Foreword

Security is a top priority at Grab. We believe that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology.

If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Coordinated disclosure rules

Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue if it is found to be valid. You may not disclose any information about the issue outside of the program unless you receive explicit written consent from the Grab team.

Making an effort in good faith by ensuring that there is no leak, manipulation, alteration, modification and/or destruction, in whatsoever manner, to any of user data and Grab proprietary data. Please only test against accounts you own yourself or with the explicit permission of the account holder. Please refrain from automated/scripted account creation. In the events of a possible bulk enumeration of customer data, refrain from harvesting a large amount of information, a small sample is enough as a proof of concept.

By participating in this program, you agree to be bound by these rules.

Rewards

Grab will only issue monetary rewards for reports demonstrating meaningful impact. This means, for example, that we will issue a relatively high reward for a vulnerability that has the potential to leak sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface a micro-site.

For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.

The following table outlines some example scenarios of vulnerabilities for in-scope assets. Note that all amounts listed in the Rewards section are the maximum we can pay for each issue based on their severities. All final decisions are at the discretion of Grab.

We try our best to cycle bounty payouts on Fridays.

| Severity | Examples (inspired from previous reports) |

| :------- | ------------------- |

| Critical | RCE on a Production server, Bulk personally identifiable information (PII) exposure [^], Access to source code|

| High | Restricted or limited account takeover, Vertical/horizontal privilege escalations, Authorization checks bypass allowing fraudulent transactions | $2,000 - $5,000 |

| Medium | SSRF without clear impact demonstration, Business logic error with monetary impact |

| Low | Stored/Reflected XSS with low impact (no sensitive data exfiltrated), Exposed logs without sensitive information, Exposed API keys with low privileges |

| None | Duplicate, N.A, Informational bug(s) |

~ Bounty payout range table (all amounts are in USD) ~

• Note that Asset severity can be used as a weightage for calculating the final bounty amount (please refer to the Scope section for more details).*

• [^] Including but not limited to: customer/driver name, email, address, IC number, driver photos, license plate numbers, location information, or payment card information (PCI) like credit card numbers, bank account numbers, etc.*

Notes

• Please note that if a single fix is able to resolve multiple vulnerabilities, usually due to the same root cause, it will be rewarded as a single bounty on one report, determined by its overall impact.

• For quality reports that prove significant impact on the Grab business, are well-written, display an innovative approach in testing and where the reporter demonstrates a professional attitude, Grab may award a maximum of $2,000 bonus on top of the original bounty amount. Decisions to award a bonus for a report is at our discretion.

Report Eligibility

Grab reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a reward under this program, you should:

• Be the first to report a specific vulnerability.

• Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.

• Disclose the vulnerability report directly and exclusively to us. Please do not disclose (public disclosure or disclosure to other third parties- including vulnerability brokers) information about the issue or your report without explicit written consent from the Grab Team.

  • For all other disclosure guidelines (except for the disclosure of Grab issues mentioned above), please refer to HackerOne's Vulnerability Disclosure Guidelines.

Known issues

Please note that the Grab Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.

We seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.

Acquisitions

Newly acquired sites are subject to a twelve-month blackout period. Bugs reported sooner are certainly appreciated but will not qualify for rewards.

Recently disclosed 0-day vulnerabilities

We need time to patch our systems just like everyone else - please give us two months before reporting these types of issues. We will appreciate anyone raising awareness for new CVEs but such reports will not qualify for a reward either.

Vulnerabilities found in third-party/vendors

Vulnerabilities affecting assets not listed as part of Grab's scope are not eligible for a bounty. If you find a vulnerability in a vendor or third-party that directly affects Grab, we will accept it and work with the third party on a best-effort basis to remediate the issue.

However, in certain exceptional cases, if we decide to reward, the decision will be at our discretion.

Out-of-Scope Vulnerabilities

This section contains issues that are not accepted under this program, because they are malicious and/or because they have a low-security impact and will be immediately marked as invalid.

The following findings are specifically excluded from the bounty:

• Descriptive error messages that do not reveal any sensitive information (e.g. Stack Traces, application or server errors).

• Exposure of third-party API keys with no significant security impact (eg. Google Maps API, Sentry keys).

• Open redirects. For the rare cases where the impact is higher, e.g. If you can leverage the open redirect to steal any sensitive information, perform an unauthorized action, chain with another vulnerability to bypass any restriction, etc., we do still want to hear about them.

• Out-of-date software without demonstration of significant security impact.

• Mis-configured host header with no significant security impact.

• Broken Link Hijacking with no significant security impact.

• Disclosure of known public files or directories, (e.g. robots.txt).

• Clickjacking/Tapjacking issues without working POC and without demonstrating a significant security impact.

• Comma Separated Values (CSV) injection without demonstrating a significant security impact.

• Issues with prerequisite of MITM, physical or remote access to a victim's authenticated session.

• Cross-site Request Forgery with no significant security impact.

• Lack of cookie flags on non-sensitive cookies.

• Issue related to HTTP "OPTIONS" method.

• Content spoofing/text injection

• Issues exploitable only on outdated browsers.

• Best practice concerns without demonstrating an exploitable vulnerability.

• Reverse Tabnabbing related issues.

• Missing HTTP security headers with no significant security impact.

• Infrastructure vulnerabilities, including:

• Issues related to weak TLS/SSL versions & ciphers.

• Mail server misconfiguration, spoofing, SPF, DMARC, etc.

• Server misconfiguration issues (i.e., open ports, TLS, etc.)

• Most vulnerabilities within our sandbox, uat, or staging environments.

• Vulnerability requiring installation or use of 3rd party apps/ tools/ plugins for successful exploitation.

• Issues with a prerequisite of phishing or controlling a victim's email account, social media accounts, etc.

• Most issues requiring brute force.

• Denial of service.

• Spamming.

• Insufficient rate limiting.

• Disclosure of private IP addresses or domains pointing to private IP addresses.

Out of Scope bugs for Android apps

• Any URIs leaked because a malicious app has permission to view URIs opened

• Absence of certificate pinning

• Sensitive data in URLs/request bodies when protected by TLS

• User data stored unencrypted on external storage

• Lack of obfuscation is out of scope

• Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)

• Any kind of sensitive data stored in-app private directory

• Lack of binary protection control in the android app

• Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

Out of Scope bugs for iOS apps

• Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries

• Absence of certificate pinning

• Path disclosure in the binary

• User data stored unencrypted on the file system

• Lack of obfuscation is out of scope

• Lack of jailbreak detection is out of scope

• Crashes due to malformed URL Schemes

• Lack of binary protection (anti-debugging) controls

• Snapshot/Pasteboard leakage

• Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

Please note that the rules, rewards, and assets in this Policy Page (https://hackerone.com/grab) precedes all previous versions and updates that may have been made in the past. All final decisions are at the discretion of Grab.

We are looking forward to seeing your reports,

Happy hunting !

? Grab Application Security Team ?