
Grab
External Program
Security is a top priority at Grab. We believe that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology.
If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue if it is found to be valid. You may not disclose any information about the issue outside of the program unless you receive explicit written consent from the Grab team.
Make a good-faith effort to ensure that there is no leak, manipulation, alteration, modification and/or destruction, in whatever manner, of any user data or Grab proprietary data. Please only test against accounts you own yourself or with the explicit permission of the account holder. Please refrain from automated/scripted account creation. In the event of a possible bulk enumeration of customer data, refrain from harvesting a large amount of information; a small sample is enough as a proof of concept.
By participating in this program, you agree to be bound by these rules.
Grab will only issue monetary rewards for reports demonstrating meaningful impact. This means, for example, that we will issue a relatively high reward for a vulnerability that has the potential to leak sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface a micro-site.
For this reason, we strongly encourage researchers to spend extra time to provide a realistic attack/threat scenario adapted to our business. This will increase the chance of receiving a higher bounty.
The following table outlines some example scenarios of vulnerabilities for in-scope assets. Note that all amounts listed in the Rewards section are the maximum we can pay for each issue based on their severities. All final decisions are at the discretion of Grab.
We try our best to cycle bounty payouts on Fridays.
| Severity | Examples (inspired from previous reports) |
|---|---|
| Critical | RCE on a Production server, Bulk personally identifiable information (PII) exposure [^], Access to source code |
| High | Restricted or limited account takeover, Vertical/horizontal privilege escalations, Authorization checks bypass allowing fraudulent transactions |
| Medium | SSRF without clear impact demonstration, Business logic error with monetary impact |
| Low | Stored/Reflected XSS with low impact (no sensitive data exfiltrated), Exposed logs without sensitive information, Exposed API keys with low privileges |
| None | Duplicate, N.A, Informational bug(s) |
Bounty payout range table (all amounts are in USD)
Note that asset severity can be used as a weightage for calculating the final bounty amount (please refer to the Scope section for more details).
[^] Including but not limited to: customer/driver name, email, address, IC number, driver photos, license plate numbers, location information, or payment card information (PCI) like credit card numbers, bank account numbers, etc.
Information Disclosure and Reward Policy
Grab values the contributions of security researchers in identifying vulnerabilities and safeguarding our platform. To ensure responsible reporting and fair recognition, the following guidelines apply to information leakage disclosures:
- Reports on information leakage involving actual employee domain accounts are typically rewarded with a token of appreciation of $50 USD for each unique case. For other types of cases, rewards will be determined at our discretion.
Note: Grab reserves the right to award bounties for cases demonstrating substantial impact.
Most information leakage issues are classified under Low Severity unless researchers can demonstrate a clear and significant impact. Examples of low-severity issues include, but are not limited to:
1. Leakage of non-sensitive public-facing information.
2. Discovery of outdated credentials or tokens that are no longer in use.
3. Misconfigured storage buckets containing non-sensitive data.
To ensure ethical and responsible disclosure, researchers are required to:
Any unauthorized exploitation or misuse of leaked information is strictly prohibited and may result in disqualification from the program.
Grab reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a reward under this program, you should:
Please note that the Grab Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates. We seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.
Newly acquired sites undergo an initial blackout period of sixteen months. While we greatly appreciate any bug reports submitted earlier, they will not be eligible for rewards during this period.
Note: For Mergers and Acquisitions (M&A) assets, until they are explicitly listed in the Scope section, we will only accept reports of critical and high-severity bugs. These reports may be considered for bounty rewards at the discretion of our security team, who will assess severity and reward amounts.
Our primary goal is to assess and address all reported vulnerabilities to enhance the safety of our platform. We highly value your patience and cooperation during this phase.
We need time to patch our systems just like everyone else: please give us two months before reporting these types of issues. We appreciate anyone raising awareness of new CVEs, but such reports will not qualify for a reward either.
Vulnerabilities affecting assets not listed as part of Grab's scope are not eligible for a bounty. If you find a vulnerability in a vendor or third-party that directly affects Grab, we will accept it and work with the third party on a best-effort basis to remediate the issue. However, in certain exceptional cases, if we decide to reward, the decision will be at our discretion.
As we continue to innovate and integrate advanced technologies into our services, we recognize the potential for new types of vulnerabilities. This includes those related to Large Language Models (LLMs). For any vulnerability related to LLMs, please adhere to the guidelines below:
Grab core properties and other assets usually experience a large amount of data traffic every day. During testing, kindly make sure to include a custom HTTP header in your requests, so that we can more easily distinguish activity from the HackerOne community from our normal traffic and from malicious actors out in the world. Please add the following when participating in and submitting reports to the Grab program:
| Identifier | Format | Examples |
|---|---|---|
| Username | X-Bug-Bounty:HackerOne- | X-Bug-Bounty:HackerOne-Th3Guardian |
| Testing Timestamp | X-Bug-Bounty:Timestamp- | X-Bug-Bounty:Timestamp-01-09-2022 23:49 |
Please always remember to abide by all program rules. To mitigate potential damage, stop further testing, report the matter to Grab and HackerOne immediately, and delete any related program data in your possession.
This section contains issues that are not accepted under this program, because they are malicious and/or because they have a low security impact; they will be immediately marked as invalid.
The following findings are specifically excluded from the bounty:
Please note that the rules, rewards, and assets in this Policy Page (https://hackerone.com/grab) supersede all previous versions and updates that may have been made in the past. All final decisions are at the discretion of Grab.
We are looking forward to seeing your reports. Happy hunting!
🚗 Grab Application Security Team 🚗