2021-10-07
DANA Bug Bounty Program

DANA

DANA Wallet is an e-wallet provider in Indonesia. It began operation in July 2017. DANA Wallet Indonesia is headquartered in Jakarta, Indonesia.

Pay for anything and everything with just a tap of your finger. Experience the convenience of carrying out transactions with ease, from bills and e-commerce payments to barcode scans at merchants. #GantiDompet now and switch to the DANA digital wallet for faster, safer and more practical payment methods.

Program Rules

Thank you for your interest in the DANA bug bounty program.

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our systems.
  • If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
  • Any type of denial-of-service attack is strictly forbidden, as is any interference with network equipment and DANA infrastructure.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of DANA, however only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • "OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. Such reports will nevertheless be reviewed on a case-by-case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and keep your request rate low).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of DANA or one of its contractors.
  • Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial disclosure, is allowed.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the privacy of our users.

  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amount of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any system.
  • Do not copy any files from the system and disclose them.

Known vulnerabilities

The following vulnerabilities are already known from previous security testing. They are in the process of being fixed, and reports of them will not be rewarded.

  • Overly permissive Google API key in application binaries. This is known and will be fixed in an upcoming release.
  • Open Redirect on m.dana.id

Rewards Grid

Rewards are given based on CVSS scoring and actual business impact.

Rating    CVSS score   Bounty
None      0.0          No bounty
Low       0.1 - 3.9    No bounty
Medium    4.0 - 6.9    $50 - 200
High      7.0 - 8.9    $400 - 1000
Critical  9.0 - 10.0   $1500 - 2000

In Scope

Scope Type           Scope Name
android_application  https://play.google.com/store/apps/details?id=id.dana&hl=en
api                  mgs-gw.m.dana.id
api                  api-saas.dana.id
ios_application      https://apps.apple.com/id/app/dana/id1437123008
web_application      https://appgallery.huawei.com/#/app/C100570215
web_application      sec.m.dana.id
web_application      m.dana.id

Out of Scope

Scope Type       Scope Name
web_application  webdev.dana.id
web_application  wp.dana.id
web_application  fiat.dana.id
web_application  cmsdev.dana.id
web_application  techops.dana.id
web_application  dm.dana.id
web_application  encrypt.dana.id

This policy was crawled by Onyphe on 2021-10-07 and is categorised as bounty.

FireBounty © 2015-2021