Gojek

2022-05-10
Gojek is rapidly expanding product offerings to our consumers. This growth is a win for everyone, but we want to ensure that our consumers remain safe on our platform. We take the security of our consumers very seriously and are thus taking steps to ensure we work closely with the broader security community to handle responsible disclosure of any bugs found on our platform.

We look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Gojek will make a best effort to meet the following response targets for hackers participating in our program:

| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 2 days |
| Time to Triage | 5 days |
| Time to Bounty | 10 days |
| Time to Resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.


Scope

Valid submissions for the assets in the ‘Scope’ section will be rewarded accordingly in this bounty program. Please note that we cannot promise you a bounty for valid report submissions that are outside of the in-scope assets.

However, in certain exceptional cases, if we decide to reward, the decision will be at our discretion and the bounty will probably not go higher than a Tier 2 Medium bounty.


Test Plan

Identifying testing traffic with custom headers

In order for Gojek to separate testing traffic from real user traffic, we will require that you include a unique string/header added to each HTTP request made by yourself or any tooling you use. Please append the following in your request:

  • X-HackerOne-Research: [Your H1 Username]

Please ensure that you do so when conducting your testing.
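As an added example (not part of Gojek's program text), this shows how a receiving service could act on that header server-side: it partitions a batch of constructed requests into research and production traffic, attributes research requests to a handle, and flags header values that are not plausible HackerOne usernames. The username pattern and the request paths are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Header name as mandated by the program text. Matching is case-insensitive,
# as HTTP header names are. The handle pattern is an assumption (letters,
# digits, underscores and hyphens), not a documented HackerOne rule.
RESEARCH_HEADER = "x-hackerone-research"
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def classify_request(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (bucket, username) for one request.

    'research'           -> header present with a plausible handle
    'research-malformed' -> header present but value is not a plausible handle
                            (e.g. the literal placeholder from the policy)
    'production'         -> header absent; treat as real user traffic
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    value = lowered.get(RESEARCH_HEADER)
    if value is None:
        return "production", ""
    if USERNAME_RE.match(value):
        return "research", value
    return "research-malformed", value


def split_traffic(requests: List[Dict]) -> Dict[str, List[Dict]]:
    """Partition requests so research traffic can be excluded from production
    metrics and alerting while still being attributable to a researcher."""
    buckets: Dict[str, List[Dict]] = {"production": [], "research": [], "research-malformed": []}
    for req in requests:
        bucket, user = classify_request(req["headers"])
        buckets[bucket].append({**req, "researcher": user})
    return buckets


# Constructed sample requests; paths and handles are illustrative only.
SAMPLE_REQUESTS = [
    {"path": "/v1/wallet/transfer", "headers": {"X-HackerOne-Research": "alice_h1", "User-Agent": "curl/8.0"}},
    {"path": "/v1/wallet/transfer", "headers": {"User-Agent": "GojekApp/4.0"}},
    {"path": "/v1/login", "headers": {"x-hackerone-research": "[Your H1 Username]"}},
]

if __name__ == "__main__":
    for name, reqs in split_traffic(SAMPLE_REQUESTS).items():
        print(name, [(r["path"], r["researcher"]) for r in reqs])
```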

Creating Accounts and Credentials

You can download our consumer app from the Google Play Store or Apple App Store. The Gojek Consumer app allows for self-registration. You may sign up for an account with your own phone number.

We operate in Indonesia, Singapore, Vietnam and Thailand.

  • Note: You may be suspended or blocklisted from our platform if our controls see your profile making too many fake bookings, never completing a single booking, or triggering rate limiting.

Focus Areas

We are happy for you to look over the entire suite of services that our Consumer App offers. We would, however, be very interested to find out what you can do on our payment platform. Anything around peer-to-peer transfer and withdrawal is of particular interest to us. Note that you will need an Indonesian phone number to transfer to and from.


Reward Assessment Guidelines

Special Situations

Some situations exist that may earn partial bounties or bonuses on top of a base bounty per report. Here are a few of the most common examples:

1. Same vulnerability, on different paths or hosts:

If you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. We will award an additional 5% bonus per path / per host for any valid ones you've included in the report. However, if you subsequently identify the same vulnerability on a different path / host on a new report submission, such reports will be treated as a duplicate. This is to allow Gojek sufficient time to patch the related paths.

2. Same Payload, Different Parameter

In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.

Third-Party Services

If you believe an issue with one of our third-party service providers is the result of Gojek’s misconfiguration or insecure usage of that service (or you’ve reported an issue affecting many customers of the service that you believe Gojek can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we’d appreciate your report regarding the issue.

Keep in mind that reports regarding third-party services are unlikely to be eligible for a reward.


Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Highly speculative reports with no real proof

  • Issues related to Google Maps API keys (e.g. Static Maps API)

  • Raw scanner results without proper explanation and proof (e.g. MobSF, Nessus, Burp)

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions or minimal impact

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Rate limiting or brute-force issues on authenticated and non-authenticated endpoints

  • Tabnabbing

  • Open redirect - unless an additional security impact can be demonstrated

  • Issues that require unlikely user interaction

  • Microsites with little to no user data outside of listed scope.

  • Sending a spam email to a user directly without going through our system

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • All Flash-related bugs

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Disclosure of information that does not present a significant risk e.g. outdated info, personal task list with no sensitive data.

  • Any issues related to browsers such as:

    • Not affecting the latest version of modern browsers

    • Web browser add-ons

  • Missing HTTP security headers, including but not limited to:

    • Strict-Transport-Security

    • HttpOnly

    • X-Frame-Options

    • X-XSS-Protection

    • X-Content-Type-Options

    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP

    • Content-Security-Policy-Report-Only

  • Any infrastructure vulnerabilities that are related to:

    • Missing best practices in SSL/TLS configuration or any Certificates/TLS/SSL related issues

    • DNS issues (i.e. MX records, SPF records, etc.)

    • Server configuration issues (i.e., open ports, TLS, etc.)

  • Most vulnerabilities within our sandbox, UAT, or staging environments.

  • Subdomain takeover without any real impact.

Out of Scope Vulnerabilities for Android/iOS apps

  • Absence of certificate pinning

  • Absence of root prevention/detection in APK/IPA

  • Lack of obfuscation in APK/IPA

  • Any kind of sensitive data stored in the app's private directory

  • Sensitive data sent over HTTP that is protected by TLS

  • OAuth & App secret hard-coded/recoverable in APK/IPA

  • Runtime hacking exploits using tools like Frida/Appmon or any other tools that are only possible in a jailbroken/rooted environment

  • Any URIs leaked because a malicious app has permission to view URIs opened

  • Snapshot/Pasteboard leakage

  • Crashes due to malformed Intents sent to exported Activities/Services/BroadcastReceivers. Exploiting these for sensitive data leakage is in scope: if you can interact with an exported component to leak data, please let us know.

  • Lack of binary protection controls in the APK/IPA

  • Vulnerabilities reported on modified APK/IPA through an unofficial system

Recently disclosed 0-day vulnerabilities

We love the excitement around any 0-day vulnerabilities, but please understand that we need time to patch, which will take a minimum of 2 months. During that period, any new CVEs will not qualify for a reward. However, in certain exceptional cases, if we decide to reward, the decision will be at our discretion.


Safe Harbor

Any activities in relation to your participation in this program conducted in a manner with full submission and compliance with this Policy Page will be considered authorized conduct and we will not initiate or suggest legal action against you. If legal action is initiated by a third party against you in connection with your participation in this program, provided that you have fully submitted and complied with this program’s Policy Page, we will make it known that your actions were conducted pursuant to this program and have complied with the Policy Page.

Thank you for helping keep Gojek and our users safe!


FAQ

I want swag, how do I get it?

Unfortunately, Gojek does not currently offer any swag.

Can Gojek provide me with a pre-configured test account?

As of now, Gojek doesn’t provide any test accounts.

Can we test Gojek Apps outside of the operating country?

Yes, we would love to have you participate.

What causes a report to be closed as Informative, Duplicate, N/A, or Spam?

https://docs.hackerone.com/hackers/report-states.html

In Scope

| Scope Type | Scope Name |
| ------------- | ------------- |
| android_application | com.gojek.app |
| android_application | com.gojek.partner |
| ios_application | 944875099 |
| ios_application | 1573529788 |
| web_application | *.gojekapi.com |
| web_application | *.gopayapi.com |
| web_application | api.gojek.co.id |
| web_application | https://www.gojek.com |
| web_application | https://portal.gosend.id |
| web_application | https://gocorp.gojek.com |
| web_application | https://gofood.co.id |
| web_application | https://gosend.id/ |
| web_application | https://go-tix.id/ |
| web_application | *.findaya.com |
| web_application | *.findaya.co.id |
| web_application | *.mab.co.id |
