We are rapidly expanding our product offerings to our consumers. This growth is a win for everyone, but we want to ensure that our consumers remain safe on our platform. We take the security of our consumers very seriously and are thus taking steps to ensure we work closely with the broader security community to handle responsible disclosure of any bugs found on our platform.
Responsible disclosure benefits all parties involved and as a security researcher, it tells us that you are aware of the intricacies of running a large scale, multi-product platform and are willing to give us a chance to rectify our bugs. Work with us and you will find a responsive team that is committed to resolving issues fast.
Rules of Engagement
We are very interested in hearing about any security issues on our apps or platform. We list a set of in-scope targets below and your bug reports should be related to one or more of these in-scope targets.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Please also note that while we will use this as the benchmark for determining the Vulnerability Rating, we will also include our own Risk/Impact Rating. The final rating can be higher or lower than the rating indicated in the PDF document.
Last updated 13 Feb 2020 00:32:09 UTC
Technical severity | Reward range
P1 Critical | Starting at: $5,000
P2 Severe | $1,500 - $2,500
P3 Moderate | $500 - $1,000
P4 Low | $200 - $300
P5 submissions do not receive any rewards for this program.
For this bounty program, only our Consumer Apps are in scope. There are two Consumer Apps for the Android and iOS platforms and both are fair game. You can use the ones that are published in either of the App stores. Along with the apps, the domains that the apps are talking to are also fair game. Just to be certain, the following domains are what we expect you to test against:
Target name | Type
*.gojekapi.com | API Testing
api.gojek.co.id | API Testing
GO-JEK iOS | iOS
GO-JEK Android | Android
Target name | Type
go-jek.com | Website Testing
If you believe an issue with one of our third-party service providers is the result of Gojek’s misconfiguration or insecure usage of that service (or you’ve reported an issue affecting many customers of the service that you believe Gojek can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we’d appreciate your report regarding the issue.
Keep in mind that any reports regarding third-party services are likely to not be eligible for a reward – but will receive kudos points.
Some features such as transferring money between user accounts require an Indonesian mobile phone number. We are currently not able to provide virtual numbers for testing but are working on a mechanism to allow testers from Bugcrowd to bypass our SMS verification feature; we will update the program when this feature becomes available. Researchers can obtain an Indonesian phone number by signing up for an account from Nexmo, Twilio or other similar services. We use SMS messages to verify that you own the phone number you are registering with. Payment-related bugs are looked upon very favorably!
The GO-JEK Consumer app allows for self-registration. Please register for an account after downloading the app.
We're based in Indonesia. All our services are based out of Indonesia. To help you along, you have to keep a few things in mind:
We are happy for you to look over the entire suite of services that our Consumer App offers. We would, however, be very interested to find out what you can do on our payment platform. Anything around peer-to-peer transfer and withdrawal is of particular interest to us. Note that you will need an Indonesian phone number to transfer to and from.
Out of Scope
Missing or incorrect SPF records of any kind
Missing or incorrect DMARC records of any kind
DoS and DDoS submissions
If you have a concern about whether a potential submission is in-scope, please first validate that it is demonstrably owned by Go-Jek, and carefully read the "Out of Scope", and the "Targets" sections. If it is still unclear but you believe it should still be considered, please submit via the program ONLY (instead of alternate channels like email), and include a few sentences describing your judgement regarding scope. Submissions that demonstrate thoughtful consideration for scope but that we ultimately do not act on will receive a "Not Applicable" status, rather than "Out Of Scope" with negative points.
To request a top-up of your wallet, please file your submission first and then make the credit request by leaving a note. We will send you a form to fill in afterwards.
Send all your queries to firstname.lastname@example.org.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This program's scope types include web_application, android_application and ios_application.