
Ant Group Security Response Center - Bug Bounty Program

Headquartered in Singapore, Ant International powers the future of global commerce with digital innovation that lets everyone and every business thrive. In close collaboration with partners, we support merchants of all sizes worldwide in realizing their growth aspirations through a comprehensive range of tech-driven digital payment and financial services solutions. Ant International pays special attention to the security of its products and business. We are well aware that discovering vulnerabilities takes a long time and a great deal of tedious work. We promise that each reported issue will be assigned a dedicated staff member, to ensure timely communication and proper handling. In return, we will reward those who help improve the enterprise security of Ant International.

Reward

Bounty (minimum $10):

  • Low: $80
  • Medium: $250
  • High: $1,100
  • Critical: $2,500

A Hall of fame is also available.

Program


Scopes: 8
Supported languages: English, Chinese


Ant Group looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. If you believe you have discovered a vulnerability, kindly disclose it responsibly via MySRC.


Announcement: Additional Qualifying Vulnerability Framework

Dear Hunters,

We are excited to announce the launch of our Additional Qualifying Vulnerability Framework. This new framework is designed to recognize and reward findings that demonstrate significant risk or organized abuse against Ant International’s business:

Category, qualifying scenarios and reward range (USD):

Critical ($800 – $1,000)
  • Clear, verifiable evidence of large-scale organized group activity impacting Ant International’s business (account transactions, fake registrations, loan fraud), involving >100 independent accounts/domains/emails.
  • Confirmed money laundering networks/organizations with detailed transactions, initial cash-out methods, organization info, and direct Ant International links.
  • Effective first-time face recognition bypass method (video + tools/methods).

High ($200 – $400)
  • Confirmed organized activity involving 50–100 accounts/domains/emails.
  • Cryptocurrency websites actively using A+ for payments (30+ valid accounts with screenshots and transaction evidence).
  • Forged identities/documents successfully passed WF/AlipayHK/Ant Bank/ANEXT verification.
  • Detailed reusable cash-out schemes exploiting Ant International’s business.

Medium ($50 – $150)
  • 3–5 cryptocurrency websites displaying A+/Alipay branding without authorization.
  • 2–9 accounts/domains tied to organized activity impacting Ant International.
  • Evidence of a single attempted face recognition bypass with only partial PoC (e.g., fake photo/video, no full exploit chain).
  • Loan fraud method described but lacking transaction proof.

Low ($0 – $40)
  • Unverified general leads (e.g., suspected crypto sites, unverified email/domain lists).
  • Public but related account transaction samples (not yet linked to Ant).
  • Single confirmed cryptocurrency website using A+ for payments/branding.
  • Incomplete records of suspected fraud/money laundering methods.

Please review the updated framework and continue submitting high-quality findings. We appreciate your contributions to strengthening Ant International’s ecosystem.

Thank you for your ongoing support and dedication.


Program Policy

  • Malicious reporters will be banned.
  • Irrelevant problems will be ignored.
  • Employees of Ant Group and Alibaba Group cannot participate in the award plan, directly or indirectly.
  • The award plan is only available to users submitting reports through AntSRC or through YWH.
  • AntSRC holds the right of final interpretation for the award plan.

Report Submission

Please fill in all relevant vulnerability details and submit via mysrc.group according to the required standards.

Important: Please keep your vulnerability strictly confidential. No credit or rewards will be given if the issue is disclosed publicly before it is fixed.

Vulnerability Evaluation Process

Once submitted, AntSRC will evaluate your report within 48 hours.

AntSRC will contact you if necessary for clarification or further testing.

Additional Incentives: Critical Vulnerabilities

Submissions that meet Critical severity may qualify for a cash bonus ranging from USD 1337 to USD 31337, in addition to the swag.

What qualifies as "Critical"?

  1. Vulnerabilities that can lead to escalation of privileges on core servers, including but not limited to:

    • Memory corruption
    • WEBSHELL upload
    • Remote Code Execution (RCE)

      Note: Core servers refer to those storing information on funds, identities, and transactions.

  2. Core sensitive information leakage vulnerabilities, including those caused by loose permission controls.

  3. Logic vulnerabilities in core business processes that can be massively exploited to cause financial or reputational damage to the company or users, including but not limited to:

    • Account credential validation logic
    • Data verification logic in core APIs
    • Payment logic flaws

  4. SQL injection vulnerabilities that:

    • Allow direct command execution
    • Leak sensitive data from core databases, such as user IDs, order information, or bank card details

Additional Cash Bonus (USD 1337 – USD 31337)

Eligible vulnerabilities include:

  • Large-scale user account information leakage or unauthorized privilege changes
  • Ability to massively acquire sensitive user data, such as orders
  • Capability to take control of important servers

Submission Requirements

To help us process reports efficiently, please append [YWH] to your report title.

