The OLA Bug Bounty Program is designed to encourage security research in OLA software and to reward those who help us create the safest mobile application in existence.
If you believe you have found a security vulnerability in Ola software, we encourage you to let us know as soon as possible.
We will investigate the submission and if found valid, take the necessary corrective measures.
We request that you review our responsible disclosure policy, along with the reward and reporting guidelines mentioned below, before you report a security issue.
To show our appreciation for our security researchers, we offer a monetary bounty for all valid security vulnerabilities based on the severity, impact and complexity of the vulnerability.
Here is how it works:
Reporting security issues
Go to the Report a Vulnerability link to report security issues related to our applications.
Responsible disclosure & reporting guidelines
- We request that you not publicly disclose a bug before it has been fixed.
- Please understand that, due to the high number of submissions, it might take some time to fix the vulnerability you reported. Therefore, give us a reasonable amount of time to respond before you go public.
- Share the security issue in detail. At times, we might ask you for more information.
- Please do not access another user’s account or data without permission.
- Please be respectful of our existing applications; we request that you not run test cases that might disrupt our services.
- Do not use scanners or automated tools to find vulnerabilities. They’re noisy and might result in suspension of your user account / IP address.
- We also request that you not attempt attacks such as social engineering or phishing. Such reports will not be considered valid and, if detected, may result in suspension of your account.
- Vulnerabilities made public before the fix are not eligible for a bounty reward.
Responsibility at our end:
- We will be prompt and will try to get back to you as soon as possible.
- We will keep you updated as we work to fix the bug you have submitted.
- Bounty reward will be paid only once the vulnerability has been fixed.
Targets ONLY in scope:
To qualify for a bounty, you should:
- Adhere to our Responsible Disclosure Policy (as mentioned above)
- Be the first researcher to responsibly disclose the bug.
- Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure. Examples of such bugs are:
  - Cross-Site Scripting (XSS)
  - SQL Injection / XXE / RCE
  - Server-Side Request Forgery (SSRF)
  - Cross-Site Request Forgery (CSRF/XSRF)
  - Broken Authentication (including OAuth bugs)
  - Broken Session flaws
  - Remote Code Execution
  - Privilege Escalation
  - Provisioning Errors
  - Business Logic flaws
  - Payment-Related Issues
  - Misuse/Unauthorized use of our APIs
  - Improper TLS protection
- Bounties are awarded based on the severity, impact, complexity and awesomeness of the vulnerability reported, and the amount is at the discretion of the Ola bug bounty panel.
- Our minimum reward is 1000 INR, and we do not have an upper bound for the bounty amount.
- Awesome bugs may win you some equally awesome goodies (smartwatches/tablets/headphones/tees/other cool stuff) as well!
- Only one bounty will be awarded for each distinct security vulnerability.
- The bug bounty is applicable only to individuals.
Ineligible Reports and False Positives
Some reported issues that carry low impact may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:
- Bugs requiring exceedingly unlikely user interaction.
- Spam or social engineering techniques.
- Denial-of-service attacks.
- Logout cross-site request forgery.
- Presence of banner or version information.
- Error messages or stack traces that contain no sensitive data.
- Clickjacking on pages without sensitive content, authentication, or state changing actions.
- Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.
- Vulnerabilities that Ola determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.
- OPTIONS / TRACE HTTP method enabled.
Apart from monetary benefits, vulnerability reporters who work with us to resolve security bugs in our products will be credited on the Hall of Fame page.
Terms and Conditions:
By participating, you agree to comply with Ola’s Terms and Conditions, which are as follows:
- Abide by all applicable laws of the land. Ola will not be responsible for any non-adherence to the laws of the land on your part.
- You should make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. In case of any breach, Ola reserves the right to take legal action.
- Eligibility for rewards, and the determination of recipients and reward amounts, is at the discretion of Ola.
- Ola reserves the right to discontinue the Bug Bounty Program at any time without notice.
- You may only exploit, investigate, or target vulnerabilities against your own account. Testing must not violate any law, disrupt or compromise any data, or access data that does not belong to you.
- All payments will be made in Indian Currency (INR).
Changes to Program Terms
The Bug Bounty Program, including its policies, is subject to change or cancellation by Ola at any time, without notice.
As such, Ola may amend these Program Terms and/or its policies at any time by posting a revised version on our website.
By continuing to participate in the Bug Bounty Program after Ola posts any such changes, you accept the Program Terms, as modified.
In the event you breach any of these Program Terms or the terms and conditions of the Ola bug bounty program, Ola may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments.
We are unable to issue rewards to individuals who do not follow the guidelines of our Vulnerability Program, and depending on the individual’s actions, we may take strict legal action.
Testing using Tools
These tools are designed to be used by people who work in, or are interested in, the field of information security. They are meant to identify gaps, not to attack the application or service.
Don't be evil. Practice safe checks. Some of these tools can be disruptive or cause sites to misbehave, leading to suspension of your account.