

100 $ 



For the initial prioritization and rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Range

Last updated 5 Aug 2019 22:50:07 UTC

Technical severity | Reward range
p1 Critical | $2,100 - $2,500
p2 Severe | $1,000 - $1,250
p3 Moderate | $450 - $600
p4 Low | $100 - $200

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
<> | iOS
[]( | Android
<> | API
<> | API
<> | API
<> | Website | API
<> | API
* | API

Out of scope

Target name | Type
(hubspot) | Website
(zendesk) | Website
<https://*> | Website

Active testing is only authorized on the targets listed as In-Scope. If you believe you've identified a serious vulnerability on a system outside the scope, feel free to report it or verify with

Target Information:

  • Lime is an urban transportation leader that offers mobility services, including scooters and bikes.

  • Major targets include

    • Rider Apps (available on iOS / Android)
    • Backend APIs that support the application.
    • Web application that supports operation.
    • Through the app, users can access both rider functionality (using the scooters and other modes of transit) and juicer functionality (charging devices on behalf of Lime).
  • Do not engage in any behavior that is disruptive, accesses users' private information, endangers users/the public, or is in any way harmful. If you believe you have found a vulnerability that can cause any of these sorts of issues, please stop testing and report your findings.

  • Certain exclusions apply. Please refer to the Out of Scope section below.

Out of Scope:

  • Cookie flags on
  • "secret" keys exposed in iOS/Android builds that we do not consider secret.
  • Email anti-spoofing configurations. (anything related, including but not limited to SPF, DKIM, DMARC)
  • *, * (unless user data is affected)
  • TLS/SSL protocol vulnerabilities
  • "clickjacking"
  • logout CSRF


  • You can self-register for the Lime rider/juicer apps, which are found on the App Store and Google Play.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


FireBounty crawled the Lime program on the Bugcrowd platform on 2019-12-11.
