Grab
Updates

27/12/2019 - We have updated our Policy page with an overhauled design. We hope this provides everyone a clearer and more concise representation of our program.

25/12/2019 - 🎄Holiday notice: some of our Triage team members are not available from December 20th through January 3rd. As a result, our response time may be longer than usual. The team wishes you all happy holidays and happy hacking! 🎄


Foreword

Security is a top priority at Grab. We believe that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology.

If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Coordinated disclosure rules

Please let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to correct the issue quickly. Give us a reasonable amount of time to fix the issue before publishing it elsewhere.

Make a good-faith effort not to leak, manipulate, or destroy any user data. Only test against accounts you own yourself or have explicit permission from the account holder to use. Refrain from automated/scripted account creation. In the event of a possible bulk enumeration of customer data, refrain from harvesting large amounts of information; a small sample is enough as a proof of concept.

By participating in this program, you agree to be bound by these rules.

Rewards

Grab will only issue monetary rewards for reports demonstrating meaningful impact. This means, for example, that we will issue a relatively high reward for a vulnerability that has the potential to leak sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface a micro-site.

For this reason, we strongly encourage researchers to spend extra time providing a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.

The following table outlines the nominal rewards, with example scenarios of vulnerabilities for in-scope assets. Note that all amounts listed here are the maximum we can pay for each issue at a given severity. All final decisions are at the discretion of Grab.

We try our best to cycle bounty payouts on Fridays.

Severity | Examples (inspired from previous reports) | Payout Range [1]
---|---|---
Critical | RCE on a production server, bulk personally identifiable information (PII) exposure [2], access to source code | 🎉$5,000 - $10,000
High | Restricted or limited account takeover, vertical/horizontal privilege escalation, authorization check bypass allowing fraudulent transactions | $2,000 - $5,000
Medium | SSRF without clear impact demonstration, business logic error with monetary impact | $500 - $2,000
Low | Stored/reflected XSS with low impact (no sensitive data exfiltrated), exposed logs without sensitive information, exposed API keys with low privileges | $50 - $500
None | Duplicate, N/A, informational bug(s) | 😞 $0

~ Bounty payout range table (all amounts are in USD) ~

We sometimes award a small bonus to reports (and/or researchers) meeting certain criteria, such as originality, clarity, or an overall professional attitude demonstrated by the reporter.

[1] Asset severity can be used as a weighting when calculating the final bounty amount (please refer to the Scope section for more details).

[2] Including but not limited to: customer/driver names, email addresses, postal addresses, IC numbers, driver photos, licence plate numbers, location information, or payment card data such as credit card numbers and bank account numbers.

Report Eligibility

Grab reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a reward under this program, you should:

  • Be the first to report a specific vulnerability.
  • Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
  • Disclose the vulnerability report directly and exclusively to us. Public disclosure, or disclosure to other third parties (including vulnerability brokers) before we have addressed your report, will forfeit the reward. Please read and follow HackerOne's Vulnerability Disclosure Guidelines.

Known issues

Please note that the Grab Security Team also actively looks for vulnerabilities across all assets internally. Reported issues that are already known to us will be closed as duplicates.
We ask that you respect our final decision and refrain from renegotiating once the decision has been made.

Acquisitions

Newly acquired sites are subject to a twelve-month blackout period. Bugs reported sooner are certainly appreciated but will not qualify for rewards.

Domain | Date Added | Blackout end
---|---|---
kios.grab.com | 06 Oct 2019 | 05 Oct 2020

Recently disclosed 0-day vulnerabilities

We need time to patch our systems just like everyone else; please give us two months before reporting these types of issues. We appreciate anyone raising awareness of new CVEs, but such reports will not qualify for a reward either.

Vulnerabilities found in third-party/vendors

Vulnerabilities affecting assets not listed as part of Grab's scope are not eligible for a bounty. If you find a vulnerability in a vendor or third party that directly affects Grab, we will accept it and work with the third party on a best-effort basis to remediate the issue.
In exceptional cases we may decide to reward such a report; that decision is at our discretion.


Out-of-Scope Vulnerabilities

This section lists issues that are not accepted under this program, either because testing for them is harmful or because they have low security impact. Such reports will be immediately marked as invalid.

The following findings are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Exposure of third-party API keys with no significant security impact (eg. Google Maps API keys)
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
  • Publicly accessible login panels without proof of exploitation.
  • Publicly editable Git Wiki.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Host header injection
  • Broken links
  • HTTP error codes/pages or other non-success HTTP codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
  • CSV injection. Please see this article.
  • Issues that require physical access to a victim’s computer.
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Login & Logout CSRF
  • Path Disclosure
  • WordPress username enumeration
  • Most issues dealing with HTTP transmission.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
  • Lack of a security speed bump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • Content injection issues.
  • HTTPS Mixed Content Scripts
  • Content Spoofing without embedded links/html
  • Self-XSS that can not be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Reflected File Download (RFD).
  • XSS issues that affect only outdated browsers (like Internet Explorer)
  • Flashed based XSS (XSF)
  • Best practices concerns.
  • HTML Injection
  • window.opener-related issues.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Missing HTTP security headers, for example:
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL related issues
    • DNS issues (e.g. MX records, SPF records)
    • Server configuration issues (e.g. open ports, TLS)
  • Most vulnerabilities within our sandbox, uat, or staging environments.
  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honoured, including Internet Explorer all versions
  • Vulnerabilities involving active content such as web browser add-ons
  • Physical or social engineering attempts (this includes phishing attacks against Grab employees).
  • Microsites with little to no user data
  • Issues requiring user-interaction
  • Outdated WordPress instances
  • Most brute forcing issues
  • Denial of service
  • Spamming

Out of Scope bugs for Android apps

  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation
  • OAuth & app secrets hard-coded/recoverable in the APK
  • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in the app's private directory
  • Lack of binary protection controls in the Android app
  • Runtime hacking exploits using tools such as (but not limited to) Frida/AppMon (exploits only possible in a rooted environment)

Out of Scope bugs for iOS apps

  • Lack of exploit mitigations (e.g. PIE, ARC, or stack canaries)
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation
  • Lack of jailbreak detection
  • OAuth & app secrets hard-coded/recoverable in the IPA
  • Crashes due to malformed URL schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/pasteboard leakage
  • Runtime hacking exploits using tools such as (but not limited to) Frida/AppMon (exploits only possible in a jailbroken environment)

Please note that the rules, rewards, and assets on this Policy Page (https://hackerone.com/grab) supersede all previous versions and updates that may have been made in the past. All final decisions are at the discretion of Grab.

We are looking forward to seeing your reports,
Happy hunting !

🚗 Grab Application Security Team 🚗

In Scope

Scope Type | Scope Name
---|---
android_application | com.grabtaxi.passenger
android_application | com.grabpay.merchant
android_application | com.grab.merchant
web_application | *.myteksi.com
web_application | api.grabpay.com
web_application | p.grabtaxi.com
web_application | wiki.grab.com
web_application | jira.grab.com
web_application | manage.grab.co
web_application | drive.grab.co
web_application | gamma.grab.co
web_application | *.myteksi.net
web_application | *.grab.com
web_application | xtramile.grabpay.com
web_application | *.grabpay.com
web_application | grab.careers
web_application | *.grab.co
web_application | *.grabtaxi.com
web_application | mos.grabpay.com

Out of Scope

Scope Type | Scope Name
---|---
ios_application | kios.grab.com
web_application | parcel.grab.com


Firebounty crawled the Grab program on the HackerOne platform on 2017-07-12.

FireBounty © 2015-2020