
Bykea
Bounty Range
Up to $350
external program
Program guidelines
Fast Payment: Ensures payment within 1 month of receiving a vulnerability report. [Learn more](https://docs.hackerone.com/en/articles/8490833-security-page#h_9c1fc6b7c0)
Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor. [Learn more](https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement)
Platform Standards: Fully compliant with Platform Standards. [Learn more](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8)
Coordinated Vulnerability Disclosure: Standard. [Learn more](https://docs.hackerone.com/en/articles/9829406-coordinated-vulnerability-disclosure)
Top Response Efficiency: This program's response efficiency is above 90%. [Learn more](https://docs.hackerone.com/en/articles/8490880-response-target-indicators)
Collaboration EnabledIncludes Retesting
4 hours Average time to first response
7 hours Average time to triage
2 days, 9 hours Average time to bounty
2 days, 16 hours Average time from submission to bounty
2 months, 5 days Average time to resolution
Last updated on January 30, 2026. [View changes](/bykea/bounty_table_versions)
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.

| Severity | Avg. bounty (90 days) | Share of submissions |
| --- | --- | --- |
| Low | $80 | 55.68% |
| Medium | $100 | 21.59% |
| High | n/a | 20.45% |
| Critical | n/a | 2.27% |

Reward ranges per severity (Low / Medium / High / Critical) depend on the asset tier: $50 / $100–$200 / $750–$1,500 / $2,000–$5,000 for the main-tier assets, and — / $50 / $100–$300 / $350–$600 for the lower-tier assets listed in the asset table.
| Asset | Asset type | Low | Medium | High | Critical |
| --- | --- | --- | --- | --- | --- |
| com.bykea.pk | GOOGLE-PLAY-APP-ID | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| com.bykea.pk.partner | GOOGLE-PLAY-APP-ID | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| 1351179184 | APPLE-STORE-APP-ID | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| https://tomoe.bykea.net | URL | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| https://api.bykea.net | URL | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| https://kronos*.bykea.net | WILDCARD | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| https://loadboard*.bykea.net/ | WILDCARD | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| https://raptor*.bykea.net | WILDCARD | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| *.bykea.net | WILDCARD | $50 | $100–$200 | $750–$1,500 | $2,000–$5,000 |
| https://googleplace*.bykea.net | WILDCARD | — | $50 | $100–$300 | $350–$600 |
| https://geocode-beta.bykea.net | URL | — | $50 | $100–$300 | $350–$600 |
| https://maps.bykea.net | URL | — | $50 | $100–$300 | $350–$600 |
| https://bykea.com | URL | — | $50 | $100–$300 | $350–$600 |
| https://leaflet-map.bykea.net | URL | — | $50 | $100–$300 | $350–$600 |
| https://nominatim.bykea.net | URL | — | $50 | $100–$300 | $350–$600 |
| https://test.bykea.net | WILDCARD | — | $50 | $100–$300 | $350–$600 |
Our rewards align with CVSS severity ratings, serving as general guidelines. Reward decisions rest with Bykea, subject to business considerations.
Core Ineligible Findings are out of scope. [Learn more](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)
This program has committed to awarding the submissions below:
Bounty awards for discovered leaked credentials
Check https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_83c05e1cc8 for the full Exemplary Standards page list.
Last updated on January 30, 2026. [View changes](/bykea/policy_versions)
Bykea looks forward to working with the security community to find security vulnerabilities to keep our businesses and customers safe.
Kindly review the rules set forth on this page before testing and submitting a report to us.
Before initiating any testing activities, please review and adhere to the following guidelines to ensure a smooth testing process:
Location and Emulation: For test execution, it is essential to use an Android emulator and configure your location to "Sibi, Pakistan." Maintaining this specific location throughout the testing process is crucial for the app to function correctly.
Respect Ride Ownership: During testing, please refrain from accepting booking requests that are not your own, especially those belonging to genuine customers. Interact only with rides that you have initiated for testing purposes.
Credential Claiming: Hackers with Signal 3 or higher can directly claim testing credentials from the Credentials tab. If your Signal is lower, you may still request credentials by emailing us your username at mailto:[email protected], provided you have at least one valid submission or experience in mobile app testing. Please note, the provided credentials use a hardcoded 4-digit OTP, while real-world scenarios generate OTPs dynamically per request.
Reporting Issues or Blocks: If you encounter any issues or face blockages while conducting your tests, do not hesitate to contact us at mailto:[email protected]. Our team is available to assist you in resolving any challenges you may encounter.
Compliance and Integrity: It is imperative that all participants adhere to these terms and maintain the highest level of integrity during testing. **Any violations of these terms or the discovery of fraudulent activity associated with the provided credentials may result in your removal from the program.**
