Lyft Security

Lyft drivers and passengers entrust us with their personal information and travel details in order to get them where they're going. We work hard to keep Lyft safe, and keep our users’ data secure and private.

Driver & passenger safety issues

Our Trust & Safety team is available around the clock to take care of our community. If you are involved in an incident that you believe threatens your personal safety, call the authorities by dialing 911 or your local non-emergency assistance line. Then call our Critical Response Line through our call tool.

Driver & passenger fraud reporting

If you want to report fraudulent activity on your lyft account, please reach out to our Support team.

Reporting security vulnerabilities

If you believe you've discovered a security bug or vulnerability in the Lyft service, please report it to us using the Lyft Hackerone page via the "Contact Security Team" link. We will investigate your report and respond to you as soon as possible. Please do not disclose your findings until we have had the opportunity to review and address them with you. We appreciate your help in keeping Lyft secure for our community. Alternatively you can send an email to bugbounty@lyft.com. Participation in our bug bounty program requires complying with the full bug bounty policy below.

Bug bounty policy

Program Eligibility

In order to participate in Lyft’s Bug Bounty Program:

• You must be 18 years of age or older.
• You must not be employed by Lyft or any of its affiliates or an immediate family member of a person employed by Lyft or any of its affiliates.
• You must not be a resident of, or report a security bug or vulnerability from, a country against which the United States has issued export sanctions or other trade restrictions.
• You must not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to Lyft’s Bug Bounty Program.

Disclosure Policy and Rules

• If you believe you've discovered a security bug or vulnerability, report it to us as soon as possible.
• Do not disclose your reported findings to others until we've had an opportunity to respond and address them. By keeping your reports private until we resolve them, you’re helping keep Lyft secure for our entire community.
• Researchers must adhere to HackerOne's Disclosure Guidelines .
• This is a private program. If a researcher discloses any information about a vulnerability that has been fixed, They must de-identify the content; the content must not include any language or images that can be traced back to the brand. This provides safety to our users and drivers while we resolve existing issues.
• Please fully and carefully read through the program scope and Prohibitions and Exclusions to make sure you are dedicating your time to identifying vulnerabilities that are within the scope of the bounty program.
• We discourage the use of vulnerability testing tools or other tools that generate significant volumes of traffic; using these tools may disqualify you from qualifying for a reward.

Not eligible for reward

• XSS requiring legacy browsers
• Self-XSS
• SSL/TLS best practices
• Reflected file download
• Software version disclosure
• Path or hostname disclosure in error messages
• Logout CSRF
• Missing HTTP header which does not lead to a direct vulnerability
• Missing cookie flags, unless the absence can be abused by a legitimate workflow
• Clickjacking without demonstration of impact
• Account enumeration through brute-force attacks
• CSV command execution

Never in scope

• Third-party websites used by Lyft app, websites or affiliates
• Third-party implementations integrating the Lyft SDK

Prohibitions and Exclusions

While researching, you must refrain from:

• Denial of service
• Brute-force attacks
• Spamming
• Social engineering (including phishing) of Lyft staff, passengers, or drivers
• Any physical attempts against Lyft property or data centers
• Accessing, gathering, recording, downloading, storing, deleting, or altering confidential or proprietary data, including user data and personal data
• Impairing, disrupting, or disabling systems or rendering data inaccessible

If at any point while researching a vulnerability, you are unsure whether you should continue, immediately engage with our Bug Bounty team.
Do not attach conditions to your report such that there is even the appearance of of a ransom or extortion attempt related to your finding.

Please do not access, record, download, or store PII. Doing so will automatically make you ineligible for a bounty.

Rights and Licenses

We may modify this Bug Bounty Program Policy or cancel the Bug Bounty Program at any time.
By reporting a security bug or vulnerability, you represent and warrant that the report is original to you and you have the right to submit it.
By reporting a security bug or vulnerability, you give us the right to use your report for any purpose.

Information Security Concerns

Information Security questions not related to fraudulent activity can be directed to security@lyft.com. Security researchers who have identified potential vulnerabilities in our services can reach us via our bug bounty program.