Out of Scope
|Scope Type||Scope Name|
|undefined||Any website that is not listed explicitly in the scope.|
|undefined||However, though listed in the out-of-scope list, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If that convinces us to change our code, we will reward you with a bounty.|
|web_application||Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope.|
BlaBlaCar is the world leader in long-distance carpooling. We are an innovative and fast-growing company building a unique community of members to transform the way people travel!
Since 2013, BlaBlaCar has grown exponentially and we’re now a community of over 40 million members in more than 20 countries. Thus, we need to keep our members’ privacy and data secure.
BlaBlaCar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Domains | Domains
https://www.blablacar.cz | https://www.blablacar.com.ua
https://www.blablacar.de | https://m.blablacar.de
https://www.blablacar.co.uk | https://m.blablacar.co.uk
https://www.blablacar.in | https://m.blablacar.in
https://www.blablacar.es | https://m.blablacar.es
https://www.blablacar.mx | https://m.blablacar.mx
https://www.fr.blablacar.be | https://m.fr.blablacar.be
https://www.blablacar.fr | https://m.blablacar.fr
https://www.blablacar.hr | https://m.blablacar.hr
https://www.blablacar.hu | https://m.blablacar.hu
https://www.blablacar.it | https://m.blablacar.it
https://www.nl.blablacar.be | https://m.nl.blablacar.be
https://www.blablacar.nl | https://m.blablacar.nl
https://www.blablacar.pl | https://m.blablacar.pl
https://www.blablacar.com.br | https://m.blablacar.com.br
https://www.blablacar.pt | https://m.blablacar.pt
https://www.blablacar.ro | https://m.blablacar.ro
https://www.blablacar.ru | https://m.blablacar.ru
https://www.sk.blablacar.com | https://m.sk.blablacar.com
https://www.rs.blablacar.gg | https://m.rs.blablacar.gg
https://www.blablacar.com.tr | https://m.blablacar.com.tr
https://www.blablacar.com.ua | https://m.blablacar.com.ua
Our Android Application
Our iOS Application
Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope.
What counts as sensitive member information: last name, phone number (except after booking a trip), email, physical address, license plate, physical ID copy.
Bounties are doubled if the vulnerability:
affects the API: you can either proxy your mobile traffic and use the app, or create a client ID and access the documentation at https://dev.blablacar.com
affects the payment, whatever the nature of the vulnerability
affects our encryption strategies (this does not apply when encryption is used for obfuscation purposes)
Notes about the WordPress blog:
However, though listed in the out-of-scope list, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If that convinces us to change our code, we will reward you with a bounty.