We take security seriously at Urban Company, and we’re committed to protecting our community. If you are a security researcher or expert and believe you’ve identified security-related issues with Urban Company’s website or apps, we would appreciate you disclosing it to us responsibly.
Our team is committed to addressing all security issues in a responsible and timely manner, and we ask the security community to give us the opportunity to do so before disclosing them publicly. Please submit a detailed description of the issue to us, along with the steps to reproduce it. We trust the security community to make every effort to protect our users’ data and privacy.
To be eligible for the Bug Bounty Program, you must not:
- Be in violation of any national, state, or local law or regulation
- Be employed by Urban Company or its subsidiaries
- Be an immediate family member of a person employed by Urban Company or its subsidiaries or affiliates
- Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.
Former employees and contractors are eligible to participate in the program only if both of the conditions below are met:
- You left Urban Company more than 1 year prior to submission
- You are not making use of or referring to any non-public Urban Company information obtained while you were an employee or contractor.
If Urban Company discovers that you meet any of the criteria above, Urban Company will remove you from the Bug Bounty Program and disqualify you from receiving any Bounty Payments.
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
If UC's security team has evidence of active exploitation or imminent public harm, they may immediately provide remediation details to the public so that users can take protective action.
Please include the header X-Hackerone: <h1_username> in your requests when you test so we can identify them easily.
In order to allow hackers outside of India to test on Urban Company, we have created a sample account. Please use the following details when logging in:
- Phone Number: +91 9205884806
- OTP: 1234
Exclusions: Please note that rate-limiting-related vulnerabilities reported on the test account provided above will not be considered valid reports, because the rate-limiting mechanism is disabled for test accounts. To prove such vulnerabilities, your testing must be done with a valid Urban Company account.
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
- Do not use automated tools or scripts; they are strictly prohibited. Any POC submitted to us must include a proper step-by-step guide to reproduce the issue.
- Do not access or modify data without the explicit permission of the owner.
- Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.
Due to complexity and other factors, some vulnerabilities might require longer than 30 days to remediate.
Responsibility – Act in good faith not to degrade the performance of our services or the privacy of our users. Please do not attempt to compromise the safety or privacy of our users (so please use test accounts), or the availability of Urban Company through DoS attacks or spam. We also request you do not use vulnerability testing tools that generate a significant volume of traffic.
Reproducibility – Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations, and working code are more likely to garner rewards.
We only reward the first reporter of a vulnerability.
Do not test the physical security of Urban Company offices, employees, equipment, etc.
Public disclosure of the vulnerability without express consent from the organization will result in disqualification from the program.
Accepted, in-scope vulnerabilities include, but are not limited to:
- Disclosure of sensitive or personally identifiable information
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context
- Server-side or remote code execution (RCE)
- Authentication or authorization flaws, including insecure direct object references and authentication bypass
- Injection vulnerabilities, including SQL and XML injection
- Directory traversal
- Significant security misconfiguration with a verifiable vulnerability
- Exposed credentials, disclosed by UC or its employees, that pose a valid risk to an in-scope asset
- Shell upload vulnerabilities (only upload a basic backend script that prints a fixed string; preferably print the hostname of the server and stop there!)
- Ability to book UC services for free
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
- Any physical attacks against Urban Company property or data centers
- Reports that involve a secondary user account where an existing business relationship is being leveraged and the impact is limited solely to the parent account
- Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists)
- Scanner output or scanner-generated reports, including any automated or active exploit tool
- Attacks involving payment fraud, theft, or malicious merchant accounts
- Man-in-the-Middle attacks
- Vulnerabilities involving stolen credentials or physical access to a device
- Social engineering attacks, including those targeting or impersonating internal employees by any means (e.g. customer service chat features, social media, personal domains, etc.)
- Open redirection, except in the following circumstances:
  - Clicking an Urban Company-owned URL immediately results in a redirection, and/or
  - A redirection results in the loss of sensitive data (e.g. session tokens, PII, etc.)
