Bug Bounty Program - BlaBlaCar

100 €

About the company

BlaBlaCar is the world leader in long-distance carpooling. We are an innovative and fast-growing company building a unique community of members to transform the way people travel!

Since 2013, BlaBlaCar has grown exponentially and we are now a community of over 40 million members in more than 20 countries. We therefore need to keep our members' privacy and data secure.

Reporting & Disclosure Policy

BlaBlaCar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Please avoid DDoSing us or otherwise disrupting the service while testing our platform, and take care not to endanger our members' privacy.
  • Do not over-exploit a bug or access internal data to hunt for further vulnerabilities. We will determine the severity and reward accordingly.
  • If you find the same vulnerability several times, please create only one report and add the other instances as comments if needed. You will be rewarded according to your findings.

Domains in the scope of this program

  • All localized versions of our website
  • Our API
  • Our Android application
  • Our iOS application

Please note that is hosted by a third party and thus is out of scope.

Scopes of the program

  • Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
  • Missing "secure" flags on authentication cookies (PHPSESSID, blablacar_token)
  • Sensitive member information exposure, except as part of the normal trip flow
  • SQL Injection
  • Remote Code Execution (RCE)
  • Access Control Issues (Insecure Direct Object Reference issues, etc.)
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Decrypting this: a1eb77ff94d12fa7s42lHZ1RBvYYQ8YD1h1bOVA82wORD2w1coIyeTJflqo=
  • Decrypting this: 0A5CRg99Df2muBSoXijzv-4kwhEsZSw1oA3UMnTWfq0
  • Exposure of internal tools (web apps showing metrics without authentication, development environments, etc)
  • Exposure of configuration files or secrets (e.g. on GitHub under blablacar, or in employees' open-source projects)

Sensitive member information means: last name, phone number (except after booking a trip), email, physical address, license plate, and copies of physical ID documents.

High-value targets

Bounties are doubled if the vulnerability:

  • affects the API: you can either proxy your mobile device and use the app, or create a client ID and access the documentation at

  • affects payment, whatever the nature of the vulnerability

  • affects our encryption strategies

Ineligible reports

  • Any hypothetical flaw or best-practice recommendation without an exploitable PoC
  • Login, logout, unauthenticated or low-value CSRF
  • Unverified results of automated tools or scanners
  • Social engineering (including phishing) of BlaBlaCar staff or contractors
  • Any physical attempts against BlaBlaCar offices or data centers
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Presence/absence of SPF/DMARC records
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting users of outdated browsers and platforms
  • Self XSS
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
  • Mixed content warnings
  • Brute force / password reuse attacks
  • User enumeration attacks
  • Premium-rate phone number attacks
  • Denial of service
  • Missing cookie flags on non-sensitive cookies (sensitive cookies are blablacar_token and PHPSESSID)
  • Attacks requiring physical access to a user's device
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Massive automated actions on the platform through robots/crawling (except if it gathers sensitive information from members)
  • Finding ways to give ratings to members without actually travelling with them
  • Lack of context on SMS containing a code sent to members
  • Persistent login cookie weaknesses
  • Everything related to our external partner Datadome and its scraping protection
  • Errors thrown by nginx on invalid or fuzzed requests
  • Security issues related to our WordPress blog
  • Selling or ransoming user information obtained through password reuse or other attacks
  • Host header injection, unless you can successfully forge a wrong URL or compromise something using it
  • CORS configuration, unless you can show a way to exploit it to compromise sensitive information
  • Finding your numeric user ID in integer format instead of UUID4 or encrypted format
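The two cookie rules above (in scope: missing "secure" flags on the authentication cookies PHPSESSID and blablacar_token; ineligible: missing flags on any other cookie) are easy to get wrong when triaging a response by eye. The following is an added example, not BlaBlaCar's or FireBounty's code: it parses Set-Cookie headers from a raw response, splits findings into the sensitive cookies the program names and everything else, and returns only the reportable ones. The sample response and cookie values are constructed for the example, and checking HttpOnly alongside Secure is an assumption (the page only names "secure").

```python
"""Triage Set-Cookie headers against this program's cookie scope.

Added example, not BlaBlaCar's code. The program rewards missing "secure"
flags only on the authentication cookies it names (PHPSESSID and
blablacar_token) and rejects reports about other cookies, so the checker
keeps the two groups apart. HttpOnly is checked next to Secure as the usual
companion flag; that is an assumption, not something the page states.
"""
from dataclasses import dataclass

# Cookies the program text calls sensitive / authentication cookies.
SENSITIVE_COOKIES = frozenset({"PHPSESSID", "blablacar_token"})

# Flags expected on an authentication cookie. "secure" is the one the
# program names; "httponly" is assumed as its usual companion.
EXPECTED_FLAGS = ("secure", "httponly")


@dataclass(frozen=True)
class CookieFinding:
    name: str
    sensitive: bool        # True if the program treats it as an auth cookie
    missing: tuple         # expected flags that are absent
    attributes: frozenset  # all lower-cased attribute names seen


def parse_set_cookie(value: str) -> tuple:
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names).

    Splitting on ';' is safe: attribute values such as
    Expires=Wed, 21 Oct 2026 07:28:00 GMT contain commas but never ';'.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return name, frozenset(attrs)


def extract_set_cookie(raw_headers: str) -> list:
    """Pull every Set-Cookie value out of a raw HTTP response header block."""
    values = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def check_cookies(set_cookie_values: list) -> list:
    """Return one CookieFinding per Set-Cookie value, in header order."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        missing = tuple(f for f in EXPECTED_FLAGS if f not in attrs)
        findings.append(CookieFinding(name, name in SENSITIVE_COOKIES, missing, attrs))
    return findings


def reportable(findings: list) -> list:
    """Keep only what the program says it will consider: a sensitive cookie missing a flag."""
    return [f for f in findings if f.sensitive and f.missing]


# Constructed sample response; cookie values are made up for this example.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=0123456789abcdef; Path=/; HttpOnly
Set-Cookie: blablacar_token=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: _tracking=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/
"""


if __name__ == "__main__":
    for f in check_cookies(extract_set_cookie(SAMPLE_RESPONSE)):
        if f.sensitive and f.missing:
            tag = "IN SCOPE"
        elif f.missing:
            tag = "ineligible"
        else:
            tag = "ok"
        print(f"{f.name:16} {tag:11} missing={list(f.missing)}")
```

Run it against a captured response header block instead of SAMPLE_RESPONSE: only lines tagged IN SCOPE are worth a report under the rules above; a tracking cookie without flags is exactly the "non-sensitive cookie" case the ineligible list excludes.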

Notes about the WordPress blog:

  • most of its paths begin with /blablalife, but there are also /press and others in different languages
  • if in doubt, check the page source (the wordpress keyword appears throughout)

However, even for an issue on the out-of-scope list, if you believe it has a real impact on our platform, submit a convincing, working PoC. If it convinces us to change our code, we will reward you with a bounty.


FireBounty (c) 2015-2019