FireBounty Ant Group Security Response Center - Bug Bounty Program Vulnerability Disclosure Program

Link to program

2024-11-25

2025-03-11

Thank

Gift

HOF

Reward

Ant Group Security Response Center - Bug Bounty Program

Ant Group looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. If you believe you have discovered a vulnerability, kindly disclose it responsibly via MySRC.

Annoucement: Additional Qualifying Vulnerability Framework

Dear Hunters,

We are excited to announce the launch of our Additional Qualifying Vulnerability Framework. This new framework is designed to recognize and reward findings that demonstrate significant risk or organized abuse against Ant International’s business:

Category	Qualifying Scenarios	Reward Range (USD)
Critical	• Clear, verifiable evidence of large-scale organized group activity impacting Ant International’s business (account transactions, fake registrations, loan fraud), involving >100 independent accounts/domains/emails.• Confirmed money laundering networks/organizations with detailed transactions, initial cash-out methods, organization info, and direct Ant International links.• Effective first-time face recognition bypass method (video + tools/methods).	$800 – $1,000
High	• Confirmed organized activity involving 50–100 accounts/domains/emails.• Cryptocurrency websites actively using A+ for payments (30+ valid accounts with screenshots and transaction evidence).• Forged identities/documents successfully passed WF/AlipayHK/Ant Bank/ANEXT verification.• Detailed reusable cash-out schemes exploiting Ant International’s business.	$200 – $400
Medium	• 3–5 cryptocurrency websites displaying A+/Alipay branding without authorization.• 2–9 accounts/domains tied to organized activity impacting Ant International.• Evidence of a single attempted face recognition bypass with only partial PoC (e.g., fake photo/video, no full exploit chain).• Loan fraud method described but lacking transaction proof.	$50 – $150
Low	• Unverified general leads (e.g., suspected crypto sites, unverified email/domain lists).• Public but related account transaction samples (not yet linked to Ant).• Single confirmed cryptocurrency website using A+ for payments/branding.• Incomplete records of suspected fraud/money laundering methods.	$0 – $40

Please review the updated framework and continue to submitting high-quality findings. We appreciate your contributions in strengthening Ant International’s ecosystem.

Thank you for your ongoing support and dedication.

Program Policy

Malicious reporters will be banned.
Irrelevant problems will be ignored.
Employees of Ant Group and Alibaba Group cannot participate in the award plan, directly or indirectly.
The award plan is only available to users submitting reports through AntSRC or through YWH.
AntSRC holds the right of final interpretation for the award plan.

Report Submission

Please fill in all relevant vulnerability details and submit via mysrc.group according to the required standards.

> Important: Please keep your vulnerability strictly confidential. No credit or rewards will be given if the issue is disclosed publicly before it is fixed. > >

Vulnerability Evaluation Process

Once submitted, AntSRC will evaluate your report within 48 hours

AntSRC will contact you if necessary for clarification or further testing.

Additional Incentives: Critical Vulnerabilities

Submissions that meet Critical severity may qualify for a cash bonus ranging from USD 1337 to USD 31337, in addition to the swag.

What qualifies as "Critical"?

Vulnerabilities that can lead to escalation of privileges on core servers, including but not limited to:
- Memory corruption
- WEBSHELL upload
- Remote Code Execution (RCE) > Note: Core servers refer to those storing information on funds, identities, and transactions. > >
- Core sensitive information leakage vulnerabilities, including those caused by loose permission controls.
Logic vulnerabilities in core business processes that can be massively exploited to cause financial or reputational damage to the company or users, including but not limited to:
- Account credential validation logic
- Data verification logic in core APIs
- Payment logic flaws
- SQL injection vulnerabilities that:
- Allow direct command execution
- Leak sensitive data from core databases, such as user IDs, order information, or bank card details

Additional Cash Bonus (USD 1337 – USD 31337)

Eligible vulnerabilities include:

Large-scale user account information leakage or unauthorized privilege changes
Ability to massively acquire sensitive user data, such as orders
Capability to take control of important servers

Submission Requirements

To help us process reports efficiently, please append [YWH] to your report title.

Example Title:
[YWH] SQL Injection on example.net at /example/register

Submissions with the [YWH] tag will be prioritized for review and processing during the promotional period. This helps us quickly identify participants eligible for the swag reward and ensures faster triage.

Contact AntSRC

For any questions or clarifications, you may contact the Ant Group Security Response Center at
antsrc@service.alipay.com

In Scope

Scope Type	Scope Name
web_application	*.alipayplus.com
web_application	*.antom.com
web_application	*.worldfirst.com
web_application	bettrfinancing.com
web_application	anext.com.sg
web_application	alipayhk.com
web_application	antbank.hk
web_application	Any Other Applications found here: https://mysrc.group/project_detail?id=11

Out of Scope

Scope Type	Scope Name
undefined	All domains or subdomains not listed in the above list of 'Scopes'.
undefined	Not Belonging to Ant Group’s Products or Systems.
web_application	Third-party applications and websites

This policy crawled by Onyphe on the 2024-11-25 is sorted as bounty.