Security is a top priority at Grab. We believe that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology. If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue. Provide us a reasonable amount of time to fix the issue before publishing it elsewhere.
Make a good-faith effort not to leak, manipulate, or destroy any user data. Only test against accounts you own yourself or with the explicit permission of the account holder. Refrain from automated or scripted account creation.
Grab will make a best effort to meet the following response targets for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
GrabTaxi reserves the right to decide whether the minimum severity threshold is met and whether an issue was previously reported. To qualify for a reward under this program, you should follow the rules above.
Vulnerabilities affecting assets not listed as part of Grab's scope are not eligible for a bounty. If you find a vulnerability in a vendor or third party that directly affects Grab, we will accept it and work with the third party on a best-effort basis to remediate the issue.
However, in certain exceptional cases we may still decide to reward such a report; that decision is at our discretion.
Please note that the rules, rewards, and assets on this Policy Page (https://hackerone.com/grab) supersede all previous versions and updates that may have been made in the past. All final decisions are at the discretion of Grab.
Our rewards are impact-based. This means, for example, that we will issue a relatively high reward for a vulnerability that has the potential to leak sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface a microsite. When we have our reward meetings, we always ask one question: If a malicious attacker abuses this, how bad off are we? We assume the worst and pay out the bug accordingly.
If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue. We don't want to encourage people spamming us with vague issues in an attempt to be first.
If a single fix fixes multiple vulnerabilities, we treat this as a single vulnerability. For example, if you find 3 vulnerabilities in a WordPress plugin we use, and our fix is to remove the plugin, this will receive a single bounty, determined, as always, by impact.
The payout ranges on this page are guidelines to express roughly how we think about the severity of classes of issues. They are not exact rules. There can be attributes of bugs that make them more or less severe, which will affect the payout. For example, if a vulnerability affects only a small population of users, it will likely receive a lower reward than a similar vulnerability that affects a larger population of users.
At the end of the day, all reward amounts are at our discretion, but we aim to be fair. Some researchers won't agree with some of our decisions, but we're paying out to the best of our ethical ability and trust that the majority of researchers will consider their rewards fair and in many cases generous. We will adapt as the program continues.
The amounts listed here are the maximum we can pay for issues of each severity. Their purpose is to give you an idea of how we think about rewarding issues; in the end it all comes down to the underlying impact, assessed at our discretion.
Critical Security Issues ($5,000 - $10,000): Command injection, deserialisation bugs, sandbox escapes, remote code execution on a production server. Exposure of personally identifiable information (PII) such as customer IC numbers, driver images, licence numbers or location information, or of payment card information (PCI) such as credit card numbers, bank account numbers, etc. Potential access to source code.
High Security Issues ($1,000 - $5,000): Restricted or limited account takeover, vertical/horizontal privilege escalation, authorization-check bypasses that allow fraudulent transactions and/or lead to the exposure of personally identifiable information (PII).
Medium Security Issues ($200 - $1,000): Stored/DOM Cross-site Scripting (XSS), most Cross-site Request Forgery (CSRF) issues, access control issues which do not expose PII but affect other accounts, some account validation bypasses (being able to change a driver's picture, etc.). Any vulnerability which allows bulk user enumeration.
This section lists issues that are not accepted under this program, either because testing for them is malicious or because they have low security impact; such reports will be immediately marked as invalid.