5640 policies in database
Link to program      
GO-JEK logo


200 $ 


We are rapidly expanding our product offerings to our consumers. This growth is a win for everyone, but we want to ensure that our consumers remain safe on our platform. We take the security of our consumers very seriously and are thus taking steps to ensure we work closely with the broader security community to handle responsible disclosure of any bugs found on our platform.

Responsible disclosure benefits all parties involved and as a security researcher, it tells us that you are aware of the intricacies of running a large scale, multi-product platform and are willing to give us a chance to rectify our bugs. Work with us and you will find a responsive team that is committed to resolving issues fast.

Rules of Engagement

We are very interested in hearing about any security issues on our apps or platform. We list a set of in-scope targets below and your bug reports should be related to one or more of these in-scope targets.

This program adheres to theBugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Please also note that we will use this as the benchmark for determining Vulnerability Rating, however, we will also include our own Risk/Impact Rating. The final rating can go Higher or Lower from those that are indicated in the pdf document.

Reward range

Last updated 13 Feb 2020 00:32:09 UTC

Technical severity | Reward range
p1 Critical | Starting at: $5,000
p2 Severe | $1,500 - $2,500
p3 Moderate | $500 - $1,000
p4 Low | $200 - $300

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
*.gojekapi.com | API Testing
api.gojek.co.id | API Testing
GO-JEK Android | Android

Out of scope

Target name | Type
go-jek.com | Website Testing

For this bounty program, only our Consumer Apps are in scope. There are two Consumer Apps for the Android and iOS platforms and both are fair game. You can use the ones that are published in either of the App stores. Along with the apps, the domains that the apps are talking to are also fair game. Just to be certain, the following domains are what we expect you to test against:

  • api.gojek.co.id
  • *.gojekapi.com

iOS : Here
Android : Here

3rd party services

If you believe an issue with one of our third-party service providers is the result of Gojek’s misconfiguration or insecure usage of that service (or you’ve reported an issue affecting many customers of the service that you believe Gojek can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we’d appreciate your report regarding the issue.

Keep in mind that any reports regarding third-party services are likely to not be eligible for a reward – but will receive kudos points.


Some features such as transferring money between user accounts require an Indonesian mobile phone number. We are currently not able to provide virtual numbers for testing but are working on a mechanism to allow for testers from BugCrowd to bypass our SMS verification feature; we will update the program when this feature becomes available. Researchers can obtain an Indonesian phone number by signing up for an account from Nexmo, Twilio or other similar services. We use SMS messages to verify that you own the phone number you are registering with. Payment related bugs are looked upon very favorably!


The GO-JEK Consumer app allows for self-registration. Please register for an account after downloading the app.

Effective Testing

We're based in Indonesia. All our services are based out of Indonesia. To help you along, you have to keep a few things in mind:

  • When you sign up with us please send us the email address that you used to sign up. We will credit you with some Indonesian currency with which you can embark on your payment testing journey.
  • When you make a booking for the production app, your booking will be sent out to an actual physical, human driver. Be wary of this and be kind. This is their livelihood so don't bomb the platform with bookings. We also have rate limiting in place to stop you from using up our entire driver supply.
  • You will have to always make your bookings by simulating the fact that you are in Jakarta. You can do this by manually choose or set a pick-up location in our application. Alternatively, just use the standard latitude, longitude for Jakarta here: 6.1745° S, 106.8227° E
  • To make things more simple, you may want to use our office address as the destination for all of your ride, food, shopping, bookings. Our office address is Pasaraya Mall, Jalan Iskandarsyah II, No 20.
  • You may get suspended or blacklisted from our platform if we see your profile as one that is making too many fake bookings or one that is not making a single completed booking. If this happens, you will receive an error when you try to make a booking. As soon as this happens, please get in touch with us with your email address used on our app and we will remove the suspension.

Focus Areas

We are happy for you to look over the entire suite of services that our Consumer App offers. We would, however, be very interested to find out what you can do on our payment platform. Anything around peer to peer transfer and withdrawal is of particular interest to us. Note that you will need an Indonesian phone number to transfer to and from.

Out of Scope

Missing or incorrect SPF records of any kind
Missing or incorrect DMARC records of any kind
*DoS and DDoS submissions are out of scope

If you have a concern about whether a potential submission is in-scope, please first validate that it is demonstrably owned by Go-Jek, and carefully read the "Out of Scope", and the "Targets" sections. If it is still unclear but you believe it should still be considered, please submit via the program ONLY (instead of alternate channels like email), and include a few sentences describing your judgement regarding scope. Submissions that demonstrate thoughtful consideration for scope but that we ultimately do not act on will receive a "Not Applicable" status, rather than "Out Of Scope" with negative points.

Contacting Us

To Request Top-Up of wallet please submit your submission first and do the credit request by leaving a note.
We will send you a form to fill in afterwards.

Send all your queries to bugcrowd@go-jek.com.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name

GO-JEK Android







Out of Scope

Scope Type Scope Name


This program feature scope type like web_application, android_application, ios_application.

FireBounty © 2015-2020

Legal notices