HackerOne Identification: To assist us in identifying traffic originating from HackerOne, adhere to the following measures:
Please limit the rate of your requests to below 5 requests per second.
Include an X-Bug-Bounty header in all your requests, with the value in the format h1-username. This enables us to distinguish traffic generated by HackerOne from other sources.
Updates Subscription: For updates, please subscribe to our [WhatsApp @BykeaSecurity](https://whatsapp.com/channel/0029VavtnhsDDmFLmbR25d07) and [Telegram @BykeaSecurity](https://t.me/BykeaSecurity) channels.
1. Critical Technical Vulnerabilities: We prioritize issues like Remote Code Execution (RCE), SQL Injection (SQLi/NoSQLi), and similar high-impact threats.
2. Business Logic Errors: Detect flaws such as authorization bypass, improper access controls, and vulnerabilities in key workflows that lead to unauthorized actions.
3. Digital Wallet Security: Pinpoint vulnerabilities in our wallet system like transaction issues, insecure data storage, and unauthorized fund access.
4. PII Exposure: Spotlight risks that cause exposure of sensitive user details like names, emails, passwords, and financial data.
5. Reputation & Financial Impact: Identify threats with potential harm to our reputation or finances, including data breaches or unauthorized disclosures.
When reporting, provide details on (1) exploitability and (2) security impact. All impactful vulnerabilities, justified by their impact, should be submitted for review.
The following issues are considered out of scope:
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).
CORS with no sensitive information in response
Clickjacking and issues only exploitable through clickjacking.
CSRF with minimal security implications (Logout CSRF, etc.).
Comma Separated Values (CSV) injection without demonstrating vulnerability.
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Cloudflare WAF bypass without impact or demonstration of an actual vulnerability
Missing security headers
Session Management, such as session timeout, session hijacking, etc.
Missing or broken social media links
Username/email enumeration
Reports that state that software is out of date/vulnerable without a proof of concept
Sensitive data in URLs/request bodies when protected by SSL/TLS
Attacks requiring MITM or physical access to a user's device.
Issues that require unlikely user interaction.
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
Missing security configurations or misconfigurations without being able to demonstrate any impact.
Rate limiting issues are typically considered out of scope (OOS) unless a significant impact is demonstrated.
Promo code/gift card enumerations
Tabnabbing
Self-XSS
SSL Issues
Absence of certificate pinning.
Inadequate root/jailbreak prevention/detection in the app.
Exploits using tools such as Frida with unlikely possible user end exploitation.
Path disclosure in the binary
Lack of exploit mitigations (e.g., PIE, ARC, or stack canaries)
Lack of binary protection (anti-debugging) controls
Sensitive data stored unencrypted on filesystem/external storage.
Shared links leaked through the system clipboard.
Any URIs leaked because a malicious app has permission to view URIs opened.
Sensitive data in URLs/request bodies when protected by TLS.
Lack of obfuscation.
Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver components (exploiting these for sensitive data leakage is in scope)
Social engineering (e.g. phishing, vishing, smishing) is prohibited and we will take strict actions as it is a violation of the safe harbor policy.
DoS/DDOS attacks are also explicitly prohibited and considered a violation of the safe harbor policy.
Please follow Testing Guidelines and Procedures to conduct any active testing.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. Don’t leave any system in a more vulnerable state than you found it.
Vulnerabilities sharing the same type and occurring on the same endpoint will be deemed duplicates.
If a universal vulnerability has been previously reported and acknowledged by our security team (in private h1 report discussion or in public) as a mass vulnerability, subsequent reports of this issue on different endpoints will also be classified as duplicates.
Vulnerabilities that have been identified and flagged internally are considered duplicate reports. Such issues are ineligible for bounty rewards, regardless of their severity, as they are already in the pipeline for fixing or documented in our internal tracking systems.
Respect our users’ privacy. If you encounter user information during your research:
Stop right there. Actions taken beyond this are not authorized.
Report this immediately to our team so we can investigate.
Do not save, copy, store, transfer, disclose, or otherwise retain the information.
To be eligible to participate in our BBP Program, you must also
Not be employed by Bykea or be in any working capacity with Bykea
Not violate any national, state, or local law or regulation concerning any activities directly or indirectly related to the BBP Program.
Before submitting CVEs, please make sure that at least 45 days have passed since the CVE was published.

