Public Vulnerability Reporting Policy

Effective from: 17.06.2020
Owner: Tarmo Randel, Head of Information Security

Introduction

Bolt's aim is to offer the best and most secure products and services. We value the work of security researchers who spend their time and effort helping us make our platform and applications more secure.

If you have discovered a security hole or other security problems in our service platform or application, contact the security team (security@bolt.eu). We also run a managed bug bounty programme; for more information, contact the security team.

Main rules and expectations

  • Do not do anything that could harm yourself or others.
  • Respect the privacy of our users.
  • We do not tolerate extortion.
  • Do not publicly disclose findings without our consent.
  • Be respectful when interacting with Bolt staff; we may not answer you immediately because of our workload, but we do respond.
  • Only the first reporter of a previously unknown vulnerability can collect fame or a bounty.
  • We do not use PayPal/cryptocurrency to reward findings.
  • We do not draw conclusions while a planned security check of the applications is still in progress.

Legal information

Always obey your local laws. We explicitly reject criminal activity in any form.

Disclosure guidelines

  • Only test systems that are within scope.
    • Describe the prerequisites that need to be met to exploit the vulnerability.
    • Describe the tested system state.
    • If possible, provide Proof-of-Concept code.
  • When searching for vulnerabilities, please try to be as unintrusive as possible. Use only harmless payloads in your exploits.
  • Do not disrupt our services intentionally, and make a good-faith effort not to disrupt our services by accident.
  • Use test accounts and do not compromise other users' accounts, data or privacy.
  • Do not use or report findings from automated scanning tools.
  • Do not start DoS attacks or try to generate high loads in general. If you think our servers have a specific problem in handling high loads, you can discuss that theoretically with us and we will try to reproduce your findings in a non-production environment.

The scope

  • Bolt driver application; iOS, Android and Web.
  • Bolt rider application; iOS, Android and Web.
  • Bolt Food applications.
  • *.bolt.eu
  • *.taxify.eu

Non-qualifying vulnerabilities

  • Clickjacking on pages with no data modification actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a relevant working PoC against Bolt.
  • SSL/TLS configuration best practice misses or non-TLS communication.
  • Any activity that could lead to the disruption of service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • SPF, DKIM, DMARC issues.
  • Cookie flags.
  • XSS (or a behaviour) where you can only attack your own account.
  • XSS on pages where admins are intentionally given full HTML editing capabilities.
  • Reflected file download.
  • Physical security of Bolt offices and employees.

Exclusions

  • Social engineering of Bolt staff.
  • Knowingly posting, transmitting, uploading, linking to, sending or storing any malicious software.
  • Third party applications or websites or services that integrate with, or link to the services of Bolt.
  • Being a worker or partner of Bolt.

Timeline

We try to answer your mail within two business days; please send your mail in English. After our first answer we will evaluate your findings and contact you within a week.

Disclosure

  • Please refrain from publishing technical details of any vulnerability you find to give us an opportunity to fix it. We try to work out a disclosure timeline with you.
  • Before submitting a report, please read our Disclosure Guidelines above.
  • You can send an email about security holes in our systems and products to security@bolt.eu; you may use a PGP key, but you do not have to.