Description

We provide a platform for:

  • Businesses to sell products (like food, clothing and even electronics).
  • Customers to purchase such products and get them delivered by Wolt couriers.
  • Wolt couriers to receive and manage delivery requests.

We have more than 30 million registered users and we operate in 20+ countries. Read more about us: https://wolt.com/en/about.

Bounties

Bounty per severity and asset tier:

Severity      Score        Tier 1    Tier 2
Low           0.1 - 3.9    €150      €100
Medium        4.0 - 6.9    €750      €500
High          7.0 - 8.9    €1,500    €1,000
Critical      9.0 - 9.4    €3,000    €2,000
Exceptional   9.5 - 10.0   €3,500    €2,500

Tier 1: €150 - €3,500
Tier 2: €100 - €2,500
Rules of engagement

Required:

  • User-Agent: Intigriti/{username}
  • Request rate: max. 3 requests/sec
  • Header: X-Intigriti-Username: {username}

Accounts you don't own

⛔ Please don't use or interact with accounts or data you don't own, including but not limited to restaurants/venues and merchant data.
⛔ Please use only your own accounts and data for testing purposes.

Test entities

  • If you need to test any sort of access to user data, please do it only against this specific consumer test account, whose user_id is 670fa3e9ead6e49d65cc3614.
  • If you need to test any sort of access to restaurant or venue data, please do it only against this specific venue test account, whose venue_id is 670e7897e3c56dcc5b5a0989.
  • If you need to test any sort of venue-related functionality, please do it only against this test venue (real purchase is not available): https://wolt.com/en/fin/helsinki/venue/test-670e7897e3c56dcc5b5a0989-sh0p

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and other platforms)

Validation times

We aim to validate all submissions within the timelines below, once your submission has been verified by Intigriti.

Vulnerability severity   Time to validate
Exceptional              3 working days
Critical                 3 working days
High                     5 working days
Medium                   15 working days
Low                      15 working days

Check our fix

We offer a bonus of up to €50 to verify a resolved issue for us (when requested). This remains at the discretion of Wolt to award.


Domains

Keywords: OAuth2, OIDC, JWT

  • Used by: Regular wolt.com users, Wolt employees, other services (service-to-service communication).
  • Handles the vast majority of our authN/authZ. In other words, JWTs signed by this service can grant you access to other services/APIs.
  • Your JWT as a regular wolt.com user comes from this service.

Keywords: admin

  • Used by: Wolt employees, corporate customers.
  • Admin portal for Wolt's corporate customers.
  • Your JWT as a regular wolt.com user should grant you limited access.

Type: URL
Keywords: admin

  • Used by: Wolt employees, delivery partners.
  • Admin portal for Wolt's last-mile delivery partners.
  • Your JWT as a regular wolt.com user should grant you limited access.

Keywords: admin

  • Used by: Wolt employees, store managers.
  • Portal for store managers to update menus.
  • Your JWT as a regular wolt.com user should grant you limited access.

Type: URL
Keywords: admin

  • Used by: Wolt employees.
  • This service's endpoints are only accessible by Wolt employees (if you can show otherwise, that'll be very interesting). However, your tainted data (e.g., purchase info, profile info) may be processed by this service.

  • Used by: Regular wolt.com users, Wolt employees, corporate customers, delivery partners, store managers.
  • Notable use-cases: Creating and editing users, placing orders, tracking orders, setting prices.
  • Your JWT as a regular wolt.com user should grant you access to most functionality for your user type.

Tier 1
Type: URL

  • Used by: Everybody.
  • Our main web page.
  • Notable use-cases: Offering an in-browser JavaScript app to interact with other APIs and services. Offering HTTP endpoints to interact with this service's own APIs.

*.wolt.com
Tier 2
Type: Wildcard

  • Anything else under the .wolt.com domain is fair game. EXCEPTIONS:
    • press.wolt.com. This is a third-party SaaS and we aren't authorized to test it.
    • blog.wolt.com. This is a third-party SaaS (wpengine.com). wpengine.com owns the infrastructure, but we maintain the WordPress installation. Only WordPress-level probes are allowed.
  • Depending on the affected service and finding type, we might bump this to Tier 1 bounties.

