Bug Bounty Program Information

The Ola Bug Bounty Program ("Program") is designed to encourage security researchers to find security vulnerabilities in Ola's software and to recognize those who help us create a safe and secure product for our customers and partners. The Program is operated and facilitated by ANI Technologies Private Limited and its affiliates (together "Ola").

If you believe you have found a security vulnerability in Ola software, we encourage you to let us know as soon as possible.We will investigate the submission and if found valid, take necessary corrective measures. We may request you for additional information regarding the vulnerability(ies), for which you will cooperate in providing. We request you to review our bug bounty policy as mentioned below along with the reporting guidelines, before you report a security issue. By submitting any information to us, you agree to be bound by these terms and conditions ("T&Cs").

To show our appreciation for the security researchers,we offer a monetary reward/ goodies for all valid security issues based on the severity impact and complexity of the same, the individual will also be given a honourable mention in our Hall of Fame.

The information on this page is intended for security researchers interested in reporting security vulnerabilities to Ola security team. If you are an Ola customer and have concerns regarding non-information security related issues or seeking information about your Ola account / complaints, please reach out to customer support

Reporting security issues

Go to the Report a Vulnerability page to report security issues related to our applications.

Rewards

We offer monetary rewards for security issues which meet the following criteria:

  • The minimum monetary reward for eligible bugs is 1000 INR. All reward amounts, once communicated by Ola, are non-negotiable.
  • We may reward only with awesome goodies depending on the severity of the vulnerability.
  • Apart from monetary benefits, vulnerability reporters who work with us to resolve security bugs in our products will be honored on the Hall of Fame page.
  • Rewards are decided based on the severity, impact, complexity and the awesomeness of the vulnerability reported and it is at the discretion of Ola Bug Bounty panel.

* All the monetary rewards mentioned on this page are in Indian Rupees (INR).

Responsible disclosure & reporting guidelines

  • You are bound by utmost confidentiality with Ola. You will not publicly or otherwise disclose any information regarding a bug or security incident without Ola’s prior approval.
  • Please understand that due to the high number of submissions, it might take some time to triage the submission or to fix the vulnerability reported by you. Therefore, give us a reasonable amount of time to respond to you.
  • Originality, quality, and content of the report will be considered while triaging the submission, please make sure that the report clearly explains the impact and exploitability of the issue with a detailed proof of concept.
  • Please make sure that any information like proof of concept videos, scripts etc., should not be uploaded on any 3rd party website and should be directly attached as a reply to the acknowledgement email that you receive from us.
  • You are obliged to share any extra information if asked for, refusal to do so will result in invalidation of the submission.
  • You will not access any data/internal resources of Ola as well as the data of our customers without prior approval from the Ola security team.
  • You must be respectful to our existing applications, and in any case you should not run test-cases which might disrupt our services.
  • Do not use scanners or automated tools to find vulnerabilities since they’re noisy. Doing so will invalidate your submission and you will be completely banned from the Program.
  • We also request you not to attempt attacks such as social engineering, phishing etc. These kinds of findings will not be considered as valid ones, and if caught, might result in suspension of your account and appropriate legal action as well.

Responsibility at our end

  • We will be fast and will try to get back to you as soon as possible.
  • We will keep you updated as we work to fix the bug you have submitted.
  • The Hall of Fame will be updated only once the vulnerability has been fixed.

Targets in scope

  • *.olacabs.com
  • *.olamoney.com
  • *.olakrutrim.com
  • *.olamaps.io
  • *.ola.foundation
  • *.olaelectric.in
  • *.olaelectric.com
  • *.mission-electric.in
  • *.ola.institute
  • Ola Cabs mobile app ( Android | iOS )
  • Ola Lite mobile app - Lighter version of Ola Cabs app ( Android )
  • Ola Money mobile app ( Android | iOS )
  • Ola Operator mobile app ( Android )
  • Ola Partner mobile app ( Android | iOS )
  • Ola Electric mobile app ( Android | iOS )
  • Ola Krutrim mobile app ( Android )

Out of Scope Targets

  • All the sandbox and staging environments are out scope.
  • All external services/software which are not managed or controlled by Ola are considered as out of scope / ineligible for recognition.
  • Newly acquired company websites/mobile apps are subject to a 12 month blackout period. Issues reported sooner in such websites/mobile apps won't qualify for any reward or recognition.

Eligibility

Prerequisites to qualify for reward or recognition:

  • Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any reward or recognition.
  • Must adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
  • This program is applicable only for individuals not for organizations.
  • Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.

In scope vulnerability examples

Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data or enable access to a restricted/sensitive system within our infrastructure.

