Public Vulnerability Reporting Policy

Valid from: 30.05.2025
Owner: Tarmo Randel, Information Security Manager

Introduction

It is Bolt’s goal to offer the best and most secure products and services. We value the work of security researchers who spend time and effort helping us to make our platform and apps more secure.

If you have found a vulnerability or other security issues in our service platform or application, please submit it to our bug bounty program on Bugcrowd.


Basic rules and expectations

  • Don't do anything that could cause harm to yourself or others.
  • Do respect the privacy of our users.
  • We do not tolerate extortion.
  • Do not publicly disclose findings without our consent.
  • Be respectful when interacting with Bolt staff, we may not answer you immediately because of the workload, but we do respond.
  • Only the first reporter of unknown vulnerability can collect fame or bounty.
  • We do not use Paypal/cryptocurrency to reward findings.
  • We do not reward findings while the planned security test of our applications is ongoing.


Legal

Always obey your local laws. We explicitly reject criminal activity in any form.


Disclosure guidelines

  • Test only systems in the Scope (provided below) and avoid systems out-of scope.
  • Please provide the details we need to reproduce the vulnerability.
    • Describe the prerequisites that need to be met to exploit the vulnerability
    • Describe the tested system state
    • Provide video or screenshots showing the steps for reproducing the vulnerability and the impact of the vulnerability on targeted system
    • If possible, provide Proof-of-Concept code
  • When searching for vulnerabilities, please try to be as little intrusive as possible. Use only harmless payloads in your exploits.
  • Do not disrupt our services with intent and make a good-will effort to not disrupt our services by accident.
  • Use test accounts and don’t compromise other users accounts, data or privacy.
  • Do not use or report findings from automated scanning tools.
  • Do not start DoS attacks or try to generate high loads in general. If you think our servers have a specific problem in handling high loads you can discuss that theoretically with us and we try to reproduce your findings in a non-productive environment.


The scope

  • Bolt driver application; iOS, Android and Web.
  • Bolt rider application; iOS, Android and Web.
  • Bolt Food applications.
  • *.bolt.eu
  • *.taxify.eu


Out of the scope

  • Infrastructure test sites, there are no applications and there is no relation to our live services:
    • *.test.taxify.eu
    • *.test.bolt.eu


Non-qualifying vulnerabilities

  • Abuse of authentication workflows through automated or high-volume interaction without demonstrated high-impact.
  • Clickjacking on pages with no data modification actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a relevant Bolt related working PoC.
  • SSL/TLS configuration best practice misses or non-TLS communication.
  • Any activity that could lead to the disruption of service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • SPF, DKIM, DMARC issues.
  • Cookie flags.
  • XSS (or a behavior) where you can only attack your own account.
  • XSS on pages where admins are intentionally given full HTML editing capabilities.
  • Reflected file download.
  • Physical security of the Bolts offices and employees.
  • Third-party bugs*

* If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, Bolt reserves the right to forward details of the issue to that party without notification to the researcher.


Exclusions

  • Social engineering of Bolt staff.
  • Knowingly posting, transmitting, uploading, linking to, sending or storing any malicious software.
  • Third party applications or websites or services that integrate with, or link to the services of Bolt.
  • Being a worker or partner of Bolt.
  • *.test.bolt.eu, used for infrastructure tests, no functional applications/data
  • *.test.taxify.eu, used for infrastructure tests, no functional applications/data


Disclosure

  • Please refrain from publishing technical details of any vulnerability you find to give us an opportunity to fix it. We try to work out a disclosure timeline with you. 
  • Before submitting a report, please read our Disclosure Guidelines above.
  • You can submit any vulnerability in our system and product to our bounty program on Bugcrowd.