Program stats

19 vulnerabilities rewarded

Validation within 7 days: 75% of submissions are accepted or rejected within 7 days

$1,700 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

We are rapidly expanding our product offerings to our consumers. This growth is a win for everyone, but we want to ensure that our consumers remain safe on our platform. We take the security of our consumers very seriously and are thus taking steps to ensure we work closely with the broader security community to handle responsible disclosure of any bugs found on our platform.

Responsible disclosure benefits all parties involved. As a security researcher, it tells us that you are aware of the intricacies of running a large-scale, multi-product platform and are willing to give us a chance to rectify our bugs. Work with us and you will find a responsive team that is committed to resolving issues fast.

Rules of Engagement

We are very interested in hearing about any security issues on our apps or platform. We list a set of in-scope targets below and your bug reports should be related to one or more of these in-scope targets.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Please also note that we use the VRT as the benchmark for determining the vulnerability rating; however, we also apply our own risk/impact rating. The final rating may be higher or lower than the rating indicated in the VRT PDF document.

Targets

For this bounty program, only our Consumer Apps are in scope. There are two Consumer Apps, one for Android and one for iOS, and both are fair game. Use the versions published in the respective app stores. Along with the apps, the domains that the apps talk to are also fair game. To be explicit, the following domains are the ones we expect you to test against:

  • api.gojek.co.id
  • *.gojekapi.com

Access

Some features, such as transferring money between user accounts, require an Indonesian mobile phone number. We are currently not able to provide virtual numbers for testing, but we are working on a mechanism that allows testers from Bugcrowd to bypass our SMS verification feature; we will update the program when this feature becomes available. In the meantime, researchers can obtain an Indonesian phone number by signing up for an account with Nexmo, Twilio or a similar service. We use SMS messages to verify that you own the phone number you are registering with. Payment-related bugs are looked upon very favorably!

Credentials

The GO-JEK Consumer app allows for self-registration. Please register for an account after downloading the app.

Effective Testing

We're based in Indonesia, and all our services are based out of Indonesia. To help you along, keep a few things in mind:

  • When you sign up with us, please send us the email address that you used to sign up. We will credit your account with some Indonesian currency with which you can embark on your payment testing journey.
  • When you make a booking in the production app, your booking is sent to an actual physical, human driver. Be wary of this and be kind. This is their livelihood, so don't bomb the platform with bookings. We also have rate limiting in place to stop you from using up our entire driver supply.
  • You will always have to make your bookings by simulating that you are in Jakarta. You can do this by manually choosing or setting a pick-up location in our application. Alternatively, use the standard latitude and longitude for Jakarta: 6.1745° S, 106.8227° E.
  • To keep things simple, you may want to use our office address as the destination for all of your ride, food and shopping bookings. Our office address is Pasaraya Mall, Jalan Iskandarsyah II, No 20.
  • You may get suspended or blacklisted from our platform if we see your profile as one that is making too many fake bookings or one that has not made a single completed booking. If this happens, you will receive an error when you try to make a booking. As soon as this happens, please get in touch with us, including the email address you used on our app, and we will remove the suspension.

Focus Areas

We are happy for you to look over the entire suite of services that our Consumer App offers. We would, however, be particularly interested to find out what you can do on our payment platform. Anything around peer-to-peer transfer and withdrawal is of special interest to us. Note that you will need an Indonesian phone number to transfer to and from.

Rewards

  Priority   Reward ($)
  P1         $5000
  P2         $1500 - $2500
  P3         $500 - $1000
  P4         $200 - $300

Contacting Us

To request a top-up of your wallet, please fill in this form:
https://goo.gl/forms/HUFo3Nsh8EOuxaPG2

Send all your queries to bugcrowd@go-jek.com.

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.