bug-bounty-program-blablacar
11
In Scope
4
Out of Scope
In-Scope Assets (11)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| https://api.blablalines.com | URL | Yes | ||
| https://apps.apple.com/fr/app/blablalines-covoiturage/id1225543288 | IOS | Yes | - | |
| https://auth.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|com.br|pt|ro|ru|com|tr|com.ua) | URL | Yes | - | |
| https://blablacardaily.com | URL | Yes | ||
| https://daily.blablacar.fr | URL | Yes | ||
| https://edge.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|com.br|pt|ro|ru|com|tr|com.ua)) | URL | Yes | - | |
| https://itunes.apple.com/fr/app/blablacar-trusted-carpooling/id341329033?l=en&mt=8 | IOS | Yes | - | |
| https://m.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|com.br|pt|ro|ru|com|tr|com.ua) | URL | Yes | - | |
| https://play.google.com/store/apps/details?id=com.blablalines | ANDROID | Yes | ||
| https://play.google.com/store/apps/details?id=com.comuto&hl=en | ANDROID | Yes | ||
| https://www.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|com.br|pt|ro|ru|com|tr|com.ua) | URL | Yes | - |
Out-of-Scope Assets (4)
| Asset | Category | Bounty | |
|---|---|---|---|
| Any website that is not listed explicitly in the scope. | OTHER | Yes | |
| Finally, fraud related reports are out-of-scope if they do not exploit a security vulnerability. Therefore, fraud activity enabled by bug or incomplete business rules enforcement are out-of-scope. However, a fraud activity enabled by a CSRF exploit for example is valid. | OTHER | Yes | |
| However, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code, we will reward you with a bounty. | OTHER | Yes | |
| Please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope. | OTHER | Yes |
Scope Changes (15)
Apr 16, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | https://edge.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|com.br|pt|ro|ru|com|tr|com.ua)) | URL | In Scope | 18:33 |
| Added | https://auth.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|com.br|pt|ro|ru|com|tr|com.ua) | URL | In Scope | 18:33 |
| Added | https://www.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|com.br|pt|ro|ru|com|tr|com.ua) | URL | In Scope | 18:33 |
| Added | https://m.blablacar.(fr|de|co.uk|in|es|mx|be|hr|hu|it|nl|pl|com.br|pt|ro|ru|com|tr|com.ua) | URL | In Scope | 18:33 |
| Added | https://play.google.com/store/apps/details?id=com.comuto&hl=en | ANDROID | In Scope | 18:33 |
| Added | https://itunes.apple.com/fr/app/blablacar-trusted-carpooling/id341329033?l=en&mt=8 | IOS | In Scope | 18:33 |
| Added | https://api.blablalines.com | URL | In Scope | 18:33 |
| Added | https://daily.blablacar.fr | URL | In Scope | 18:33 |
| Added | https://blablacardaily.com | URL | In Scope | 18:33 |
| Added | https://play.google.com/store/apps/details?id=com.blablalines | ANDROID | In Scope | 18:33 |
| Added | https://apps.apple.com/fr/app/blablalines-covoiturage/id1225543288 | IOS | In Scope | 18:33 |
| Added | please note that https://dev.blablacar.com is hosted by a third party and thus is out of scope | OTHER | Out of Scope | 18:33 |
| Added | any website that is not listed explicitly in the scope | OTHER | Out of Scope | 18:33 |
| Added | however, though listed in the out-of-scope list, if you really feel that a bug will leave an impact on our platform, please come up with a convincing and working poc. if that convinces us to change our code, we will reward you with a bounty | OTHER | Out of Scope | 18:33 |
| Added | finally, fraud related reports are out-of-scope if they do not exploit a security vulnerability. therefore, fraud activity enabled by bug or incomplete business rules enforcement are out-of-scope. however, a fraud activity enabled by a csrf exploit for example is valid | OTHER | Out of Scope | 18:33 |