Details

#About Via At Via, we are building the transportation systems of tomorrow, right now. Via's technology is deployed worldwide through dozens of partner projects with public transportation agencies, private transit operators, taxi fleets, private companies, and universities, seamlessly integrating with public transit infrastructure to power cutting-edge on-demand mobility.

Via looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Via will make the best effort to meet the following response targets for hackers participating in our program:

Time to first response (from report submission) - 5 business days
Time to triage (from report submission) - 10 business days
Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering of any kind (e.g. phishing, vishing, smishing) is absolutely prohibited.
Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder. Under no circumstances should you access any personally identifiable information ("PII") of a Via rider, Via driver, or anyone associated with Via.

Rewards

Please see the structured bounty table. Our bounty table provides general guidelines and the amounts are indicative of ranges, thus, all final decisions are at the discretion of Via.

Program’s Scope Highlights

##** New Additions! (November 2024) ** We are pleased to announce the expansion of our bug bounty program to include 2 new Rider applications, covering both web and mobile platforms!

Metro Connect (New Addition):

Google Play: https://play.google.com/store/apps/details?id=ridewithvia.neoridelittlerock Apple Store: https://apps.apple.com/us/app/metro-connect-rock-region/id6449737830 Web URL: https://metroconnect.app.ridewithvia.com/

Pierce Transit - Runner (New Addition):

Google Play: https://play.google.com/store/apps/details?id=ridewithvia.par.piercetransit Apple Store: https://apps.apple.com/us/app/pierce-transit-runner/id6464473474 Web URL: https://pt-runner.app.ridewithvia.com/

Remix

platform.remix.com eu.remix.com

Citymapper

Google Play: https://play.google.com/store/apps/details?id=com.citymapper.app.release App Store: https://apps.apple.com/us/app/citymapper/id469463298 API Domain: *global-api.citymapper.com

Out-of-scope

*.remix.com *.citymapper.com citymapper.com/* https://ridewithvia.com - commercial site

Stay tuned for future updates and further expansions!

#Known Issues Please note that the Via Security Team actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.

#Out-of-scope vulnerabilities When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Cache Poisoning
OTP Bypass (e.g: Response manipulation, Account registration and profile updates)
Exposed Google API and Mparticle keys.
Exposed API keys that pose no risk of accessing any sensitive information.
Task Hijacking
Clickjacking on pages with no sensitive actions.
Weak password policy.
UUID / ID enumeration of any kind.
Logout/login CSRF.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Open ports without an accompanying proof-of-concept demonstrating vulnerability.
Subdomain Takeovers / Dangling DNS on non-wildcard domains are classified as Low; only Wildcard domain takeovers with proven impact may qualify for Medium or High severity.
Invalid or missing SPF/DKIM/DMARC
Issues regarding missing rate limiting or bypasses for non-sensitive endpoints.
SMS/Email bombing, flooding, or simply triggering messages to a phone number/email address without demonstrating a significant security vulnerability.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Missing HTTP header/ Missing cookie flag which does not lead to a direct vulnerability
Software version disclosure
Self-XSS
SSL/TLS scan reports
Reports consisting of automated scanner output (e.g., Nessus, Burp) without a manual Proof of Concept.
Path or hostname disclosure in error messages
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
User / Data Enumeration issues with low-risk and insignificant information being enumerated
Social engineering of any kind (e.g. phishing, vishing, smishing, spear phishing).

#Never in scope

Third-party services used by Via app
Third-party implementations integrating the Via SDK
DoS

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Via and our users safe!

Response Targets

Via will make the best effort to meet the following response targets for hackers participating in our program:

Time to first response (from report submission) - 5 business days

Time to triage (from report submission) - 10 business days

Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering of any kind (e.g. phishing, vishing, smishing) is absolutely prohibited.

Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder. Under no circumstances should you access any personally identifiable information ("PII") of a Via rider, Via driver, or anyone associated with Via.

Out-of-scope

*.remix.com *.citymapper.com citymapper.com/* https://ridewithvia.com - commercial site

Stay tuned for future updates and further expansions!

#Out-of-scope vulnerabilities When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Cache Poisoning

OTP Bypass (e.g: Response manipulation, Account registration and profile updates)

Exposed Google API and Mparticle keys.

Exposed API keys that pose no risk of accessing any sensitive information.

Task Hijacking

Clickjacking on pages with no sensitive actions.

Weak password policy.

UUID / ID enumeration of any kind.

Logout/login CSRF.

Attacks requiring MITM or physical access to a user's device.

Previously known vulnerable libraries without a working Proof of Concept.

Comma Separated Values (CSV) injection without demonstrating a vulnerability.

Open ports without an accompanying proof-of-concept demonstrating vulnerability.

Subdomain Takeovers / Dangling DNS on non-wildcard domains are classified as Low; only Wildcard domain takeovers with proven impact may qualify for Medium or High severity.

Invalid or missing SPF/DKIM/DMARC

Issues regarding missing rate limiting or bypasses for non-sensitive endpoints.

SMS/Email bombing, flooding, or simply triggering messages to a phone number/email address without demonstrating a significant security vulnerability.

Any activity that could lead to the disruption of our service (DoS).

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Missing HTTP header/ Missing cookie flag which does not lead to a direct vulnerability

Software version disclosure

Self-XSS

SSL/TLS scan reports

Reports consisting of automated scanner output (e.g., Nessus, Burp) without a manual Proof of Concept.

Path or hostname disclosure in error messages

Tabnabbing

Open redirect - unless an additional security impact can be demonstrated

User / Data Enumeration issues with low-risk and insignificant information being enumerated

Social engineering of any kind (e.g. phishing, vishing, smishing, spear phishing).

#Never in scope

Third-party services used by Via app

Third-party implementations integrating the Via SDK

DoS  

Safe Harbor

Thank you for helping keep Via and our users safe!