We are rapidly expanding our product offerings to our consumers. This growth is a win for everyone, but we want to ensure that our consumers remain safe on our platform. We take the security of our consumers very seriously and are thus taking steps to ensure we work closely with the broader security community to handle responsible disclosure of any bugs found on our platform.
Responsible disclosure benefits all parties involved. As a security researcher, it tells us that you are aware of the intricacies of running a large-scale, multi-product platform and are willing to give us a chance to rectify our bugs. Work with us and you will find a responsive team that is committed to resolving issues fast.
Rules of Engagement
We are very interested in hearing about any security issues on our apps or platform. We list a set of in-scope targets below and your bug reports should be related to one or more of these in-scope targets.
This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Please also note that we use the taxonomy as the benchmark for determining the Vulnerability Rating; however, we also apply our own Risk/Impact Rating. The final rating may be higher or lower than the one indicated in the taxonomy PDF.
| Technical severity | Reward range |
|---|---|
| P1 Critical | Starting at $5,000 |
| P2 Severe | $1,500 - $2,500 |
| P3 Moderate | $500 - $1,000 |
| P4 Low | $200 - $300 |
Targets
For this bounty program, only our Consumer Apps are in scope. There are two Consumer Apps, one for Android and one for iOS, and both are fair game. You can use the versions published in either of the app stores. Along with the apps, the domains that the apps talk to are also fair game. To be certain, the following domains are what we expect you to test against:
Third-party services
If you believe an issue with one of our third-party service providers is the result of Gojek’s misconfiguration or insecure usage of that service (or you’ve reported an issue affecting many customers of the service that you believe Gojek can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we’d appreciate your report regarding the issue.
Keep in mind that reports regarding third-party services are unlikely to be eligible for a reward, but they will receive kudos points.
Some features, such as transferring money between user accounts, require an Indonesian mobile phone number. We are currently not able to provide virtual numbers for testing, but we are working on a mechanism to allow Bugcrowd testers to bypass our SMS verification; we will update the program when this feature becomes available. Researchers can obtain an Indonesian phone number by signing up for an account with Nexmo, Twilio or a similar service. We use SMS messages to verify that you own the phone number you are registering with. Payment-related bugs are looked upon very favorably!
The GO-JEK Consumer app allows for self-registration. Please register for an account after downloading the app.
We're based in Indonesia, and all our services operate out of Indonesia. To help you along, keep a few things in mind:
- When you sign up with us please send us the email address that you used to sign up. We will credit you with some Indonesian currency with which you can embark on your payment testing journey.
- When you make a booking in the production app, your booking is sent to an actual human driver. Be mindful of this and be kind: this is their livelihood, so don't bomb the platform with bookings. We also have rate limiting in place to stop you from using up our entire driver supply.
- You must always make your bookings as if you are in Jakarta. You can do this by manually choosing or setting a pick-up location in our application. Alternatively, use the standard latitude and longitude for Jakarta: 6.1745° S, 106.8227° E.
- To keep things simple, you may want to use our office address as the destination for all of your ride, food and shopping bookings. Our office address is Pasaraya Mall, Jalan Iskandarsyah II, No 20.
- You may get suspended or blacklisted from our platform if your profile appears to be making too many fake bookings or has never completed a single booking. If this happens, you will receive an error when you try to make a booking. As soon as this happens, please get in touch with us, quoting the email address you used on our app, and we will remove the suspension.
We are happy for you to look over the entire suite of services that our Consumer App offers. We would, however, be particularly interested to find out what you can do on our payment platform. Anything around peer-to-peer transfer and withdrawal is of particular interest to us. Note that you will need an Indonesian phone number to transfer to and from.
Out of Scope
- Missing or incorrect SPF records of any kind
- Missing or incorrect DMARC records of any kind
- DoS and DDoS submissions are out of scope
If you are unsure whether a potential submission is in scope, first validate that the target is demonstrably owned by Go-Jek, and carefully read the "Out of Scope" and "Targets" sections. If it is still unclear but you believe it should be considered, please submit via the program ONLY (not through alternate channels such as email), and include a few sentences describing your judgement regarding scope. Submissions that demonstrate thoughtful consideration of scope but that we ultimately do not act on will receive a "Not Applicable" status, rather than "Out Of Scope" with negative points.
To request a wallet top-up, please make your submission first, then request the credit by leaving a note on it.
We will send you a form to fill in afterwards.
Send all your queries to firstname.lastname@example.org.