Responsible Disclosure Program
The Ola responsible disclosure program is designed to encourage security researchers to find security vulnerabilities in Ola software and to recognize those who help us create a safe and secure product for our customers and partners.
If you believe you have found a security vulnerability in Ola software, we encourage you to let us know as soon as possible. We will investigate the submission and if found valid, take necessary corrective measures. We request you to review our responsible disclosure policy as mentioned below along with the reporting guidelines, before you report a security issue.
To show our appreciation for the security researchers, we recognize the individual by a honourable mention in our Hall of Fame.
The information on this page is intended for security researchers interested in reporting security vulnerabilities to Ola security team. If you are an Ola customer and have concerns regarding non-information security related issues or seeking information about your Ola account / complaints, please reach out to customer support or write to firstname.lastname@example.org.
Reporting security issues
Go to the Report a Vulnerability page to report security issues related to our applications.
- We do not offer a bug bounty at this time, but honourable mention will be awarded based on the severity, impact, complexity and the awesomeness of the vulnerability reported and it is at the discretion of Ola security team.
- A certificate of appreciation (soft copy) is reserved for researchers who have been continuously reporting valid security issues to us over a longer period of time.
Responsible disclosure & reporting guidelines
- You should not do any public disclosure of a bug without prior approval from the Ola security team.
- Please understand that due to the high number of submissions, it might take some time to triage the submission or to fix the vulnerability reported by you. Therefore, give us a reasonable amount of time to respond to you.
- Originality, quality, and content of the report will be considered while triaging the submission, please make sure that the report clearly explains the impact and exploitability of the issue with a detailed proof of concept.
- Please make sure that any information like proof of concept videos, scripts etc., should not be uploaded on any 3rd party website and should be directly attached as a reply to the acknowledgement email that you receive from us.
- You are obliged to share any extra information if asked for, refusal to do so will result in invalidation of the submission.
- You are not supposed to access any data/internal resources of Ola as well the data of our customers without prior approval from the Ola security team.
- You must be respectful to our existing applications, and in any case you should not run test-cases which might disrupt our services.
- Do not use scanners or automated tools to find vulnerabilities since they’re noisy. Doing so will invalidate your submission and you will be completely banned from Ola responsible disclosure program.
- We also request you not to attempt attacks such as social engineering, phishing etc. These kinds of findings will not be considered as valid ones, and if caught, might result in suspension of your account and appropriate legal action as well.
Responsibility at our end
- We will be fast and will try to get back to you as soon as possible.
- We will keep you updated as we work to fix the bug you have submitted.
- Hall of Fame will be updated only once the vulnerability has been fixed.
Targets in scope
- Ola Cabs mobile app ( Android | iOS )
- Ola Lite mobile app - Lighter version of Ola Cabs app ( Android )
- Ola Money mobile app ( Android | iOS )
- Ola Operator mobile app ( Android )
- Ola Partner mobile app ( Android | iOS)
Out of Scope Targets
- All the sandbox and staging environments are out scope.
- All external services/software which are not managed or controlled by Ola are considered as out of scope / ineligible for recognition.
- Newly acquired company websites/mobile apps are subject to a 12 month blackout period. Issues reported sooner in such websites/mobile apps won't qualify for any recognition.
* The above list of targets are out of scope even if the domain matches the inscope pattern.
Prerequisites to qualify for Hall of Fame:
- Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any recognition.
- Must adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
- This program is applicable only for individuals not for organizations.
- Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.
In scope vulnerability examples
Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data or enable access to a restricted/sensitive system within our infrastructure.
Example of such bugs are:
- Cross-Site Scripting (XSS)
- Sql Injection
- XML external entity (XXE) injection>
- Server Side Template Injection (SSTI)
- Server Side Request Forgery (SSRF)
- Cross-Site Request Forgery (on sensitive actions)
- Broken Authentication / Authorization
- Broken Session flaws
- Remote Code Execution (RCE)
- Privilege Escalation
- Business Logical flaws
- Payment Related Issues
- Misuse/Unauthorized use of our APIs
- Open Redirects (which allow stealing secrets/tokens)
Out of scope vulnerabilities
Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn any recognition:
- Clickjacking in any form
- Bugs requiring exceedingly unlikely user interaction (e.g Social engineering)
- Spamming (e.g. SMS/Email Bombing)
- Any kind of spoofing attacks or any attacks that leads to phishing (e.g. Email spoofing, Capturing login credentials with fake login page)
- Denial-of-service attacks or vulnerabilities that leads to DOS/DDOS
- Login - Logout cross-site request forgery
- Self XSS
- Presence of server/software banner or version information
- Stack traces and Error messages which do not reveal any sensitive data
- Third party API key disclosures without any impact or which are supposed to be open/public.
- OPTIONS / TRACE HTTP methods enabled
- Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
- Missing Cookie Flags (e.g. HttpOnly, secure etc)
- Host Header Injection
- Broken Links (e.g. 404 Not Found page)
- Known public files or directories disclosure (e.g. robots.txt, css/images etc)
- Browser ‘autocomplete’ enabled
- HTML / Text Injection
- Forced Browsing to non-sensitive information (e.g. help pages)
- Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
- DNS issues (e.g. Missing CName, SPF records etc.)
- End of Life Browsers / Old Browser versions (e.g. internet explorer 6)
- Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)
- Coupon Misuse
- Brute force on forms (e.g. Contact us page)
- Brute force on “Login with password” page
- Account lockout not enforced
- CSV injection
- Any kind of vulnerabilities that requires installation of software like web browser add-ons, etc in victim's machine
- Rate limit mechanism bypass
- Kiosk mode / Screen pinning bypass
- Any kind of vulnerabilities that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
- Bypassing root/jailbroken detection
- SSL Pinning bypass
- Reporting usage of known-vulnerable software/known CVE’s without proving the exploitability on Ola’s infrastructure by providing a proper proof of concept
- Bug which Ola is already aware of or those already classified as ineligible
Terms and Conditions
By participating, you agree to comply with Ola’s Terms and Conditions which are as follows:
- Abide by all the applicable laws of the land. Ola would not be responsible for any non-adherence to the laws of the land on your part.
- You must avoid Privacy violations, destruction of data, interruption & degradation of our service during your participation in this program. In case of any breach or violation, Ola reserves the right to take legal action.
- Eligibility for recognition is up to the discretion of Ola.
- Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
- Threatening of any kind will automatically disqualify you from participating in the program.
- All the communications with Ola related to this program are to remain fully confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
- Ola reserves the right to discontinue the responsible disclosure program at any time without notice.
- You may only investigate, or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data or access data that does not belong to you.
- Vulnerabilities which Ola determines as accepted risk will not be eligible for any kind of recognition.
Changes to Program Terms
The responsible disclosure program, including its policies, is subject to change or cancellation by Ola at any time, without notice. As such, Ola may amend these program terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the responsible disclosure program after Ola posts any such changes, you implicitly agree to comply with the updated program terms.
In the event you breach any of these program terms or the terms and conditions of Ola responsible disclosure program, Ola may immediately terminate your participation in the program. In some cases all your previous contributions may also be invalidated.
We shall not issue recognition to any individual who does not follow the guidelines of our program and depending upon the action of an individual, we could take strict legal action.
Testing using Tools
Don't be evil. Practice safe checks. You must not use any automated tools/scripts as those can be disruptive or cause systems to misbehave, doing so will invalidate your submission and you will be completely banned from Ola responsible disclosure program.
Last updated on: 25th April 2020