Type: iOS
Keywords: iOS

  • Used by: Wolt couriers.
  • Notable use-cases: Receiving delivery requests, tracking orders, completing deliveries, modifying your profile info.
  • For the time being we don't provide accounts of the courier type.
  • It would be very interesting if you can interact with the courier APIs without actually having a courier account.

Type: iOS
Keywords: iOS

  • Used by: Wolt customers.
  • Notable use-cases: Regular wolt.com account creation, placing orders, tracking your orders, modifying your profile info.

Type: Android
Keywords: Android

  • Used by: Wolt customers.
  • Notable use-cases: Regular wolt.com account creation, placing orders, tracking your orders, modifying your profile info.

Type: Android
Keywords: Android

  • Used by: Wolt couriers.
  • Notable use-cases: Receiving delivery requests, tracking orders, completing deliveries, modifying your profile info.
  • For the time being we don't provide accounts of the courier type.
  • It would be very interesting if you can interact with the courier APIs without actually having a courier account.
Out of scope
Type: URL
Keywords: Third-party SaaS, WordPress

  • Used by: Wolt employees.
  • WordPress blog hosted by wpengine.com.
  • wpengine.com owns the infrastructure, but we maintain the WordPress installation.
  • Note: Only WordPress-level probes are allowed.

Out of scope
Type: URL

Low severity issues affecting gettest.wolt.com

Out of scope
Type: URL

Out of scope
Type: URL

This is a third-party SaaS and we aren't authorized to test it.

Type: URL
In scope

Our worst-case scenarios are:

  • Mass disclosure of customer, courier, or merchant data.
Out of scope

General

  • Testing the payment processors is out of scope
  • Spam, social engineering and physical intrusion
  • Network DoS/DDoS attacks
  • Brute force attacks
  • Attacks requiring access to a victim's computer/device
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Mass creation of entities, including accounts, profiles and applications

Application

  • API key disclosure without proven business impact
  • Signup with unverified mobile numbers (if you took over an existing number, then that's a finding!)
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration without proven impact
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery without proven impact
  • Autocomplete on web forms
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • Banner grabbing/Version disclosure
  • Subdomain takeover without proof
  • Arbitrary file upload without proof
  • Host header injection without proven business impact

Mobile

  • Shared links leaked through the system clipboard
  • Attacks requiring malicious apps to be installed beforehand
  • Sensitive data in URLs/request bodies when protected by TLS
  • Lack of obfuscation
  • Path disclosure in the binary
  • Lack of jailbreak & root detection
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls, mobile SSL pinning
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken environment)
Severity assessment

This program follows Intigriti's triage standards.

FAQ

Where can we get credentials?

We have several user types:

  • Customer account
    • You can self-register using https://wolt.com, the iOS app, or the Android app.
    • Please use user+1@intigriti.me aliases to register as many accounts as you need (how-to).
    • SMS verification is not mandatory, but your account will be limited (e.g., can't purchase items).
  • Courier account
    • Not available at the moment. We will send an update when test accounts become available.
  • Merchants or business account
    • Not available at the moment. We will send an update when test accounts become available.

Overall stats

  • Submissions received: 359
  • Average payout: N/A
  • Accepted submissions: N/A
  • Total payouts: €31,578

Last 90 day response times

  • Avg. time to first response: < 2 days
  • Avg. time to decide: < 3 weeks
  • Avg. time to triage: < 3 days
Activity

  • 4/16: Wolt closed a submission
  • 4/15: Wolt closed a submission
  • 4/14: Wolt accepted a submission
  • 4/14: juniorbrets created a submission
  • 4/14: dynnyd20 created a submission
  • 4/14: Wolt closed a submission
  • 4/14: Wolt accepted a submission
  • 4/14: Wolt closed a submission
  • 4/13: the14st created a submission
  • 4/13: magma69 created a submission