilities

Clickjacking on pages with no data modification actions.
Unauthenticated/logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a relevant Bolt related working PoC.
SSL/TLS configuration best practice misses or non-TLS communication.
Any activity that could lead to the disruption of service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
SPF, DKIM, DMARC issues.
Cookie flags.
XSS (or a behaviour) where you can only attack your own account.
XSS on pages where admins are intentionally given full HTML editing capabilities.
Reflected file download.
Physical security of the Bolts offices and employees.

Exclusions

Social engineering of Bolt staff.
Knowingly posting, transmitting, uploading, linking to, sending or storing any malicious software.
Third party applications or websites or services that integrate with, or link to the services of Bolt.
Being a worker or partner of Bolt.

Timeline

We try to answer your mail with in two business days and please send your mail in English. After our first answer we will evaluate your findings and an we will contact you within a week.

Disclosure

Please refrain from publishing technical details of any vulnerability you find to give us an opportunity to fix it. We try to work out a disclosure timeline with you.
Before submitting a report, please read our Disclosure Guidelines above.
You can submit any vulnerability in our systems and products to the email mentioned in security.txt with, or without, using our PGP key

Copy

mQINBGCjtK0BEADGNeA4XO5lNE2exBRcie8Q6R8Hc/+gmk7sMUTGC7gFNqv6maXU 0Yq4Ba7KoDwG4cbMiydBBxAac57Fw6FpuOjEOMZRCXnR8PTPaqu+odeV5LCfSVER 3ANAP1QGIEQLtzDgzRyN1z157dgLabLH212WK92LiWQOv1clxx1OSsakwLnyrpw/ BCv/AdLIGmnplyqRc+UOBLtatsGnMO0NGD3NHX871h0T9HFMyVwdrOOco/dfNLyi a+drJ171BUjy5eoeppPrZPbpNIihYGtuAWIt3iAJgnGh6BTKkoCoSSqtUE8gLp7x zQOoBJ+2QWFutMzrRqqlz6aTn4hYT5/yKHRD2r847uHatL09a7XeTJl+ifg1Dz32 zdSaUzfItg94tX9tO5Tcf1eGKDD+O23nyuRA38bEBUHi8MBNzMgveH5xun8N+JXX WkpteCRzjv7Nu9VlGsb72khdQKldbHeyDL328LqLo0lIJPHUNh4b+wjbLlVOjGMb 4HUtKqeVcbeRa6KqSAHx2FU6dQxdKYKme3OaLAA+aJOHfgtweZ08ft5yvaVkFeRY MEmKWlm4wGxlPck4YIwxFEYJ6Le1aYCt1e9qM4ass4voUjKENlURJMbSMwI8Xc0b BgYy8207k5wKeHCkE6XcLz1OlcYBAqhz1v03qHjSZGRcr5RUHRWXYS1/gQARAQAB tCVCb2x0IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QGJvbHQuZXU+iQJUBBMBCAA+ FiEEvZ1U7zTi6uWnEWnnei+ktvdJFYEFAmCjtK0CGwMFCQWjmoAFCwkIBwIGFQoJ CAsCBBYCAwECHgECF4AACgkQei+ktvdJFYHDfxAAtWmIXAnSuh4K5VFMbOQ9cjGH hJSf+/v+4J7kMvb1XQ43wqUM4B76rGdGHHH425mpXPxJP5OOMNrIAbUdwuT/QRvO bLBbelcu8zT20iFvaGuXYtwm/hJFZ7Bi3ZvM4RSeIeHT9GjE0V03yRO4Rb0EzxV5 q+CDN0ACh0UDSZktNFyu6qEfVkr6tAyxVDVBJRQ0jjCmeMtcUFQ3STxyz3EpP52s 2iLGa5WmCUgG8ft3+IGlu0CeU+2XQL6XT6vLU4h4BsLXTlY1TwXiceCDwdu0DNrb /axvzPyfCo8pK96qmZ7TlNqKwqv36bRbEfxN9CPfEfSQqEe0YH5b3LgWVEe8vdRG 39xhc/FJn8oTIo9sGSM/0ciCVH07D2xYn4pGJPzGEYasWYW/dML2ygjtSfAlLExT Mqaa90BwwugNVMulxqCPHE4eEoowB07HV0y2477c9IO5aHlq1VVqDGxTEyTZK0l/ ApUxuw/UUVW9wF1YH7mIl68DEo90WzDFL8SQXcTgxVMp2Ezxrv1HKccK3Xz9H1YD 95DJZVNlgrSd6ycAEUaaVapI2VBpRBSQrmcSZj8g3/9dx4jnF2zRcmso4vFNKLnS SGli2iZTAqyVp9jM+h3jeAuNVz1ncjlbsSlvAZl0gS39TJHA/ak7G70EQYgjVDk+ /JICkDfnn5a7OZ5nKiS5Ag0EYKO0rQEQAPjq9vVY4/4EZHLvuPjgTntvFcwF4iNA KaUAAIwbN1EUhvPTpQDioOG9Aa42jYA4r3vS8qom7rmh+9gMHx9hg48L0mlMHtK+ erpUzuG4rMlc8IMGLB7ntFzZoNMymlq2btEJX0B6ayEVD0WjTxdfaMo7jexY8hEM H+IIUNnaBkN0PNY2P0OaRhTqGvnVNPGpgBaMldCroRt/0AvCGzZIjGV3XUtmnfnu g7FnFCKY59kl5WKuvf/2pO7HGPkhJsNxAnV5CmLqT3hrTMO9B30Cr5jXg0yt7XZl 9fQAWmNY7KX7rimcRxGRJlCanswTY5yDoEVQRqtZdGZSopa6arYJSitJF+3m0Goe N9hjoh2nfS3rD49tkjH6Vy4I7BeNMGB/tZ/DHhW+saJpdkl1gEe2sUal8rqomXMU cb/dEQihx3GATGOGxn923jvJDSCLxx6IZgnpEwYLjYBnVCtgnga5/OTykON2Ge1d UOA+IAcEg6edWGKLtKWUERo/zRvCLzMBgsEpMV9Y7VVW4usVjgfMPxwj7RtkeusA 3If6wDnyaKDEtN7SlKeR84erJWHytE2PdJl7DVZvffhJWDMZdRtlx8dddqPhc0S3 Rj6IM3jLfYsy+nPtJLyLsLXm0UVxIaPGIvC1+Vkvoag28xzPe6/WQeQJVC0eYUxv YiDkoKGVXCZhABEBAAGJAjwEGAEIACYWIQS9nVTvNOLq5acRaed6L6S290kVgQUC YKO0rQIbDAUJBaOagAAKCRB6L6S290kVgbGYEACdeodHvPPqNfhX/JfNjjgOzl8L HaJC7RyYD6Vo6aJcta7PaiAlhnntlNoMd/1UciFkdHE0p+4AxBBUZxNlAPparELK VhEp1GS7GhrwMxQQAstrdd2qjLuSVsNpKFtp7VMW0v/QKGnDDSctGNusCw/fDEx1 rHNhrB+wbUFDY86BW1i8l22m72UJ/STQaisOF8mO5eVmpuFKEq+v6jgPPrjIE7VR lYFfsFYBOrPKixNtjIfqU9jBBszW2rwLqebI1PSj3vQkFbOKTWhpHYePwq3y2pR1 dDIHIn1mJrksenqBwOvSr/mtYsBkiSrYoejZJ5qUAKHMfHN7YrVXZuAPStCUdyVk xg03GC2Mu0RNozDqM5rinioJwvSsn7DmlqD7+RyxByN2+Q2PKiPElcP0j75X0PbB YNJl6IyJNCevkp/BCrUXyb80Y8RJleoMv2rX85ZF54yz847doYHmi1htYmF6KQwf 6JDacedmSdGatLr8+d/290xTsJnCS2Q55RosvOVPUUZLzmh4bcjBM2bGkMzUUcOw jAjIZymC6aISckrvbEatJ6hPsBlM4SohaojOelUTakUkHXyw79WqERPyvZQqvvrS ofauS2MjHlS2YTNvLa6tJZjIBm09etCmmNJP8Pa7I9kPZTHhhQc4k3CdDvlaAv+J mkfhjRaYJGv2HdZvHQ== =6K8u