Accounts you don't own

⛔ Please don't use or interact with accounts or data you don't own, including but not limited to restaurants/venues and merchant data.
⛔ Please use only your own accounts and data for testing purposes.

Test entities

• If you need to test any sort of access to user data, please do it only against this specific consumer test account, whose user_id is 670fa3e9ead6e49d65cc3614.
• If you need to test any sort of access to restaurant or venue data, please do it only against this specific venue test account, whose venue_id is 670e7897e3c56dcc5b5a0989.
• If you need to test any sort of venue-related functionality, please do it only against this test venue (real purchase is not available): https://wolt.com/en/fin/helsinki/venue/test-670e7897e3c56dcc5b5a0989-sh0p

By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Do not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and other platforms)

Validation times

We aim validate all submissions within the below timelines, once your submission has been verified by Intigriti.

Check our fix

We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of Wolt to award.

Our worst-case scenarios are

• Mass disclosure of customer, courier, or merchant data.

General

• Multiple leaked human identity credentials originating from third-party datasets (leaked credential lists, databases, monitoring services and credential marketplaces)
• Testing the payment processors is out of scope
• Spam, social engineering and physical intrusion
• Network DoS/DDoS attacks
• Web Cache Poisoned Denial of Service
• Brute force attacks
• Attacks requiring access to a victim's computer/device
• Reports that state that software is out of date/vulnerable without a proof-of-concept
• Mass creating of entities, including accounts, profiles and applications

Application

• API key disclosure without proven business impact
• Signup with unverified mobile numbers (if you took over an existing number, then that's a finding!)
• Verbose messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration without proven impact
• Missing cookie flags
• Missing security headers
• Cross-site Request Forgery without proven impact
• Autocomplete on web forms
• Bypassing rate-limits or the non-existence of rate-limits
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Content injection without being able to modify the HTML
• Username/email enumeration
• Email bombing
• HTTP Request smuggling without any proven impact
• Homograph attacks
• Banner grabbing/Version disclosure
• Subdomain takeover without proof
• Arbitrary file upload without proof
• Host header injection without proven business impact

Mobile

• Shared links leaked through the system clipboard
• Attacks requiring malicious apps to be installed beforehand
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation
• Path disclosure in the binary
• Lack of jailbreak & root detection
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls, mobile SSL pinning
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)

This program follows Intigriti's triage standards based on the proof of concept.

Where can we get credentials?

We have several user types:

• Customer account
  • You can self-register using https://wolt.com, the iOS app, or the Androd app.
  • Please use user+1@intigriti.me aliases to register as many accounts as you need (how-to).
  • SMS verification is not mandatory, but your account will be limited (e.g., can't purchase items).
• Courier account
  • Not available at the moment. We will send an update when test accounts become available.
• Merchants or business account
  • Not available at the moment. We will send an update when test accounts become available.