- Host header injections without a specific, demonstrable impact
- Vulnerabilities found through DDoS or spam attacks. If you discover a vulnerability and believe it can cause DoS (for example, a logical flaw or known CVE), please submit it and we will review it on a case-by-case basis. Do not attempt or execute DDoS attacks.
- Self-XSS, which includes any payload entered by the victim
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
- Login/logout CSRF
- CSRF on unauthenticated forms or forms with no sensitive actions
- Content spoofing without embedding an external link or JavaScript
- Session not getting invalidated after logout
- Infrastructure vulnerabilities, including:
  - Issues related to SSL certificates
  - DNS configuration issues
  - Server configuration issues (e.g. open ports, TLS versions, etc.)
- Vulnerabilities only affecting users of outdated, unpatched, or unsupported browsers and platforms, including any version of Internet Explorer
- Vulnerabilities that only affect one browser will be considered on a case-by-case basis and may be closed as informative due to the reduced attack surface
- Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.), or information disclosed outside of Urban Company's control (e.g. a personal, non-employee repository; a list from a previous infodump; etc.)
- Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset
- Any XSS that requires Flash. Flash is disabled by default in most modern browsers, thus greatly reducing the attack surface and associated risk
- Missing HttpOnly or Secure flags on cookies
- Missing security headers
- Invalid or missing SPF/DKIM/DMARC records
- Clickjacking on pages with no sensitive actions
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
- Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction or resulting in minimal impact
- Vulnerabilities in third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
- Exposure of non-sensitive data on the device
- Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
https://www.urbancompany.com/blog points to blog.urbancompany.com and is out of scope.
Certain vulnerabilities are already known either internally or through past submissions. These issues will be closed as Not Applicable:
- Hardcoded/unrestricted third-party API keys (Google API keys, Branch.io, etc.)
- CORS misconfiguration
- Impersonating another person's account in the UI using response tampering without being able to book services on their behalf
- Broken link hijacking
- Bypassing rate limiting using IP rotation
- Task hijacking
For all submissions, please include:
- Full description of the vulnerability being reported, including the exploitability and impact
- Evidence and explanation of all steps required to reproduce the submission, which may include:
  - Videos
  - Screenshots
  - Exploit code
  - Traffic logs
  - Web/API requests and responses
  - Mobile number or user ID of any test accounts
  - IP address used during testing
  - For RCE submissions, see below
Failure to include any of the above items may delay or jeopardize the Bounty Payment.
Failure to meet the conditions and requirements below could result in forfeiture of any potential Bounty Payment:
- Source IP address
- Timestamp, including time zone
- Full server requests and responses
- Filenames of any uploaded files, which must include “bugbounty” and the timestamp
- Callback IP and port, if applicable
- Any data that was accessed, either deliberately or inadvertently
Allowed Actions:
- Directly injecting benign commands via the web application or interface (e.g. whoami, hostname, ifconfig)
- Uploading a file that outputs the result of a hard-coded benign command
Prohibited Actions:
- Uploading files that allow arbitrary commands (i.e. a web shell)
- Modifying any files or data, including permissions
- Deleting any files or data
- Interrupting normal operations (e.g. triggering a reboot)
- Creating and maintaining a persistent connection to the server
- Intentionally viewing any files or data beyond what is needed to prove the vulnerability
- Failing to disclose any actions taken or applicable required information
You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.
Urban Company reserves the right to change or modify the terms of this program at any time.
If you have any doubts, please write to us: security@urbancompany.com.
Thank you for helping keep Urban Company safe!
Scope Type | Scope Name
--- | ---
android_application | com.urbanclap.provider
android_application | com.urbanclap.urbanclap
ios_application | 1032480595
ios_application | 982922982
web_application | www.urbancompany.com
web_application | www.urbanclap.com

Scope Type | Scope Name
--- | ---
web_application | Other urbancompany.com subdomains except for the ones in-scope
FireBounty crawled the Urban Company program on the HackerOne platform on 2021-07-29.