Ant Group Security Response Center - Bug Bounty Program
Headquartered in Singapore, Ant International powers the future of global commerce with digital innovation that lets everyone and every business thrive. In close collaboration with partners, we support merchants of all sizes worldwide in realizing their growth aspirations through a comprehensive range of tech-driven digital payment and financial services solutions. Ant International pays special attention to the security of its products and business. We are well aware that discovering vulnerabilities takes a long time and tedious work. We promise that each reported issue will be assigned a dedicated staff member to ensure timely communication and proper handling. Meanwhile, we will show our gratitude with rewards to those who help improve the enterprise security of Ant International.
Ant Group looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. If you believe you have discovered a vulnerability, kindly disclose it to us responsibly via MySRC (https://mysrc.group/home).
Submission Requirements
For all submissions, please add the tag [YWH] to your report title, as in the example below.
Example title: [YWH] SQLI on example.net at /example/register
Contact AntSRC
For any questions or clarifications, you may contact the Ant Group Security Response Center at antsrc@service.alipay.com.
Other links:
- Ant Group Security Response Center
- WeChat Account ID: antsrc_xiaofen
- DingDing Talk ID: afsrc007
- Twitter: My Security Response Center
Reward
Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
---|---|---|---|---
 | $80 | $250 | $1,100 | $2,500
Scopes
Scope | Type | Asset value
---|---|---
In-Scope Applications can be found here: https://mysrc.group/project_detail?id=11 | other |
Out of scope
- All domains or subdomains not listed in the above list of 'Scopes'.
- Third-party applications and websites not belonging to Ant Group's products or systems.
Vulnerability types
Qualifying vulnerabilities
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Remote Code Execution (RCE)
- Insecure Direct Object Reference (IDOR)
- Horizontal and vertical privilege escalation
- Authentication bypass & broken authentication
- Business Logic Errors vulnerability with real security impact
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Cross-Origin Resource Sharing (CORS) with real security impact
- Cross-site Request Forgery (CSRF) with real security impact
- Open Redirect
- Exposed administrative panels without strong protection
- Directory Traversal Issues
- Local File Disclosure (LFD)
- Large-scale leakage of users' sensitive information
- Large-scale leakage of order details
Non-qualifying vulnerabilities
- Tabnabbing
- Missing cookie flags
- Content/Text injections
- Mixed content warnings
- Clickjacking/UI redressing
- Denial of Service (DoS) attacks
- Known CVEs without working PoC
- Open ports without real security impact
- Social engineering of staff or contractors
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers or platforms
- Self-XSS or XSS that cannot be used to impact other users
- Outdated libraries without a demonstrated security impact
- Any hypothetical flaw or best practices without exploitable PoC
- Expired certificate, best practices and other related issues for TLS/SSL certificates
- Unexploitable vulnerabilities (e.g. XSS or Open Redirect in the HTTP Host header)
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
- Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
- Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
- Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
- CSV injection
- HTTP Strict Transport Security Header (HSTS)
- Subdomain takeover without a full working PoC
- Blind SSRF without direct impact (e.g. DNS pingback)
- Lack of rate-limiting, brute-forcing or captcha issues
- User enumeration (email, alias, GUID, phone number)
- Password requirements policies (length / complexity / reuse)
- Ability to spam users (email / SMS / direct messages flooding)
- Disclosed / misconfigured Google API key (including Google Maps)
- Recently disclosed 0-day vulnerabilities (less than 90 days since patch release)
- Password reset token leak to a trusted third-party website via the Referer header (e.g. Google Analytics, Facebook, ...)
Hunting requirements
Account access
To expand its community of researchers and recruit global talent, Ant Group Security Response Center is partnering with YesWeHack to run its Bug Bounty Program.
Please note that the program is externally hosted on the Ant Group Security Response Center (AntSRC), and Ant Group will only accept report submissions through the AntSRC platform at https://mysrc.group/home. Rewards offered on AntSRC are entirely driven and decided by Ant Group.
If you believe you have discovered a vulnerability, kindly disclose to Ant Group responsibly and we’ll work with you to ensure we remediate the issue to the best of our ability.
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.