FireBounty
52235 policies in database
Link to program      
2021-10-07
DANA Bug Bounty Program logo
Thank
Gift
HOF
Reward

Reward

DANA Bug Bounty Program

DANA

DANA Wallet is an e-wallet provider in Indonesia. It began operation in July 2017. DANA Wallet Indonesia's headquarter is in Jakarta, Indonesia.

Pay for anything & everything with just a tap of your finger. Experience the convenience of carrying out transactions with ease; from bills, e-commerce payments, to barcode scans in merchants. #GantiDompet now & switch to DANA Digital wallet for faster, safer & more practical payment methods.

Program Rules

Thank you for your interest in the DANA bug bounty program.

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our systems.
  • If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
  • Any type of denial of service attacks is strictly forbidden, as well as any interference with network equipment and DANA infrastructure.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of DANA, however only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • "OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. Regardless, such reports will be reviewed on a case by case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of DANA or one of its contractor.
  • Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial is allowed.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the privacy of our users.

  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amount of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any system.
  • Do not copy any files from the system and disclose them.

Known vulnerabilities

The following list are known vulnerabilities that are known from previous security testing. They are in the process of being fixed, and will not be rewarded.

  • Overly permissive Google API key in application binaries. This is known and will be fixed in a near future release
  • Open Redirect on m.dana.id

Rewards Grid

Rewards are given based on CVSS scoring and actual business impact.

Rating CVSS score Bounty
None 0.0 No bounty
Low 0.1 - 3.9 No bounty
Medium 4.0 - 6.9 $50 - 200
High 7.0 - 8.9 $400 – 1000
Critical 9.0 - 10.0 $1500 - 2000

REPORTS OF LEAKS AND EXPOSED CREDENTIALS

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

To summarize our policy, you may refer to this table :

TYPE OF LEAK SOURCE OF LEAK IS IN-SCOPE SOURCE OF LEAK BELONGS TO DANA BUT IS OUT-OF-SCOPE SOURCE OF LEAK DOES NOT BELONG TO DANA AND IS OUT-OF-SCOPE
Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Eligible Not eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not eligible Not eligible

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

Special Case

  • If you can bypass our face verification method in Login feature, we will give you a bonus up to 2000$

In Scope

Scope Type Scope Name
android_application

https://play.google.com/store/apps/details?id=id.dana&hl=en
api

mgs-gw.m.dana.id
api

api-saas.dana.id
ios_application

https://apps.apple.com/id/app/dana/id1437123008
web_application

https://appgallery.huawei.com/#/app/C100570215
web_application

sec.m.dana.id
web_application

m.dana.id

Out of Scope

Scope Type Scope Name
web_application

webdev.dana.id
web_application

wp.dana.id
web_application

fiat.dana.id
web_application

cmsdev.dana.id
web_application

techops.dana.id
web_application

dm.dana.id
web_application

encrypt.dana.id

This policy crawled by Onyphe on the 2021-10-07 is sorted as bounty.

FireBounty © 2015-2024

Legal notices | Privacy policy