About the company
BlaBlaCar is the world leader in long-distance carpooling. We are an innovative and fast-growing company building a unique community of members to transform the way people travel!
Since 2013, BlaBlaCar has grown exponentially and we are now a community of over 40 million members in more than 20 countries. We therefore need to keep our members' privacy and data secure.
Reporting & Disclosure Policy
BlaBlaCar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products or services, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
Please avoid DDoSing us or causing any service disruption while testing our platform, and take care not to endanger the privacy of our members.
Do not over-exploit a bug or access internal data to look for further vulnerabilities. We will determine the severity and reward accordingly.
Domains in the scope of this program
All localized versions of our website.
Our API: https://api.blablacar.com
Our Android application
Our iOS application
Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope.
Vulnerabilities in the scope of the program
* Cross-Site Scripting (XSS), Cross-site Request Forgery (CSRF), Server-Side Request Forgery (SSRF)
* Missing "secure" flags on authentication cookies (PHPSESSID, blablacar_token)
* Exposure of sensitive member information, except as part of the usual trip flow
* SQL Injection
* Remote Code Execution (RCE)
* Access Control Issues (Insecure Direct Object Reference issues, etc.)
* Directory Traversal Issues
* Local File Disclosure (LFD)
* Finding a numeric user ID (even your own)
* Decrypting this: a1eb77ff94d12fa7s42lHZ1RBvYYQ8YD1h1bOVA82wORD2w1coIyeTJflqo=
* Decrypting this: 0A5CRg99Df2muBSoXijzv-4kwhEsZSw1oA3UMnTWfq0
Sensitive member information means: last name, phone number (except after booking a trip), email address, physical address, licence plate, copy of a physical ID document.
High target value
Bounties are doubled if the vulnerability:
* affects the API: you can either route your mobile device's traffic through a proxy and use the app, or create a client ID and access the documentation at https://dev.blablacar.com
* affects payment, whatever the nature of the vulnerability
* affects our encryption strategies
Ineligible reports (out of scope)
* Any hypothetical flaw or best-practice recommendation without an exploitable PoC
* Login, logout, unauthenticated or low-value CSRF
* Unverified results of automated tools or scanners
* Social engineering (including phishing) of BlaBlaCar staff or contractors
* Any physical attempts against BlaBlaCar offices or data centers
* Missing security-related HTTP headers which do not lead directly to a vulnerability
* Presence/absence of SPF/DMARC records
* Presence of autocomplete attribute on web forms
* Vulnerabilities affecting users of outdated browsers and platforms
* Self XSS
* Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept)
* Mixed content warnings
* Brute force / password reuse attacks
* User enumeration attacks
* Premium-rate phone number attacks
* Denial of service
* Missing cookie flags on non-sensitive cookies
* Attacks requiring physical access to a user's device
* Disclosure of known public files or directories, (e.g. robots.txt)
* Massive automated actions on the platform through robots/crawling (except where they gather sensitive member information)
* Finding ways to give ratings to members without actually travelling with them
* Lack of context in SMS messages containing a code sent to members
* Persistent login cookie weaknesses
* Everything related to our external partner Datadome and its scraping protection
* Errors thrown by nginx when the request is invalid (e.g. during fuzzing)
* Security issues related to our WordPress blog
* Selling or ransoming user information obtained through password reuse or other attacks
Notes about the WordPress blog:
* most of its paths begin with /blablalife, but there are also /press and others in different languages
* if in doubt, you can also check the page source (the word "wordpress" appears throughout)
However, even if an issue type is listed as out of scope, if you really feel that a bug will have an impact on our platform, please come up with a convincing and working PoC. If it convinces us to change our code, we will reward you with a bounty.
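The scope list treats a missing "secure" flag on the authentication cookies (PHPSESSID, blablacar_token) as eligible, while the same defect on any other cookie is ineligible. The following script is an added example, not BlaBlaCar's code, that applies exactly that distinction to a set of Set-Cookie headers you paste in from your proxy or from `curl -i`. The cookie names come from the policy above; the sample headers are constructed for the example and are not captured from the real site. The program only names the Secure flag; the script additionally reports HttpOnly as supporting context, which is an addition here.

```python
# Added example (not BlaBlaCar's code): check Set-Cookie headers for the flags
# this program cares about and classify each finding as in or out of scope.
# Cookie names come from the policy text; the sample headers are constructed.

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Authentication cookies the policy names explicitly; compared case-insensitively.
AUTH_COOKIES = {"phpsessid", "blablacar_token"}

# Constructed sample Set-Cookie headers, as a proxy or `curl -i` would show them.
SAMPLE_HEADERS = [
    "PHPSESSID=3f9a1c2e; Path=/; HttpOnly",                               # auth cookie, Secure missing
    "blablacar_token=eyJhbGciOi; Path=/; Secure; HttpOnly; SameSite=Lax",  # auth cookie, fully flagged
    "lang=fr; Path=/; Max-Age=31536000",                                  # non-sensitive, no flags
]


@dataclass(frozen=True)
class Finding:
    cookie: str
    missing: Tuple[str, ...]   # flags absent, e.g. ("Secure",)
    in_scope: bool             # True only for the authentication cookies named above


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and HttpOnly
    map to an empty string. The cookie value is taken verbatim (no quoting rules).
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, str] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_cookie_flags(headers: List[str]) -> List[Finding]:
    """Return one Finding per cookie that lacks Secure or HttpOnly.

    A missing flag on PHPSESSID or blablacar_token is in scope for this program;
    the same defect on any other cookie is listed as ineligible, so it is kept
    with in_scope=False rather than dropped, to preserve the evidence.
    """
    findings: List[Finding] = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = tuple(
            flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
            if key not in attrs
        )
        if missing:
            findings.append(Finding(name, missing, name.lower() in AUTH_COOKIES))
    return findings


def reportable(findings: List[Finding]) -> List[Finding]:
    """Only the findings the policy says are eligible for a report."""
    return [f for f in findings if f.in_scope]


if __name__ == "__main__":
    for f in check_cookie_flags(SAMPLE_HEADERS):
        status = "IN SCOPE" if f.in_scope else "out of scope"
        print(f"{f.cookie}: missing {', '.join(f.missing)} ({status})")
```

Run it against the headers of a response that actually sets the session cookie (login or first visit); responses that do not set cookies give nothing to check. The script does no network access, so the evidence for a report is still the raw Set-Cookie line you captured.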
Change log: 18/09/2017
Added ineligible report: errors thrown by nginx when the request is invalid (e.g. during fuzzing)
Hall of Fame