Banner object (1)

Hack and Take the Cash !

800 bounties in database
  Back Link to program      
Grab logo
Hall of Fame


50 $ 

In Scope

Scope Type Scope Name
android_application com.grabtaxi.passenger
android_application com.grabpay.merchant
ios_application Grab Driver
ios_application GrabPay Merchant
ios_application Grab (iOS)
ios_application Grab Driver
ios_application GrabPay Merchant
web_application *
web_application *
web_application *
web_application *
web_application *
web_application *

Out of Scope

Scope Type Scope Name


Security is a top priority at Grab. We believe that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology. If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Coordinated disclosure rules

Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue. Provide us a reasonable amount of time to fix the issue before publishing it elsewhere.

Making a good faith effort to not leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder. Please refrain from automated/scripted account creation.

Response Targets

Grab will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 1 business days
  • Time to triage (from report submit) - 1 business days
  • Time to bounty (from triage) - 5 business days

We’ll try to keep you informed about our progress throughout the process.

Bounty eligibility

GrabTaxi reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a reward under this program, you should:

  1. Be the first to report a specific vulnerability.
  2. Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
  3. Disclose the vulnerability report directly and exclusively to us. Public disclosure or disclosure to other third parties -- including vulnerability brokers -- before we addressed your report will forfeit the reward.

Vulnerabilities affecting assets not listed as part of Grab's scope are not eligible for a bounty. If you find a vulnerability in a vendor or third-party that directly affects Grab, we will accept it and work with the third-party on a best-effort basis to remediate the issue.
However, in certain exceptional cases, if we decide to reward, the decision will be at our discretion.

Please note that the rules, rewards, and assets in this Policy Page ( precedes all previous versions and updates that may have been made in the past. All final decisions are at the discretion of Grab.


Our rewards are impact-based. This means, for example, that we will issue a relatively high reward for a vulnerability that has the potential to leak sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface a microsite. When we have our reward meetings, we always ask one question: If a malicious attacker abuses this, how bad off are we? We assume the worst and pay out the bug accordingly.

If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue. We don't want to encourage people spamming us with vague issues in an attempt to be first.

If a single fix fixes multiple vulnerabilities, we treat this as a single vulnerability. For example, if you find 3 vulnerabilities in a WordPress plugin we use, and our fix is to remove the plugin, this will receive a single bounty, determined, as always, by impact.

The payout ranges on this page are guidelines to express roughly how we think about the severity of classes of issues. They are not exact rules. There can be attributes of bugs that make them more or less severe, which will affect the payout. For example, if a vulnerability affects only a small population of users, it will likely receive a lower reward than a similar vulnerability that affects a larger population of users.

At the end of the day, all reward amounts are at our discretion, but we aim to be fair. Some researchers won't agree with some of our decisions, but we're paying out to the best of our ethical ability and trust that the majority of researchers will consider their rewards fair and in many cases generous. We will adapt as the program continues.

Rewards Payout Range

The amounts listed here are the maximum we can pay for issues based on these severities. Purpose of this is provide you an idea of how we think about rewarding issues, at the end it all comes down to the underlying impact but at our discretion

  • Critical Security Issues ($5,000 - $10,000): Command injection, deserialisation bugs, sandbox escapes, remote code execution on a production server. Exposure of personally identifiable information (PII) customer IC numbers, driver images, licence numbers, location information or payment card information (PCI) like credit card numbers, bank account numbers etc. Potential access to source code.

  • High Security Issues ($1,000 - $5,000): Restricted or limited account takeover, vertical/horizontal privilege escalations, authorization checks allowing bypassing fraudulent transactions and/or leading to the exposure of personally Identifiable Information (PII)

  • Medium Security Issues ($200 - $1,000): Stored/DOM Cross-site Scripting (XSS), most Cross-site Request Forgery (CSRF) issues, access control issues which do not expose PII but affect other accounts, some account validation bypasses (being able to change driver picture, etc). Any vulnerability which allows the bulk lookup of user enumeration

In-Scope Vulnerability Classes

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Server-side Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Access Control Issues (Insecure Direct Object Reference issues, etc)
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Authorisation Issues

Out-of-Scope Vulnerabilities

This section contains issues that are not accepted under this program, because they are malicious and/or because they have low security impact and will be immediately marked as invalid.

The following findings are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Exposure of third-party API keys with no significant security impact (eg. Google Maps API keys)
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
  • Publicly accessible login panels without proof of exploitation.
  • Publicly editable Git Wiki.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Host header
  • Broken Links
  • HTTP codes/pages or other HTTP non- codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
  • CSV injection. Please see this article __.
  • Issues that require physical access to a victim’s computer.
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Login & Logout CSRF
  • Path Disclosure
  • WordPress username enumeration
  • Most issues dealing with HTTP transmission.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
  • Lack of Security Speed bump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • Content injection issues.
  • HTTPS Mixed Content Scripts
  • Content Spoofing without embedded links/html
  • Self-XSS that can not be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Reflected File Download (RFD).
  • XSS issues that affect only outdated browsers (like Internet Explorer)
  • Flashed based XSS (XSF)
  • Best practices concerns.
  • HTML Injection
  • window.opener-related issues.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Missing HTTP security headers __, specifically, For e.g.
  • Strict-Transport-Security
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  • Content-Security-Policy-Report-Only
  • Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL related issues
  • DNS issues (i.e. mx records, SPF records, etc.)
  • Server configuration issues (i.e., open ports, TLS, etc.)
  • Most vulnerabilities within our sandbox, uat, or staging environments.
  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honoured, including Internet Explorer all versions
  • Vulnerabilities involving active content such as web browser add-ons
  • Physical or social engineering attempts (this includes phishing attacks against Grab employees).
  • Recently disclosed 0day vulnerabilities. We need time to patch our systems just like everyone else - please give us two weeks before reporting these types of issues.
  • Microsites with little to no user data
  • Issues requiring user-interaction
  • Outdated Wordpress instances
  • Most brute forcing issues
  • Denial of service
  • Spamming

Out of Scope bugs for Android apps

  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation is out of scope
  • OAuth & App secret hard-coded/recoverable in APK
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection control in android app
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)

Out of Scope bugs for iOS apps

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • Lack of jailbreak detection is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)


  • Issues related to software not under Grab’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.
  • We don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.
  • Newly acquired sites are subject to a twelve-month blackout period. Bugs reported sooner are certainly appreciated but won't qualify for rewards.

FireBounty © 2015-2019

Legal notices