Example of such bugs are:

  • Cross-Site Scripting (XSS)
  • Sql Injection
  • XML external entity (XXE) injection
  • Server Side Template Injection (SSTI)
  • Server Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (on sensitive actions)
  • Broken Authentication / Authorization
  • Broken Session flaws
  • Remote Code Execution (RCE)
  • Privilege Escalation
  • Business Logical flaws
  • Payment Related Issues
  • Misuse/Unauthorized use of our APIs
  • Open Redirects (which allow stealing secrets/tokens)

Out of scope vulnerabilities

Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn any recognition:

  • Clickjacking
  • Bugs requiring exceedingly unlikely user interaction (e.g Social engineering)
  • Spamming (e.g. SMS/Email Bombing)
  • Any kind of spoofing attacks or any attacks that leads to phishing (e.g. Email spoofing, Capturing login credentials with fake login page)
  • Denial-of-service attacks or vulnerabilities that leads to DOS/DDOS
  • Login - Logout cross-site request forgery
  • Self XSS
  • Presence of server/software banner or version information
  • Stack traces and Error messages which do not reveal any sensitive data
  • Third party API key disclosures without any impact or which are supposed to be open/public.
  • OPTIONS / TRACE HTTP methods enabled
  • Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
  • Missing Cookie Flags (e.g. HttpOnly, secure etc)
  • Host Header Injection
  • Broken Links (e.g. 404 Not Found page)
  • Known public files or directories disclosure (e.g. robots.txt, css/images etc)
  • Browser ‘autocomplete’ enabled
  • HTML / Text Injection
  • Forced Browsing to non-sensitive information (e.g. help pages)
  • Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
  • DNS issues (e.g. Missing CName, SPF records etc.)
  • End of Life Browsers / Old Browser versions (e.g. internet explorer 6)
  • Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)
  • Coupon Misuse
  • Brute force on forms (e.g. Contact us page)
  • Brute force on “Login with password” page
  • Account lockout not enforced
  • CSV injection
  • Any kind of vulnerabilities that requires installation of software like web browser add-ons, etc in victim's machine
  • Rate limit mechanism bypass
  • Kiosk mode / Screen pinning bypass
  • Any kind of vulnerabilities that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit the vulnerability
  • Bypassing root/jailbroken detection
  • SSL Pinning bypass
  • Tapjacking
  • Reporting usage of known-vulnerable software/known CVE’s without proving the exploitability on Ola’s infrastructure by providing a proper proof of concept
  • Bug which Ola is already aware of or those already classified as ineligible

Terms and Conditions

By participating, you agree to comply with Ola’s Terms and Conditions which are as follows:

  1. You shall abide by all the applicable laws of the land. Ola will not be responsible for any non-adherence to applicable laws on your part.
  2. You shall not engage in any confidentiality or privacy breaches or violations, destruction, removal or amendment of data (personal or otherwise), or interruption or degradation of our services during your participation in this Program. In case of any breach or violation, Ola reserves the right to ban you from the Program and/ or take legal action.
  3. Eligibility for reward or recognition is at the discretion of Ola.
  4. Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
  5. Threatening of any kind will automatically disqualify you from participating in the program.
  6. All the communications with Ola related to this program are to remain fully confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed. Failure to do so shall constitute a material breach of these T&Cs.
  7. Ola reserves the right to discontinue the responsible disclosure program at any time without notice.
  8. You may only investigate, or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data or access data that does not belong to you.
  9. Vulnerabilities which Ola determines as accepted risk will not be eligible for any kind of recognition.
  10. Any solutions, recommendation or suggestions, including any intellectual property contained therein, provided by you to Ola under this Program, shall immediately transfer to Ola without any limitations or exceptions, and once communicated to Ola you waive all rights, title, ownership and interest therein. If requested, you shall provide Ola with appropriate documentation to formalise any such transfer or assignment.

Changes to Program Terms

The Program, including its policies, is subject to change or cancellation by Ola at any time, without notice. As such, Ola may amend these Program T&Cs and/or its policies at any time by posting a revised version on our website. By continuing to participate in the bug bounty program after Ola posts any such changes, you implicitly agree to comply with the updated Program terms

Program Termination

In the event you breach any of these T&Cs or any other Program terms that Ola releases, Ola may immediately terminate your participation in the Program and/or take any further legal actions as necessary. In some cases all your previous contributions may also be invalidated.

Legal points

We shall not issue reward or recognition to any individual who does not follow the guidelines of our program and depending upon the action of an individual, we could take strict legal action. Ola does not commit to any compensation other than as outlined in these T&Cs or as communicated to you at the time of your submission. Ola shall not be liable to make any payments or rewards towards you in any other circumstances. Ola shall also not be liable in the event of delayed response to you for any submission.

Testing using Tools

Don't be evil. Practice safe checks. You must not use any automated tools/scripts as those can be disruptive or cause systems to misbehave, doing so will invalidate your submission and you will be completely banned from Ola bug bounty program.

Last updated on: 11th June 2024