Security Bug Bounty Program Information

The OLA Security Bug Bounty Program is designed to encourage security researchers to find security vulnerabilities in OLA software and to reward those who help us create a safe and secure product for our customers and partners.

If you believe you have found a security vulnerability in Ola software, we encourage you to let us know as soon as possible. We will investigate the submission and if found valid, take necessary corrective measures. We request you to review our responsible disclosure policy as mentioned below along with rewards and reporting guidelines, before you report a security issue.

To show our appreciation for our security researchers, we offer a monetary bounty or goodies (SmartWatches / Tablets / HeadPhones / Tees / Other cool stuff) for all valid security vulnerabilities based on the severity, impact and complexity of the vulnerability.

The information on this page is intended for security researchers interested in reporting security vulnerabilities to Ola security team. If you are an Ola customer and have concerns regarding non-information security related issues or seeking information about your OLA account / complaints, please reach out to customer support or write to [email protected].

Reporting security issues

Go to the Report a Vulnerability link to report security issues related to our applications.

Rewards

Category | Core OLA (*.olacabs.com & *.olamoney.com) | Other OLA domains & acquisitions
Injections (examples: SQL injection, Remote code execution, Command injection, XPath injection) | 50,000 to 3,00,000 INR | 25,000 to 2,00,000 INR
Server side issues (examples: SSRF, LFI / Path traversal, XXE, IDOR) | 10,000 to 75,000 INR | 10,000 to 40,000 INR
Client side issues (examples: XSS, CSRF) | 10,000 to 25,000 INR | 5,000 to 15,000 INR
Bypassing significant security controls (examples: Payment bypass, Account takeover) | 50,000 to 2,00,000 INR | 30,000 to 1,50,000 INR
[1] Other valid security vulnerabilities (examples: Information leakage, Clickjacking, Privilege escalation) | 10,000 to 1,00,000 INR or Goodies | 5,000 to 40,000 INR or Goodies

* All the currencies mentioned on this page are in Indian Rupees (INR).

[1] Other valid security vulnerabilities: For low/medium severity vulnerabilities that do not qualify for a cash reward, we may reward only with goodies (smartwatches/tablets/headphones/tees/other cool stuff) or Hall of Fame recognition, depending upon severity.

Bounties are awarded based on the severity, impact, complexity and the awesomeness of the vulnerability reported and it is at the discretion of Ola Security Bug Bounty panel.

Apart from monetary benefits, vulnerability reporters who work with us to resolve security bugs in our products will be honored on the Hall of Fame page.

Responsible disclosure & reporting guidelines

  • We request you not to do any public disclosure of a bug before it has been fixed.
  • Please understand that due to the high number of submissions, it might take some time to fix the vulnerability reported by you. Therefore, give us a reasonable amount of time to respond to you with the fix before you go public.
  • Share the security issue in detail. At times, we might ask for more information (if required).
  • Please do not access another user’s account or data without permission.
  • Please be respectful with our existing applications, and we request you not to run test cases which might disrupt our services.
  • Do not use scanners or automated tools to find vulnerabilities. They’re noisy and might result in suspension of your user account / IP address.
  • We also request you not to attempt attacks such as social engineering or phishing. These kinds of bugs will not be considered valid, and if caught, might result in suspension of your account.
  • Vulnerabilities made public before the fix are not eligible for bounty reward.

Responsibility at our end

  • We will be fast and will try to get back to you as soon as possible.
  • We will keep you updated as we work to fix the bug you have submitted.
  • Bounty reward will be paid only once the vulnerability has been fixed.

Targets ONLY in scope

  • *.olacabs.com
  • *.olamoney.com
  • Ola Cabs mobile app ( Android | iOS | Windows )
  • Ola Lite mobile app - Lighter version of Ola Cabs app ( Android )
  • Ola Money mobile app ( Android | iOS )
  • Ola Operator mobile app ( Android )
  • Ola Partner mobile app ( Android )

Out of Scope Targets

Note that the list of out-of-scope targets is not exhaustive. This is an indicative list. For more details refer to “Exclusions” section further down in this page.

Eligibility

Prerequisites to qualify for a bounty:

  • Be the first researcher to responsibly disclose the bug. Duplicate submissions are neither eligible for rewards nor Hall of Fame. Only one bounty will be rewarded for every distinct security vulnerability.
  • Adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
  • The Security Bug Bounty is applicable only to individuals.
  • Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.

In scope vulnerability examples

Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure.

