About Lime
Lime is an urban transportation leader that offers mobility services, including scooters and bikes.
Ratings and Rewards
For the initial prioritization and rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy.
However, in some cases, a vulnerability priority can be modified based on impact or risk. When an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.
Credentials
You can self-register for the Lime rider/juicer apps, which are available on:
- App Store
- Google Play
Other Philosophies
- Focus on impact. A minor misconfiguration alone does not qualify for a reward.
- For 0day issues, we aim to patch within 30 days. Reports submitted within 30 days of the vulnerability's public release may not be rewarded.
- For a vulnerability in a vendor product (for example, Zendesk, Hubspot), please report to the vendor directly to avoid double reporting.
Target Information
Major targets include:
- Rider Apps (available on iOS / Android)
- Backend APIs that support the application.
- Web applications that support operations: 'li[.]me', '*[.]limeinternal[.]com'
Through the app, users can access both:
- rider functionality: using the scooters and other modes of transit
- juicer functionality: charging devices for Lime
Do not engage in any behavior that is disruptive, accesses users' private information, endangers users/the public, or is in any way harmful. If you believe you have found a vulnerability that can cause any of these sorts of issues, please stop testing and report your findings.
Certain exclusions apply. Please refer to the Out of Scope section below.
Out of Scope
If you have a concern about whether a potential submission is in scope, please first validate that the asset is demonstrably owned by Lime, and carefully read the "Out of Scope" and "Targets" sections. If it is still unclear but you believe it should still be considered, please submit via the program ONLY (instead of alternate channels like email), and include a few sentences describing your judgment regarding scope. Submissions that demonstrate thoughtful consideration of scope but that we ultimately do not act on will receive a "Not Applicable" status, rather than "Out of Scope" with negative points. Some may be paid out if deemed valuable.
- Zero-day vulnerabilities that are less than 30 days old.
- Cookie flags on webview.lime.bike
- "Secret" keys exposed in iOS/Android builds that we do not consider secret.
- Email anti-spoofing configurations (anything related, including but not limited to SPF, DKIM, DMARC).
- *.airflow.limeinternal.com (legacy domain)
- *.limebike.com (unless user data is affected)
- help.li.me (report to Zendesk)
- community.li.me (report to Bevy)
- TLS/SSL protocol vulnerabilities.
- Clickjacking.
- Logout CSRF.
- Rate limit problems that do not lead to unauthorized access to accounts.
- Attacks that require unauthorized access to users' clients (phones, browsers, etc.)
- Low-impact open redirects (no immediate credential leak)
- Android debugging enabled
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If you are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.