About Via

At Via, we are building the transportation systems of tomorrow, right now. Via's technology is deployed worldwide through dozens of partner projects with public transportation agencies, private transit operators, taxi fleets, private companies, and universities, seamlessly integrating with public transit infrastructure to power cutting-edge on-demand mobility.

Via looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Via will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 5 business days

• Time to triage (from report submit) - 10 business days

• Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering of any kind (e.g. phishing, vishing, smishing) is absolutely prohibited.

• Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder. Under no circumstances should you access any personally identifiable information ("PII") of a Via rider, Via driver or anyone associated with Via.

Rewards

Please see the structured bounty table. Our bounty table provides general guidelines and the amounts are indicative of ranges, thus, all final decisions are at the discretion of Via.

In Scope

• Via Rider Application

*  Google Play:  https://play.google.com/store/apps/details?id=via.rider 

*  App Store: https://itunes.apple.com/us/app/via-low-cost-ride-sharing/id657777015?mt=8

New Addition!

• "The Station" Application

* Google Play: https://play.google.com/store/apps/details?id=com.ridewithvia.zuzu

* App Store: https://apps.apple.com/us/app/id1515005951?mt=8

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Exposed Google API and Mparticle keys.

• Task Hijacking

• Clickjacking on pages with no sensitive actions.

• Weak password policy.

• UUID / ID enumeration of any kind.

• Logout/login CSRF.

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Open ports without an accompanying proof-of-concept demonstrating vulnerability.

• Invalid or missing SPF/DKIM

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Missing HTTP header/ Missing cookie flag which does not lead to a direct vulnerability

• Software version disclosure

• Self-XSS

• SSL/TLS scan reports

• Path or hostname disclosure in error messages

• Tabnabbing

• Open redirect - unless an additional security impact can be demonstrated

• User / Data Enumeration issues with low-risk and insignificant information being enumerated

• Social engineering of any kind (e.g. phishing, vishing, smishing, spear phishing).

Never in scope

• Third-party services used by Via app

• Third-party implementations integrating the Via SDK

• DoS 

Out of scope domains

• *.drivewithvia.com

• https://ridewithvia.com - commercial site 

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Via and our users safe!