About Lime

Lime is an urban transportation leader that offers mobility services, including scooters and bikes.

Ratings and Rewards

For the initial prioritization and rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy.

However, in some cases, a vulnerability priority can be modified based on impact or risk. When an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.


Other Philosophies

  • Focus on impact. A minor misconfiguration alone does not qualify for a reward.
  • For 0day issues, we aim to patch within 14 days. Reports submitted within 14 days of the vulnerability's public release may not be rewarded.
  • For vulnerabilities in a vendor's product (for example, Zendesk, Hubspot), please report to the vendor directly to avoid double reporting.

Reward range

Last updated 4 Mar 2020 17:14:36 UTC

Technical severity | Reward range
---|---
P1 Critical | $2,100 - $5,000
P2 Severe | $1,000 - $1,250
P3 Moderate | $450 - $600
P4 Low | $100 - $200

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
---|---
<> | iOS
<> | Android
<> | API Testing
<> | API Testing
<> | API Testing
<> | Website Testing | API Testing
<> | API Testing
* | API Testing
* | Website Testing
<> | Website Testing
<> | Website Testing
<> | Website Testing
<> | Website Testing

Out of scope

Target name | Type
---|---
(hubspot) | Website Testing
(zendesk) | Website Testing
<https://*> | Website Testing

Active testing is only authorized on the targets listed as In-Scope.

If you believe you have identified a severe vulnerability on a Lime system outside the scope, please check with

Target Information

  • Major targets include:
    • Rider Apps (available on iOS / Android)
    • Backend APIs that support the application.
    • Web applications that support operations.
    • Through the app, users can access both:
      • rider functionality: using the scooters and other modes of transit
      • juicer functionality: charging devices for Lime
  • Do not engage in any behavior that is disruptive, accesses users' private information, endangers users/the public, or is in any way harmful. If you believe you have found a vulnerability that can cause any of these sorts of issues, please stop testing and report your findings.
  • Certain exclusions apply. Please refer to the Out of Scope section below.

Out of Scope

  • Cookie flags on
  • "secret" keys exposed in iOS/Android builds that we do not consider secret.
  • Email anti-spoofing configurations. (anything related, including but not limited to SPF, DKIM, DMARC)
  • *, * (unless user data is affected)
    • (report to hubspot)
    • (report to zendesk)
    • (report to bevy)
  • TLS/SSL protocol vulnerabilities.
  • Clickjacking.
  • Logout CSRF.
  • Rate limit problems that do not lead to unauthorized access to accounts.
  • Attacks that require unauthorized access to users' clients (phones, browsers, etc.)
  • Low-impact open redirects (no immediate credential leak)
  • Android debugging enabled

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If you are uncertain whether your security research is consistent with this policy, please inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

Firebounty have crawled on 2019-12-11 the program Lime on the platform Bugcrowd.

FireBounty © 2015-2020