| Stage | Time |
| --- | --- |
| First Response | 1–2 days |
| Triage | 1–3 days |
| Bounty | 1–7 days |
| Resolution | Depends on complexity and business impact |
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).
In recognition of your valuable contribution to our security, we offer rewards for the discovery of vulnerabilities.
Our reward decisions will be processed within a maximum of 14 days after an initial assessment, although we aim to complete the process much sooner. You will receive a notification on your bug report confirming the validation of the reported vulnerability and the corresponding reward.
Reward payments will be facilitated through HackerOne (https://docs.hackerone.com/hackers/payments.html). Your efforts play a crucial role in enhancing our security posture, and we appreciate your commitment to making our systems more secure.

| Vulnerability | Bounty | Severity |
| --- | --- | --- |
| Full Remote Code Execution (RCE) and Command Injection | $5,000 | Critical |
| Injections (SQLi leading to full DB sensitive data disclosure) | $2,000 | Critical |
| Insecure deserialization issues leading to RCE | $750–$5,000 | High – Critical |
| SSRF, non-blind (with the ability to read reply text), except dedicated proxies (if leveraged to AWS infra and RCE then max bounty) | $750–$5,000 | High – Critical |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of sensitive application or infrastructure data (infrastructure compromise like admin access to AWS will be eligible for max reward) | $750–$5,000 | High – Critical |
| Admin/support interface authentication bypass with full access | $1,200 | Critical |
| Local file access and manipulation (LFR, RFI) without jail/sandbox/chroot/file type restrictions | $1,000 | High |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of personal or highly confidential data (at least 1,000 records of PII, e.g. sessions, accounts, passwords, credit cards, e-mail messages) | $750 | High |
| Customer or driver auth bypass or account takeovers | $750 | High |
| Admin/support interface blind XSS | $750 | High |
| Reflected Cross-Site Scripting (XSS) with demonstrable impact | $100 | Medium |
| Stored Cross-Site Scripting (XSS) with potential impact | $150 | Medium |
| Blind SSRF (without exfiltrating sensitive data or executing actions, yet demonstrating impact) with dedicated proxies | $50–$100 | Low – Medium |
| Subdomain takeovers | $50 | Low |
[See all hackers](/bykea/thanks)
1. sameer_ali (Reputation: 441)
2. bugbountywithmarco (Reputation: 214)
3. doyouevengetpaid (Reputation: 150)
4. grassye (Reputation: 140)
5. back2arie (Reputation: 75)
6. mrrhacker (Reputation: 61)
7. marvelmaniac (Reputation: 59)
8. karal (Reputation: 44)
9. albatraoz (Reputation: 32)
10. jeyabalaji711 (Reputation: 22)
11. 0xgalal (Reputation: 22)
12. savitar0x01 (Reputation: 22)
Bykea
https://bykea.com | https://x.com/bykeapk
Bykea is an all-in-one app, helping to transform transportation and logistics through a technology-enabled platform based in Pakistan. Bug Bounty Program launched in Dec 2024.
Response efficiency: 100%

| Severity | Reward range (all assets) |
| --- | --- |
| Low | $50 |
| Medium | $50–$200 |
| High | $100–$1,500 |
| Critical | $350–$5,000 |

| Metric | Value |
| --- | --- |
| Total bounties paid | >$10,000 |
| Average bounty range | $50–$100 |
| Top bounty range | $350–$2,000 |
| Bounties paid (90 days) | $1–$5,000 |
| Reports received (90 days) | 197 |
| Last report resolved | 6 days ago |
| Reports resolved | 111 |
| Hackers thanked | 74 |
| Assets in scope | 16 |
© HackerOne