Example Title:
[YWH] SQL Injection on example.net at /example/register

Submissions with the [YWH] tag will be prioritized for review and processing during the promotional period. This helps us quickly identify participants eligible for the swag reward and ensures faster triage.


Contact AntSRC

For any questions or clarifications, you may contact the Ant Group Security Response Center at
antsrc@service.alipay.com


Other Links

  • Ant Group Security Response Center: https://mysrc.group/home
  • WeChat Account ID: antsrc_xiaofen
  • DingTalk ID: afsrc007
  • Twitter: My Security Response Center

Reward

Asset value: High

  • CVSS Low: $80
  • CVSS Medium: $250
  • CVSS High: $1,100
  • CVSS Critical: $2,500

Scopes

Scope, type and asset value:

  • *.alipayplus.com: Web application, asset value High
  • *.antom.com: Web application, asset value High
  • *.worldfirst.com: Web application, asset value High
  • bettrfinancing.com: Web application, asset value High
  • anext.com.sg: Web application, asset value High
  • alipayhk.com: Web application, asset value High
  • antbank.hk: Web application, asset value High
  • Any other applications found here: https://mysrc.group/project_detail?id=11 (Other), asset value High

Every scope above uses the same reward grid: Low $80, Medium $250, High $1,100, Critical $2,500.

Out of scopes

  • All domains or subdomains not listed in the above list of 'Scopes'.
  • Third-party applications and websites
  • Anything not belonging to Ant Group’s products or systems.

Vulnerability types

Qualifying vulnerabilities

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • Insecure Direct Object Reference (IDOR)
  • Horizontal and vertical privilege escalation
  • Authentication bypass & broken authentication
  • Business Logic Errors vulnerability with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Cross-Origin Resource Sharing (CORS) with real security impact
  • Cross-site Request Forgery (CSRF) with real security impact
  • Open Redirect
  • Exposed administrative panels without strong protection
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Large-scale leakage of users’ sensitive information
  • Large-scale leakage of order details

Non-qualifying vulnerabilities

  • Tabnabbing
  • Missing cookie flags
  • Content/Text injections
  • Mixed content warnings
  • Clickjacking/UI redressing
  • Denial of Service (DoS) attacks
  • Known CVEs without working PoC
  • Open ports without real security impact
  • Social engineering of staff or contractors
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers or platforms
  • Self-XSS or XSS that cannot be used to impact other users
  • Outdated libraries without a demonstrated security impact
  • Any hypothetical flaw or best practices without exploitable PoC
  • Expired certificate, best practices and other related issues for TLS/SSL certificates
  • Unexploitable vulnerabilities (ex: XSS or Open Redirect in HTTP Host Header)
  • Reports with attack scenarios requiring MITM or physical access to victim's device
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
  • Invalid or missing SPF (Sender Policy Framework), DKIM, DMARC records
  • Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
  • Disclosure of information without direct security impact (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets)
  • CSV injection
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full working PoC
  • Blind SSRF without direct impact (e.g. DNS pingback)
  • Lack of rate-limiting, brute-forcing or captcha issues
  • User enumeration (email, alias, GUID, phone number)
  • Password requirements policies (length / complexity / reuse)
  • Ability to spam users (email / SMS / direct messages flooding)
  • Disclosed / misconfigured Google API key (including Google Maps)
  • Recently disclosed 0-day vulnerabilities (less than 90 days since patch release)
  • Password reset token leak on trusted third-party website via Referer header (eg Google Analytics, Facebook…)

Hunting requirements

Account access

To expand its community of researchers and recruit global talent, Ant Group Security Response Center is partnering with YesWeHack to run its Bug Bounty Program.

Please note that the program is externally hosted on the Ant Group Security Response Center (AntSRC) and Ant Group will only accept report submissions through the AntSRC platform: https://mysrc.group/home. Rewards offered on AntSRC are entirely driven and decided by Ant Group.
If you believe you have discovered a vulnerability, kindly disclose it to Ant Group responsibly and we’ll work with you to ensure we remediate the issue to the best of our ability.

Submission Requirements

For all submissions, please append [YWH] to your report title.

Example title: [YWH] SQLi on example.net at /example/register


Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to log in with your hunter account.