bug-bounty-program-blablacar

YesWeHackView on YesWeHack

11

In Scope

4

Out of Scope

In-Scope Assets (11)

Asset	Category	Quick Links
https://api.blablalines.com	URL	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://apps.apple.com/fr/app/blablalines-covoiturage/id1225543288	IOS	-
https://auth.blablacar.(fr\|de\|co.uk\|in\|es\|mx\|be\|hr\|hu\|it\|nl\|pl\|com.br\|pt\|ro\|ru\|com\|tr\|com.ua)	URL	-
https://blablacardaily.com	URL	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://daily.blablacar.fr	URL	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal
https://edge.blablacar.(fr\|de\|co.uk\|in\|es\|mx\|be\|hr\|hu\|it\|nl\|pl\|com.br\|pt\|ro\|ru\|com\|tr\|com.ua))	URL	-
https://itunes.apple.com/fr/app/blablacar-trusted-carpooling/id341329033?l=en&mt=8	IOS	-
https://m.blablacar.(fr\|de\|co.uk\|in\|es\|mx\|be\|hr\|hu\|it\|nl\|pl\|com.br\|pt\|ro\|ru\|com\|tr\|com.ua)	URL	-
https://play.google.com/store/apps/details?id=com.blablalines	ANDROID	Play Store
https://play.google.com/store/apps/details?id=com.comuto&hl=en	ANDROID	Play Store
https://www.blablacar.(fr\|de\|co.uk\|in\|es\|mx\|be\|hr\|hu\|it\|nl\|pl\|com.br\|pt\|ro\|ru\|com\|tr\|com.ua)	URL	-

Out-of-Scope Assets (4)

Asset	Category
Any website that is not listed explicitly in the scope.	OTHER
Finally, fraud related reports are out-of-scope if they do not exploit a security vulnerability. Therefore, fraud activity enabled by bug or incomplete business rules enforcement are out-of-scope. However, a fraud activity enabled by a CSRF exploit for example is valid.	OTHER
However, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code, we will reward you with a bounty.	OTHER
Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope.	OTHER