Link to program

2021-10-07

Thank

Gift

HOF

Reward

DANA Bug Bounty Program

DANA

DANA Wallet is an e-wallet provider in Indonesia. It began operation in July 2017. DANA Wallet Indonesia's headquarter is in Jakarta, Indonesia.

Pay for anything & everything with just a tap of your finger. Experience the convenience of carrying out transactions with ease; from bills, e-commerce payments, to barcode scans in merchants. #GantiDompet now & switch to DANA Digital wallet for faster, safer & more practical payment methods.

Program Rules

Thank you for your interest in the DANA bug bounty program.

We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our systems.
If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Any type of denial of service attacks is strictly forbidden, as well as any interference with network equipment and DANA infrastructure.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of DANA, however only those that meet the following eligibility requirements may receive a monetary reward:

You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see below).
"OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. Regardless, such reports will be reviewed on a case by case basis.
You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
You must not leak, manipulate, or destroy any user data.
You must not be a former or current employee of DANA or one of its contractor.
Every report will be reanalyzed and the severity rating may be subject to change. Severity changes can be increased or decreased from initial report depending on the impact of a vulnerability.
No full or partial vulnerability disclosure is allowed.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the privacy of our users.

Avoid tests that could cause degradation or interruption of our services.
Do not use automated scanners or tools that generate large amount of network traffic.
Do not leak, manipulate, or destroy any user data or files in any system.
Do not copy any files from the system and disclose them.

Known vulnerabilities

The following list are known vulnerabilities that are known from previous security testing. They are in the process of being fixed and will not be rewarded.

Overly permissive Google API key in application binaries. This is known and will be fixed in a near future release
Open Redirect on m.dana.id

In-Scope Assets

Products or services described as "Core Product" below is in-scope:

1. Core Product

DANA Android Application https://play.google.com/store/apps/details?id=id.dana&hl=en

DANA iOS Application https://apps.apple.com/id/app/dana/id1437123008

DANA Web Application https://m.dana.id

Rewards Grid

Rewards are given based on CVSS scoring and actual business impact.

Scope	None Severity Vulnerability	Low Severity Vulnerability	Medium Severity Vulnerability	High Severity Vulnerability	Critical Severity Vulnerability
Core Product	$0	$0	$50-200	$350-750	$1500-3000

REPORTS OF LEAKS AND EXPOSED CREDENTIALS

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers. Eligible reports will be rewarded according to the "Core Product" reward grid.

To summarize our policy, you may refer to this table :

TYPE OF LEAK	SOURCE OF LEAK IS IN-SCOPE	SOURCE OF LEAK BELONGS TO DANA BUT IS OUT-OF-SCOPE	SOURCE OF LEAK DOES NOT BELONG TO DANA AND IS OUT-OF-SCOPE
Impact is on the in-scope assets of the bounty program (e.g valid sensitive information on an in-scope asset)	Eligible	Eligible	Not eligible
Impact is on out-of-scope assets of the bounty program (e.g. valid sensitive information for an out-of-scope asset)	Eligible	Not eligible	Not eligible

This excludes, but is not limited to:

Stolen credentials gathered from unidentified sources
Exposed credentials that are not applicable on the program’s scope
Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
Exposed PII on an out-of-scope asset

Special Case

If you can bypass our face verification method in Login feature, we will give you a bonus up to 2000$

In Scope

Scope Type	Scope Name
undefined	Core Product

Out of Scope

Scope Type	Scope Name
web_application	webdev.dana.id
web_application	wp.dana.id
web_application	fiat.dana.id
web_application	cmsdev.dana.id
web_application	techops.dana.id
web_application	dm.dana.id
web_application	encrypt.dana.id
web_application	*.dana.id

This policy crawled by Onyphe on the 2021-10-07 is sorted as bounty.