Public bug bounty program

DANA Bug Bounty Program

DANA is an Indonesian digital wallet that aims to be safe, trusted and reliable anytime, anywhere. With DANA, you can make cashless and even cardless transactions for your daily needs, from offline payments to paying bills and installments online. DANA also offers many features that make transactions more practical and fast. DANA is currently running a bug bounty program with the scope and rules written below. Please read them carefully so that your report can be recognized as valid.

Reward

Severity   Bounty
Low        $0
Medium     $200
High       $1,000
Critical   $2,000

Program

Avg reward: -
Max reward: -
Scopes: 7
Supported languages: English

Hacktivity

Reports: 138
1st response: < 1 day
Reports last 24h: -
Reports last week: -
Reports this month: 3

DANA

DANA Wallet is an e-wallet provider in Indonesia. It began operating in July 2017. DANA Wallet Indonesia is headquartered in Jakarta, Indonesia.

Pay for anything and everything with just a tap of your finger. Experience the convenience of carrying out transactions with ease: bills, e-commerce payments and barcode scans at merchants. #GantiDompet now and switch to the DANA digital wallet for faster, safer and more practical payment methods.

Program Rules

Thank you for your interest in the DANA bug bounty program.

  • We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our systems.
  • If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
  • Any type of denial-of-service attack is strictly forbidden, as is any interference with network equipment and DANA infrastructure.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports that help us improve the security of DANA; however, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • "OneFixOneReward": If two or more endpoints use the same codebase and a single fix can be deployed to fix all the different endpoints, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. Regardless, such reports will be reviewed on a case-by-case basis.
  • You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof-of-concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit the number of requests per second you send).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of DANA or one of its contractors.
  • Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial disclosure, is allowed.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the privacy of our users.

  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Do not leak, manipulate, or destroy any user data or files in any system.
  • Do not copy any files from the system and disclose them.

Known vulnerabilities

The following vulnerabilities are already known from previous security testing. They are in the process of being fixed and will not be rewarded.

  • Overly permissive Google API key in application binaries. This is known and will be fixed in an upcoming release.
  • Open Redirect on m.dana.id

Rewards Grid

Rewards are given based on CVSS scoring and actual business impact.

Rating     CVSS score    Bounty
None       0.0           No bounty
Low        0.1 - 3.9     No bounty
Medium     4.0 - 6.9     $50 - $200
High       7.0 - 8.9     $400 - $1,000
Critical   9.0 - 10.0    $1,500 - $2,000

Reports of Leaks and Exposed Credentials

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program's scope and that were identified outside of our program's scope.

Also, so as not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering), we will not accept or reward any report based on information whose source is not the result of a failure on the part of our organization or one of our employees/service providers.

To summarize our policy, you may refer to this table:

Type of leak                                                               | Source of leak is in-scope | Source of leak belongs to DANA but is out-of-scope | Source of leak does not belong to DANA and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset)           | Eligible                   | Eligible                                           | Not eligible
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset)  | Eligible                   | Not eligible                                       | Not eligible

Excluded reports include, but are not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

Special Case

  • If you can bypass our face verification method in the login feature, we will give you a bonus of up to $2,000.

Reward

Asset value | CVSS Low | CVSS Medium | CVSS High | CVSS Critical
Low         | $0       | $200        | $1,000    | $2,000

Scopes

Scope                                                        | Type                       | Asset value | Low | Medium | High   | Critical
https://play.google.com/store/apps/details?id=id.dana&hl=en  | mobile-application-android | Low         | $0  | $200   | $1,000 | $2,000
https://apps.apple.com/id/app/dana/id1437123008              | mobile-application-ios     | Low         | $0  | $200   | $1,000 | $2,000
https://appgallery.huawei.com/#/app/C100570215               | other                      | Low         | $0  | $200   | $1,000 | $2,000
mgs-gw.m.dana.id                                             | api                        | Low         | $0  | $200   | $1,000 | $2,000
api-saas.dana.id                                             | api                        | Low         | $0  | $200   | $1,000 | $2,000
sec.m.dana.id                                                | web-application            | Low         | $0  | $200   | $1,000 | $2,000
m.dana.id                                                    | web-application            | Low         | $0  | $200   | $1,000 | $2,000

Out of scopes

  • webdev.dana.id
  • wp.dana.id
  • fiat.dana.id
  • cmsdev.dana.id
  • techops.dana.id
  • dm.dana.id
  • encrypt.dana.id

Vulnerability types

Qualifying vulnerabilities

  • Business logic vulnerability with real security impact
  • Authentication bypass & broken authentication
  • Horizontal and vertical privilege escalation
  • Code injections (HTML, JS, SQL, PHP, ...)
  • Remote Code Execution (RCE)
  • Cross-Site Scripting (XSS)
  • CORS with real security impact
  • Cross-site Request Forgery (CSRF) with real security impact
  • Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Insecure Direct Object References (IDOR)
  • Sensitive Information Exposure through insecure data storage on device
  • Lack of SSL pinning, jailbreak/root detection, anti-debugging controls, etc. on the latest version in the Play Store or App Store
  • Bypassing Verification Methods

Non-qualifying vulnerabilities

  • Lack of expiration on auth tokens
  • Vulnerabilities affecting outdated versions; we only consider reports against the latest versions of our application currently in the Google Play Store/Apple App Store
  • Exploiting a generic Android or iOS vulnerability
  • Lack of encryption on internal database/preference files without real security impact
  • Exploits that are only possible on a jailbroken device
  • Denial of Service (DoS) attacks
  • Self XSS
  • "HTTP Host Header" XSS
  • Missing cookie flags
  • Mixed content warnings
  • Lack of HTTP security headers (CSP, X-XSS, etc.)
  • SSL/TLS best practices
  • No rate-limiting enforced
  • Clickjacking/UI redressing
  • Software version disclosure
  • Stack traces, path disclosure, directory listings, etc.
  • Physical or social engineering attempts like phishing
  • Recently disclosed 0-day vulnerabilities
  • Presence of autocomplete attribute on web forms
  • Issues that require physical access to a victim's mobile device
  • Logout and other instances of low-severity CSRF
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Incomplete or missing SPF/DKIM/DMARC on mail servers
  • Security best practices without real security impact
  • Attacks requiring MITM or physical access to a user's device
  • Enumeration/account oracles: the possibility to enumerate phone numbers, emails, GUIDs, etc. and receive an indication that they exist
  • Subdomain takeover on assets not included in the main scope

Hunting requirements

Account access

An Indonesian mobile number that can receive SMS is required to create an account and use the mobile application. Please use services such as Nexmo to obtain one and perform testing.


Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.