Reward

Bounty

$50 Low $100 Medium $800 High $2,500 Critical $5,000

Program

Avg reward -

Max reward -

Scopes12

Supported languagesEnglish

Hacktivity

Reports394

1st response < 1 day

Reports last 24h3

Reports last week12

Reports this month46

Program description

Gojek

Gojek is rapidly expanding product offerings to our consumers. This growth is a win for everyone, but we want to ensure that our consumers remain safe on our platform. We take the security of our consumers very seriously and are thus taking steps to ensure we work closely with the broader security community to handle responsible disclosure of any bugs found on our platform.

We look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Program Rules

At Gojek, we recognize the important role that security researchers play in helping to keep Gojek and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which is defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Denial of service (DoS) attacks on Gojek applications, servers, networks or infrastructure are strictly forbidden.

• Avoid tests that could cause degradation or interruption of our services.

• Do not use automated scanners or tools that generate large amount of network traffic.

• Only perform tests against your own accounts to protect our users' privacy.

• Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.

• Do not copy any files from our applications/servers and disclose them.

• No vulnerability disclosure, full, partial or otherwise, is allowed.

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of Gojek, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.

• The vulnerability must be a qualifying vulnerability (see below).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• The report must contain the following elements:

• Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Gojek, and remediation advice on fixing the vulnerability

• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

• Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact

• Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc

• You must not break any of the testing policy rules listed above

• You must not be a former or current employee of Gojek or one of its contractors.

• We have 30 days delay for a CVE in order to be eligible for reward.

Recent CVE 30 Days Delay

To ensure we have reasonable time to patch recently released Common Vulnerabilities and Exposures (CVEs), any vulnerability based on a CVE released within the last 30 days will not be eligible for a bounty until after this period, This delay allows us to adequately assess, test, and deploy patches for newly disclosed vulnerabilities.

Reward amounts

Reward and amount will be decided based on Gojek Security team discretion. We will give our best to assess the vulnerability and use CVSS scoring and actual business impact of the vulnerability upon performing risk analysis.

Special Situations

Some situations exist that may earn partial bounties or bonuses on top of a base bounty per report.

Here are a few of the most common examples:

• Same vulnerability, on different paths or hosts:

If you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. We will award an additional 5% bonus per path / per host for any valid ones you've included in the report. However, if you subsequently identify the same vulnerability on a different path / host on a new report submission, such reports will be treated as a duplicate. This is to allow Gojek sufficient time to patch the related paths.

• Same Payload, Different Parameter

In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.

• All vulnerabilities found in the staging environment will be out of scope (staging domain could be indicated by words like test/integration/staging, etc).

Third-Party Services

If you believe an issue with one of our third-party service providers is the result of Gojek’s misconfiguration or insecure usage of that service (or you’ve reported an issue affecting many customers of the service that you believe Gojek can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we’d appreciate your report regarding the issue.

Keep in mind that any reports regarding third-party services are likely to not be eligible for a reward.

Scope

Valid submissions for the assets in the ‘Scope’ section will be rewarded accordingly in this bug bounty program.

Please note that we cannot promise you a bounty for valid report submissions that are outside of the in-scope assets. However, in certain exceptional cases, if we decide to reward, the decision will be at our discretion and it won’t probably go higher than a Tier 2 Medium bounty.

Focus Areas

We are happy for you to look over the entire suite of services that our Consumer App offers.

We would, however, be very interested to find out what you can do on our payment platform.

Anything around peer to peer transfer and withdrawal is particularly interesting for us.

Note that you will need an Indonesian phone number to transfer to and from.

Safe Harbor

Any activities in relation to your participation in this program conducted in a manner with full submission and compliance with this Policy Page will be considered authorized conduct and we will not initiate or suggest legal action against you.

If legal action is initiated by a third party against you in connection with your participation in this program, provided that you have fully submitted and complied with this program’s Policy Page, we will make it known that your actions were conducted pursuant to this program and have complied with the Policy Page.

Thank you for helping keep Gojek and our users safe!

FAQ

Q: I want swag, how do I get it?

A: Unfortunately, Gojek does not currently offer any swag.

Q: Can Gojek provide me with a pre-configured test account?

A: As of now, Gojek doesn’t provide any test accounts.

Q: Can we test Gojek Apps outside of the operating country?

A: Yes, we would love to have you participate.

