Lyft Invites Community to Envoy Bug Bounty Program

Samantha Davison
2 min read · May 20, 2019


At Lyft, our mission is to improve people’s lives with the world’s best transportation. We provide over 50 million rides a month to our community, helping people efficiently and reliably get around their cities. Lyft drivers and riders entrust us with their personal information and travel details in order to get them where they’re going, which is why we work hard to keep Lyft safe and keep our users’ data secure and private.

Today we are excited to announce that as we continuously improve upon the security of the information Lyft is entrusted with, we are inviting our external security researcher community to disclose bugs found in Envoy.

For background, Envoy was developed at Lyft in 2015 to build the path for network transparency and support our efforts to move from a monolith to microservices. Envoy launched into the Open Source community in 2016 and was accepted into the Cloud Native Computing Foundation the following year.

Bugs found and fixed in Envoy will have far-reaching impact beyond Lyft. In addition to its internal uses at Lyft, Envoy has seen tremendous adoption by major cloud providers and startups, including Airbnb, Google, Netflix, Salesforce and Stripe.

Our Bug Bounty program is hosted on HackerOne and, until now, has been private and invitation-only. Validated bugs in a non-forked repository will be compensated according to their criticality.

This will not replace or interfere with existing vendor-specific bug bounty programs for their deployments of Envoy. For example, if the bug is in Google’s specific deployment of Envoy, it should be reported to and routed to the Google Vulnerability Rewards Program.

Bugs can be reported at lyft.com/security. We welcome your feedback and appreciate you helping keep Lyft secure for our community.