Examples of such bugs are:

  • Cross-Site Scripting (XSS)
  • SQL Injection / XXE / RCE
  • Server Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication (including OAuth bugs)
  • Broken Session flaws
  • Remote Code Execution
  • Privilege Escalation
  • Provisioning Errors
  • Business logic flaws
  • Payment Related Issues
  • Misuse/Unauthorized use of our APIs

Out of scope vulnerabilities

Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn a monetary reward or goodies:

  • Bugs requiring exceedingly unlikely user interaction (Social engineering)
  • Spam or social engineering techniques (e.g. SMS bombing, Forgot password page, signup OTPs)
  • Any kind of Phishing/Spoofing attacks (e.g. Email spoofing, Capturing login credentials with fake login page)
  • Denial-of-service attacks
  • Login - Logout cross-site request forgery
  • Presence of banner or version information
  • Error messages (e.g. Application/Server/Database) and stack traces devoid of sensitive data
  • Clickjacking on pages without sensitive content, authentication, or state changing actions
  • OPTIONS / TRACE HTTP methods enabled
  • Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
  • Missing Cookie Flags (e.g. HttpOnly, secure etc)
  • Host Header Injection
  • Broken Links (e.g. 404 Not Found page)
  • Known public files or directories disclosure (e.g. robots.txt, css/images etc)
  • Browser ‘autocomplete’ enabled
  • HTML / Text Injection
  • Forced Browsing to non-sensitive information (e.g. help pages)
  • Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
  • DNS issues (e.g. Missing CName, SPF records etc.)
  • End of Life Browsers / Old Browser versions (e.g. internet explorer 6)
  • Weak CAPTCHA or CAPTCHA bypass using browser addons
  • Coupon Misuse
  • Brute force on forms (e.g. Contact us page)
  • Brute force on “Login with password” page
  • Account lockout not enforced
  • Any vulnerabilities limited to sandbox or staging environments which cannot be reproduced on the production environment
  • CSV injection
  • Any kind of vulnerability that requires installation of web browser add-ons on the victim's machine
  • Rate limit bypass by using multiple / duplicate accounts
  • Vulnerabilities which Ola determines as accepted risk will not be eligible for cash reward or goodies or listing on the Hall of Fame
  • Bug which Ola is already aware of or those already classified as ineligible

Exclusions

  • Vulnerabilities in external services/software which are not managed or controlled by OLA are considered out of scope / ineligible for bounty.
  • We need time to perform internal reviews on acquired companies' web assets. Newly acquired company websites/mobile apps are subject to a 12 month blackout period. Issues reported sooner in such websites/mobile apps won't qualify for bounty/goodies.

Terms and Conditions

By participating, you agree to comply with Ola’s Terms and Conditions which are as follows:

  1. Abide by all the applicable laws of the land. Ola would not be responsible for any non-adherence to the laws of the land on your part.
  2. You should make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. In case of any breach, Ola reserves the right to take legal action.
  3. Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Ola.
  4. Ola reserves the right to discontinue the Bug Bounty Program at any time without notice.
  5. You may only exploit, investigate, or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data or access data that does not belong to you.
  6. All payments will be made in Indian Currency (INR).

Changes to Program Terms

The Security Bug Bounty Program, including its policies, is subject to change or cancellation by Ola at any time, without notice. As such, Ola may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Security Bug Bounty Program after Ola posts any such changes, you implicitly agree to comply with the updated Program Terms.

Program Termination

In the event you breach any of these Program Terms or the terms and conditions of Ola Security Bug Bounty program, Ola may immediately terminate your participation in the Security Bug Bounty Program and disqualify you from receiving any bounty payments.

Legal points

We shall not issue rewards to individuals who do not follow the guidelines of our Vulnerability Program and depending upon the action of an individual, we could take strict legal action.

Testing using Tools

Don't be evil. Practice safe checks. Please don’t use automated scanners/scripts as those tools can be disruptive or cause sites to misbehave leading to suspension of your account.

  • Please send us a mail on [email protected] for any other security issue (which is not a Vulnerability).

Hall Of Fame

Ola would like to thank the following people who have found security vulnerabilities in Ola products or services and have made a responsible disclosure to us.

Each name listed represents an individual who has responsibly disclosed one or more security vulnerabilities.

  • Abbas Sivaj Sait .G.K
  • Abhay Kailasia
  • Abhilash Murarishetty
  • Abhishek Anand
  • Abhishek Jain
  • Abhishek Shroti
  • Afzal Sayed @afzalsayed96
  • Akshay Jain
  • Anand Prakash
  • Anand Sarvottam Moorthy
  • Archita Aparichita
  • Asish Das & Sazzad Hussain
  • Asish Kumar Agarwalla
  • Avinash Jain @logicbomb_1
  • Chandrapal @bnchandrapal
  • Deepak Das
  • Deepankar Arora
  • Dilip Prakash
  • Garv Maggu
  • Gaurang Bhatnagar
  • Harsha Vardhan
  • Himanshu Kumar
  • Jaikishan Tulswani
  • Manas (Leet Crawler)
  • Manikandan Rajakumar
  • Manish Kumar
  • Meghana Nayak
  • Mohit Rawat
  • Nikhit Kumar
  • Nikith Naresh DARAPANENI
  • Nishant Sharma
  • Nitesh kuhar
  • Pavan
  • Pavan Kumar Vutukuri
  • Prajal Kulkarni
  • Prayank Gahlot
  • Prithvinder Singh
  • Sachin Singh
  • Sai Shyam G
  • Sandeep Singh
  • Saurabh Agarwal
  • Shai Rod (@NightRang3r)
  • Sharath Unni
  • Sharz
  • Shashwat Kumar
  • Shubham Pathak
  • Sujit Devkar
  • Sumit Sahoo
  • Tarakram Reddy
  • Vinoth Kumar
  • Vishwaraj Bhattarai
  • Zerocoolz1