FAQs:

Bug bounty Program Information

The OLA Bug Bounty Program is designed to encourage security research in OLA software and to reward those who help us create the safest mobile application in existence.

If you believe you have found a security vulnerability in Ola software, we encourage you to let us know as soon as possible. We will investigate the submission and, if it is found valid, take the necessary corrective measures. We request you to review our responsible disclosure policy below, along with the reward and reporting guidelines, before you report a security issue.

To show our appreciation for our security researchers, we offer a monetary bounty for all valid security vulnerabilities based on the severity, impact and complexity of the vulnerability.

Here is how it works:

Reporting security issues

Go to the Report a Vulnerability link to report security issues related to our applications.

Responsible disclosure & reporting guidelines

  • We request you not to make any public disclosure of a bug before it has been fixed.
  • Please understand that, due to the high number of submissions, it might take some time to fix the vulnerability you reported. Therefore, give us a reasonable amount of time to respond to you before you go public.
  • Share the security issue in detail. At times, we might ask for more information (if required).
  • Please do not access another user’s account or data without permission.
  • Please be respectful of our existing applications; we request you not to run test cases which might disrupt our services.
  • Do not use scanners or automated tools to find vulnerabilities. They are noisy and might result in suspension of your user account / IP address.
  • We also request you not to attempt attacks such as social engineering or phishing. These kinds of bugs will not be considered valid, and if caught, they might result in suspension of your account.
  • Vulnerabilities made public before the fix are not eligible for a bounty reward.

Responsibility at our end:

  • We will be fast and will try to get back to you as soon as possible.
  • We will keep you updated as we work to fix the bug you have submitted.
  • Bounty reward will be paid only once the vulnerability has been fixed.

Targets ONLY in scope:

Eligibility

To qualify for a bounty, you should:

  • Adhere to our Responsible Disclosure Policy (as mentioned above)
  • Be the first researcher to responsibly disclose the bug.
  • Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure. Examples of such bugs are:
  • Cross-Site Scripting (XSS)
  • SQL Injection / XXE / RCE
  • Server Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication (including OAuth bugs)
  • Broken Session flaws
  • Remote Code Execution
  • Privilege Escalation
  • Provisioning Errors
  • Business Logic flaws
  • Payment Related Issues
  • Misuse/Unauthorized use of our APIs
  • Improper TLS protection

Bounties

  • Bounties are awarded based on the severity, impact, complexity and the awesomeness of the vulnerability reported and it is at the discretion of the Ola bug bounty panel.
  • Our minimum reward is 1000 INR and we do not have an upper bound for the bounty amount.
  • Awesome bugs may win you some equally awesome goodies (SmartWatches/Tablets/HeadPhones/Tees/other cool stuff) as well!
  • Only one bounty will be rewarded for every distinct security vulnerability.
  • Bug bounty is applicable only for individuals.

Ineligible Reports and False Positives

Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a monetary reward:

  • Bugs requiring exceedingly unlikely user interaction.
  • Spam or social engineering techniques.
  • Denial-of-service attacks.
  • Logout cross-site request forgery.
  • Presence of banner or version information.
  • Error messages / stack traces that contain no sensitive data.
  • Clickjacking on pages without sensitive content, authentication, or state changing actions.
  • Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.
  • Vulnerabilities that Ola determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.
  • OPTIONS / TRACE HTTP method enabled.

Apart from monetary benefits, vulnerability reporters who work with us to resolve security bugs in our products will be credited on the Hall of Fame page.

Terms and Conditions:

By participating, you agree to comply with Ola’s Terms and Conditions, which are as follows:

  1. Abide by all the applicable laws of the land. Ola would not be responsible for any non-adherence to the laws of the land on your part.
  2. You should make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. In case of any breach, Ola reserves the right to take legal action.
  3. Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Ola.
  4. Ola reserves the right to discontinue the Bug Bounty Program at any time without notice.
  5. You may only exploit, investigate, or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data or access data that does not belong to you.
  6. All payments will be made in Indian Currency (INR).

Changes to Program Terms

The Bug Bounty Program, including its policies, is subject to change or cancellation by Ola at any time, without notice. As such, Ola may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after Ola posts any such changes, you accept the Program Terms, as modified.

Program Termination

In the event you breach any of these Program Terms or the terms and conditions of the Ola bug bounty program, Ola may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments.

Legal points

We are unable to issue rewards to individuals who do not follow the guidelines of our Vulnerability Program and depending upon the action of an individual, we could take strict legal action.

Testing using Tools

These tools are designed to be used by people who work in, or are interested in, the field of information security. They are meant to identify existing gaps, not to attack the application or service.

Don't be evil. Practice safe checks. Some of these tools can be disruptive or cause sites to misbehave leading to suspension of your account.

Hall Of Fame

Ola would like to thank the following people who have found security vulnerabilities in Ola products or services and have made a responsible disclosure to us.

Each name listed represents an individual who has responsibly disclosed one or more security vulnerabilities.

  • Abbas Sivaj Sait .G.K
  • Abhishek Anand
  • Abhishek Shroti
  • Akshay Jain
  • Anand Prakash
  • Anand Sarvottam Moorthy
  • Archita Aparichita
  • Asish Das & Sazzad Hussain
  • Asish Kumar Agarwalla
  • Deepak Das
  • Deepankar Arora
  • Harsha Vardhan
  • Manas (Leet Crawler)
  • Manikandan Rajakumar
  • Manish Kumar
  • Meghana Nayak
  • Mohit Rawat
  • Nikhit Kumar
  • Nikith Naresh DARAPANENI
  • Nishant Sharma
  • Nitesh kuhar
  • Pavan
  • Prajal Kulkarni
  • Prayank Gahlot
  • Prithvinder Singh
  • Sachin Singh
  • Sai Shyam G
  • Sandeep Singh
  • Saurabh Agarwal
  • Shai Rod (@NightRang3r)
  • Sharath Unni
  • Sharz
  • Sujit Devkar
  • Sumit Sahoo
  • Tarakram Reddy
  • Vishwaraj Bhattarai