Spin Security

Our riders trust us to transport both them and their data safely. Spin’s Security Team is constantly working to improve the security of our applications, infrastructure, and processes. We happily collaborate with the greater security community to achieve this goal.

Security research

Spin openly invites researchers to assess the security of our applications and services. We welcome reports through our bug bounty program and responsible disclosure form. Please review our guidelines below prior to conducting any research.

If these guidelines prevent you from fully testing an issue, or you need clarification on what is allowed, please email security@spin.pm.

Research guidelines

  • Do not attempt social engineering
      • This includes research against employees, team members, support representatives, riders, etc.
  • Do not attempt physical security testing
      • This includes research against offices, warehouses, data centers, etc.
      • You may test the security of scooters and other rentable vehicles through APIs, wireless traffic, and other methods that do not pose physical harm to the vehicles.
  • Do not attempt denial-of-service (DoS) attacks
      • This includes application-level denial-of-service, distributed denial-of-service (DDoS), etc.
  • Do not attempt brute force attacks or spam
      • This includes enumeration, password guessing, web directory guessing, etc.
      • Avoid research that sends emails, text messages, push notifications, and other communications to other users. You may test these communications on yourself, but should avoid creating more traffic than necessary.
  • Do not attempt research on Spin vendors or third parties
      • This includes websites operated by our parent company and anywhere else that Spin doesn’t have direct control over the code or infrastructure.
  • Stop testing immediately if you encounter sensitive data
      • This includes personally identifiable information (PII) (such as names, email addresses, physical addresses, phone numbers, etc.), financial data, rider trip history and trip routes, etc.
      • Report potential issues and we will guide further testing.
  • Respect Spin infrastructure, users, and other security researchers
      • Use your best effort to avoid causing harm to Spin property or disrupting services.
      • Avoid submitting low-quality reports or those without a clear security impact.

Bug bounty

Spin operates a private bug bounty program on Bugcrowd. We aim to open the program to more researchers over time, and eventually to make it public. Bugcrowd automatically invites active researchers to our program, so you can join by participating in other public programs and building a positive reputation on the platform.

Responsible disclosure

If you are not part of our bug bounty program, you may report an issue using the form below. These reports are not eligible for reward. We may invite you to re-submit a report to our bug bounty program for reward if the issue is of high severity, or if you have demonstrated expertise in one of our focus areas: internet of things (IoT) security, vehicle security, wireless security, and similar. We do not accept requests to join our bug bounty program.