11/12/2019
Reward: 100 $

Lime

About Lime

Lime is an urban transportation leader that offers mobility services, including scooters and bikes.

Ratings and Rewards

For the initial prioritization and rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy.

However, in some cases, a vulnerability priority can be modified based on impact or risk. When an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.

Reward Range

Last updated 13 Feb 2020 00:34:01 UTC

Technical severity | Reward range
---|---
P1 Critical | $2,100 - $5,000
P2 Severe | $1,000 - $1,250
P3 Moderate | $450 - $600
P4 Low | $100 - $200

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
<https://apps.apple.com/us/app/lime/id1199780189> | iOS
<https://play.google.com/store/apps/details?id=com.limebike> | Android
<https://api.lime.bike> | API
<https://webviews.lime.bike> | API
<https://juicer.lime.bike> | API
<https://admintool.lime.bike> | Website
proxy-production.lime.bike | API
<https://ops.lime.bike> | API
*.lime.bike | API

Out of scope

Target name | Type
---|---
https://li.me (hubspot) | Website
https://help.li.me (zendesk) | Website
<https://*.li.me> | Website

Active testing is only authorized on the targets listed as In-Scope.

If you believe you have identified a severe vulnerability on a Lime system outside the scope, please check with support@bugcrowd.com.


Target Information

  • Major targets include
    • Rider Apps (available on iOS / Android)
    • Backend APIs that support the application.
    • Web application that supports operations.
  • Through the app, users can access both
    • rider functionality: using the scooters and other modes of transit
    • juicer functionality: charging devices for Lime
  • Do not engage in any behavior that is disruptive, accesses users' private information, endangers users/the public, or is in any way harmful. If you believe you have found a vulnerability that can cause any of these sorts of issues, please stop testing and report your findings.
  • Certain exclusions apply. Please refer to the Out of Scope section below.

Out of Scope

  • Cookie flags on webview.lime.bike
  • "secret" keys exposed in iOS/Android builds that we do not consider secret.
  • Email anti-spoofing configurations. (anything related, including but not limited to SPF, DKIM, DMARC)
  • *.li.me, *.limebike.com (unless user data is affected)
    • li.me (report to hubspot)
    • help.li.me (report to zendesk)
    • community.li.me (report to bevy)
  • TLS/SSL protocol vulnerabilities.
  • "clickjacking".
  • logout CSRF.
  • Rate limit problems that do not lead to unauthorized access of accounts.

Other Philosophies

  • For 0day issues, we aim at patching within 14 days. Reports within 14 days of vulnerability release may not be rewarded.
  • For vulnerabilities in a vendor's product (for example, Zendesk, Hubspot), please report to the vendor directly to avoid double reporting.

Credentials


Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If you are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type | Scope Name
---|---
android_application | https://play.google.com/store/apps/details?id=com.limebike
ios_application | https://apps.apple.com/us/app/lime/id1199780189
web_application | https://api.lime.bike
web_application | https://webviews.lime.bike
web_application | https://juicer.lime.bike
web_application | https://admintool.lime.bike
web_application | proxy-production.lime.bike
web_application | https://ops.lime.bike
web_application | *.lime.bike

Out of Scope

Scope Type | Scope Name
---|---
web_application | https://li.me (hubspot)
web_application | https://help.li.me (zendesk)
web_application | https://*.li.me


Firebounty crawled the program Lime on the platform Bugcrowd on 2019-12-11.