Reward

Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical | Critical | $100 | $800 | $2,500 | $5,000 | High | $50 | $400 | $800 | $2,000 | Medium | $50 | $300 | $500 | $1,000 |

Scopes

Scope | Type | Asset value | Expand rewards grid | *.gojekapi.com | Wildcard | Critical | | Low $100

Medium $800

High $2,500

Critical $5,000

| api.gojek.co.id | API | Critical | | Low $100

Medium $800

High $2,500

Critical $5,000

| https://play.google.com/store/apps/details?id=com.gojek.app | Mobile application Android | Critical | | Low $100

Medium $800

High $2,500

Critical $5,000

| https://apps.apple.com/id/app/gojek/id944875099 | Mobile application IOS | Critical | | Low $100

Medium $800

High $2,500

Critical $5,000

| gofood.co.id | Web application | High | | Low $50

Medium $400

High $800

Critical $2,000

| api.gobiz.co.id | API | High | | Low $50

Medium $400

High $800

Critical $2,000

| *.gofood.co.id | Wildcard | Medium | | Low $50

Medium $300

High $500

Critical $1,000

| *.gobiz.co.id | Wildcard | Medium | | Low $50

Medium $300

High $500

Critical $1,000

| portal.gofoodmerchant.co.id | Web application | High | | Low $50

Medium $400

High $800

Critical $2,000

| *.gojek.com | Wildcard | Medium | | Low $50

Medium $300

High $500

Critical $1,000

| *.golabs.io | Wildcard | Medium | | Low $50

Medium $300

High $500

Critical $1,000

| *.gofoodmerchant.co.id | Wildcard | Medium | | Low $50

Medium $300

High $500

Critical $1,000

|

Out of scopes

• Any staging environment will be out of scope (staging domain could be indicated by words like test/integration/staging, etc)
• All other Goto assets not listed above are to be considered as out of scope

Vulnerability types

Qualifying vulnerabilities

• Cross-Origin Resource Sharing (CORS)/Cross-site Request Forgery (CSRF) with real security impact
• Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
• Business logic vulnerability with real security impact
• Authentication bypass & broken authentication
• Horizontal and vertical privilege escalation
• Insecure Direct Object References (IDOR)
• Code injections (JS, SQL, PHP, ...)
• Remote Code Execution (RCE)
• Cross-Site Scripting (XSS)

Non-qualifying vulnerabilities

• Broken Link/Social media Hijacking
• Tabnabbing
• Missing cookie flags
• Content/Text injections
• Clickjacking/UI redressing
• Denial of Service (DoS) attacks
• Recently disclosed CVEs (less than 30 days sinces patch release)
• CVEs without exploitable vulnerabilities and PoC
• Open ports or services without exploitable vulnerabilities and PoC
• Social engineering of staff or contractors
• Presence of autocomplete attribute on web forms
• Vulnerabilities affecting outdated browsers or platforms
• Self-XSS or XSS that cannot be used to impact other users
• Any hypothetical flaw or best practices without exploitable vulnerabilities and PoC
• SSL/TLS issues (e.g. expired certificates, best practices)
• Unexploitable vulnerabilities (e.g. Self-XSS, XSS or Open Redirect through HTTP headers...)
• Reports with attack scenarios requiring MITM or physical access to victim's device
• Missing security-related HTTP headers which do not lead directly to an exploitable vulnerability and PoC
• Low severity Cross-Site Request Forgery (CSRF) (e.g. Unauthenticated / Logout / Login / Products cart updates...)
• Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
• Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
• Disclosure of information without exploitable vulnerabilities and PoC (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets, EXIF Metadata, Origin IP)
• CSV injection
• Malicious file upload (e.g. EICAR files, .EXE)
• HTTP Strict Transport Security Header (HSTS)
• Subdomain takeover
• Blind SSRF without exploitable vulnerabilities and PoC (e.g. DNS & HTTP pingback, Wordpress XMLRPC)
• Lack or bypass of rate-limiting, brute-forcing or captcha issues
• User enumeration (e.g. email, alias, GUID, phone number, common CMS endpoints)
• Weak password policies (e.g. length, complexity, reuse)
• Ability to spam users (email / SMS / direct messages flooding)
• Disclosed or misconfigured public API keys (e.g. Google Maps, Firebase, analytics tools...)
• Password reset token sent via HTTP referer to external services (e.g. analytics / ads platforms)
• Pre-account takeover (e.g. account creation via oAuth)
• GraphQL Introspection is enabled
• Reports with attack scenarios requiring MITM or physical access to victim's device
• Exploits that are only possible on Android version 7 and below
• Exploits that are only possible on IOS version 10 and below
• Exploits that are only possible on a jailbroken device
• Generic Android or iOS vulnerabilities

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:

More info

Type of leak Source of leak is in-scope Source of leak belongs to the Organization and is out-of-scope Source of leak does not belong to the Organization and is out-of-scope

Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible Not eligible Not eligible

Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible Not eligible Not eligible

Hunting requirements

Account access

No test accounts will be provided.

You can download our consumer app from the [https://play.google.com/store/apps/details?id=com.gojek.app&hl=en&gl=US](Google Play Store) or [https://apps.apple.com/us/app/gojek/id944875099](Apple App Store).

The Gojek Consumer app allows for self-registration. You may sign up for an account with your own phone number.

We operate in Indonesia, Singapore, Vietnam and Thailand.

Note: You may get suspended or blocklisted from our platform if we see your profile as one that is making too many fake bookings or one that is not making a single completed booking or for any rate limiting issues as part of our controls.

User agent

Please append to your user-agent header the following value: ' X-YesWeHack-Research: [Your YWH Username] '.

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see [https://helpcenter.yeswehack.io/hunter/hunter-collaboration](help center). Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account. /programs/gojek-bug-bounty-program/create-report