About Lime

Welcome to Lime’s bug bounty program! Lime is an urban transportation leader that offers mobility services, including scooters and bikes. Our mission is to develop the most advanced micro mobility solution that empowers humans to take one step towards becoming carbon neutral. Lime has three customer profiles that we cater:

1. Riders, this customer is using Lime products to commute from point A to point B.
2. Operators, this customer makes sure our fleet of vehicles is always functioning to serve the riders. There are three major categories of operators at Lime:
   • Operators: These people are Lime employees who perform in-warehouse tasks to repair and maintain the fleet
   • Logistics Partner: This a contracting agency that Lime uses to partner with during peak season for fluctuating operational demands
   • Juicers: These are independent contractors that perform out-of-warehouse tasks to get paid through the juicer app
3. Cities, this customer provides Lime the opportunity to serve the customers of that city. The city provides a region to Lime where they can operate in also provides certain requirements like No-operation zones(NOZ) [you might have noticed the speed of scooters and bike drop in certain areas], No-parking zones you might have seen dedicated parking spots in some cities], Safety requirements etc. They require Lime to submit heatmaps to help them in city planning along with other Government relations requirements.

We're looking for passionate and driven researchers who are excited to join us in our pursuit of revolutionizing the way humans try to save the planet. With access to state-of-the-art technology and a highly collaborative team, you'll have the opportunity to explore groundbreaking ideas and make a real impact in this exciting and rapidly evolving field of micromobility.

Lime values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process. We will coordinate and communicate with researchers through the bug bounty process.

Good luck, and happy hunting!

Eligibility

Note, that Lime's bug bounty program is in part facilitated through a third party (BugCrowd) that performs additional services and eligibility checks on our behalf. For example, Lime may not issue payments if one or more of the following is applicable:

1. You are a resident of a country under U.S. sanctions or live in a country that prohibits this type of program.
2. You are currently (or were in the last 6 months) an employee of Lime, a Lime subsidiary, or a third-party contractor with access to Lime’s internal systems and networks.

How does the program work?

1. Security researchers and Lime customers are encouraged to submit reports regarding the security measures used to protect Lime products and services.
2. When conducting security research, you are required to follow Responsible Disclosure Guidelines & Lime’s Rules of Engagement (referred to as “Terms”), which are provided below.
3. If a vulnerability is found, please document your findings thoroughly before sending them to us. This may include screenshots or videos or POC code of your findings.
4. Members of Lime’s team may contact you to confirm that we have received your submission, ask questions about your findings, and discuss how to reproduce them.
5. Lime may direct you to stop your activities in the event that your research impacts Lime-owned assets, Lime vendors, or other customers. If directed to stop, you must immediately comply with the request.
6. Lime’s security team will then work with impacted business units to validate the findings.
7. If Lime can validate your findings and we determine that it is eligible for a reward under this program’s Terms, a bounty reward will be issued.
8. You are responsible for the payment of all applicable taxes.

What happens after you submit?

Please submit a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to maliciously exploit a security issue, or access other user’s data.

Note: Abusing vulnerabilities in other websites in order to test Lime is prohibited. Provided that you’ve made a good faith effort to abide by our terms, we will not take legal action against you or ask law enforcement to investigate you.

Upon receipt of your report, Bugcrowd will triage the vulnerability and communicate timelines for triaging, and answer questions during the investigative period. A detailed description of the vulnerability and reproduction steps are required for each report. If you do not provide this information within 7 business days from the submission of the report, we will close the report as Not Applicable.

Note: Timelines, as shown below, are based upon receipt of a fully detailed vulnerability with reproduction steps provided with the submitted report.

1. Initial Communication: Upon receipt of a new report [Bugcrowd]
2. Initial Triage Review: 2 business days from receipt of a new report [Bugcrowd]
3. Tier 2 Triage Review: From Tier 1 review [Lime]
   • Critical (P1) - 1 day
   • High (P2) - 1 week
   • Medium (P3) - 2 week
   • Low (P4) - 4 weeks
4. Bounty Payout: 5 business days from Tier 2 Triage Review and accepting the bug will be resolved
5. Response to Researcher Questions: 2 business days from blocker created for customers

This program is dedicated to perceived online security issues that may affect many people on Lime. If you're having issues related to your individual account, please visit our Help Center

Ratings and Rewards

For the initial prioritization and rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy.

Internally Lime will use a CVSS 3.0 score to determine the severity of the vulnerability, the overall risk is determined by the Severity of the vulnerability, ease of exploitation, and business impact on Lime. The severity/Vulnerability rating only determines the “Severity of the vulnerability”. The overall risk rating can be different from the severity rating of the vulnerability. If the risk rating is reduced after Bugcrowd triage, the Lime security team will provide a detailed explanation as to why they made the change.

TERMS

This term is effective as of Sept 18, 2023 All reports submitted prior to this date will adhere to the previous policy.

Responsible Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, so long as you comply with the Terms.

1. Do not access or modify data that does not belong to you. If you are able to gain access to or modify data that belongs to Lime, other customers, or Lime vendors during the course of your research, you must take the following actions:
   • Immediately stop your activities,
   • Disclose your findings to Lime as soon as possible (but no later than 24 hours after discovery). Your findings should include details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC),
   • Wait for further instructions from the Lime team.
2. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
3. Give Lime a reasonable time to correct the issue before making any information public. In certain circumstances, Lime may request that you not disclose your findings or to delay disclosure until we can ensure that the matter has been adequately addressed. You may not disclose confirmed, unresolved vulnerabilities without approval from Lime.

Rules of Engagement

1. Research must be done using your own Lime account on products that you own. You should not intentionally modify online accounts, data or products owned by other Lime customers (without explicit permission). If during the course of your research, you find a vulnerability that would allow you to bypass an authentication control for another person’s account, you should report the vulnerability to Lime immediately and take no further action.

2. If you are able to access or modify the personal data of other customers or other sensitive data that does not belong to you, immediately contact Lime. Do not attempt to conduct post-exploitation work with this data.

3. Where you are able to access data that does not belong to you, you will be asked to delete it. You must comply with this request, demonstrate the steps you took to ensure it was deleted and confirm deletion to Lime in order to be eligible for a reward.

4. Do not attempt to use brute force or denial of service attacks on Lime-owned systems without prior written approval.

Credentials

• You can self-register for the lime rider/juicer apps which are found on the
  • App Store
  • Google Play

Focus Area

1. Lime's public-facing applications
2. Vulnerabilities in other applications owned by Lime
3. Vulnerabilities we don’t already know about
4. The quality of a submission that makes Lime’s security engineers' job easier will result in a higher bounty in the category.
   • Visual POC with code and video of screen share to reproduce
   • Detailed attacker following MITRE attack framework
5. Focus on impact. Minor misconfiguration alone does not qualify for rewards.
6. For 0-day issues, we aim at patching within 30 days. Reports within 30 days of vulnerability release may not be rewarded.
7. For vulnerability of a vendor (for example, Zendesk, Hubspot), please report to the vendor directly to avoid double reporting.