Bug Bounty & Responsible Disclosure

iCabbi is committed to maintaining the confidentiality, integrity, and availability of our products and services. Security is fundamental to how we build, operate, and improve our platform.

We welcome vulnerability reports from researchers, customers, and partners who act in good faith and follow responsible disclosure practices. While we do not currently operate a public bug bounty program, we are preparing to launch a formal program and will share details here when available.

How to Report a Vulnerability

Please email security@icabbi.com with the following information:

  • A clear description of the issue and the affected system/component
  • Steps to reproduce (proof-of-concept where possible)
  • Relevant logs, screenshots, or supporting details
  • Your contact details for follow-up questions

What You Can Expect From Us

  • We will acknowledge your report within 5 business days
  • We will assess and prioritise valid vulnerabilities
  • We will work to remediate confirmed issues in a timely manner
  • We may contact you for clarification or additional details
  • In appropriate cases, we will provide a financial reward consistent with the guidelines below (subject to change)

Responsible Disclosure Guidelines

To protect our customers and services, we ask that you:

  • Avoid data access beyond what is necessary to demonstrate the issue
  • Do not modify or delete data, or disrupt service availability
  • Do not use social engineering, phishing, or physical access attempts
  • Do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and resolve it

We appreciate the contribution of the security community in helping us keep iCabbi safe and secure.

Bounty Rewards Guidelines

Critical (€2,500 – €5,000+)
Impact: Full compromise of the dispatch system or mass data exfiltration.
Examples:
  • RCE on the dispatch server
  • Broken Tenant Isolation: A taxi firm in Dublin being able to see or cancel bookings for a firm in London
  • Mass PII Leak: Unauthorized access to the global passenger/driver database (S3 bucket misconfigurations, etc.)

High (€1,200 – €2,000)
Impact: Takeover of individual high-value accounts or sensitive data access.
Examples:
  • Account Takeover (ATO): Taking over a Dispatcher or Admin account without user interaction
  • GPS Tracking: Accessing real-time “Driver Location” or “Passenger Location” data without authorization
  • Stored XSS on the dispatch dashboard that could steal admin session cookies

Medium (€400 – €800)
Impact: Manipulating individual business logic or bypasses.
Examples:
  • Price Manipulation: Altering the fare of a ride via API manipulation
  • IDOR: Viewing a specific receipt or trip history of another passenger by changing a UUID/ID in the URL
  • CSRF on critical actions (e.g., changing a driver’s payout bank details)

Low (€100 – €250)
Impact: Technical glitches with limited exploitability.
Examples:
  • Information Disclosure: Verbose error messages revealing server internals
  • Logout bypass: Sessions not invalidating properly on the server after logout
  • Circular Redirects or Open Redirects on icabbi.com

📩 security@icabbi.com
