Bug bounty (Public)

GoTo Financial - Public Bounty Program

GoTo Group is the largest digital ecosystem in Indonesia, with a mission to “empower progress” by offering technology infrastructure and solutions that help everyone access and thrive in the digital economy. GoTo’s ecosystem comprises on-demand transport, e-commerce, food and grocery delivery, logistics and fulfillment, and financial services through the Gojek, Tokopedia and GoTo Financial platforms.

Reward

  Bounty:   $50
  Low:      $100
  Medium:   $800
  High:     $3,000
  Critical: $7,000

Program

  Avg reward: -
  Max reward: -
  Scopes:     3

Supported languages
English

Hacktivity

  Reports:            20
  1st response:       < 1 day
  Reports last 24h:   11
  Reports last week:  20
  Reports this month: 20

GoTo Financial

GoTo Financial is rapidly expanding product offerings to our consumers. This growth is a win for everyone, but we want to ensure that our consumers remain safe on our platform. We take the security of our consumers very seriously and are thus taking steps to ensure we work closely with the broader security community to handle responsible disclosure of any bugs found on our platform.

We look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Program Rules

At GoTo Financial, we recognize the important role that security researchers play in helping to keep GoTo Financial and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which are defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Denial of service (DoS) attacks on GoTo Financial applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Only perform tests against your own accounts to protect our users' privacy.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial or otherwise, is allowed.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of GoTo Financial, however only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • The report must contain the following elements:
    • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Gojek, and remediation advice on fixing the vulnerability
    • Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
    • Proof of exploitation: screenshots and/or videos demonstrating that the exploit was performed, and showing the final impact
    • Complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands, etc.
  • You must not break any of the testing policy rules listed above
  • You must not be a former or current employee of GoTo Financial or one of its contractors.
  • A 30-day delay applies to vulnerabilities based on a recently released CVE before they are eligible for a reward (see below).

Recent CVE 30 Days Delay

To ensure we have reasonable time to patch recently released Common Vulnerabilities and Exposures (CVEs), any vulnerability based on a CVE released within the last 30 days will not be eligible for a bounty until after this period. This delay allows us to adequately assess, test, and deploy patches for newly disclosed vulnerabilities.

Reward amounts

Rewards and their amounts are decided at the discretion of the GoTo Security team. We will do our best to assess each vulnerability using its CVSS score together with its actual business impact when performing risk analysis.

Special Situations

Some situations exist that may earn partial bounties or bonuses on top of a base bounty per report.

Here are a few of the most common examples:

  1. Same vulnerability, on different paths or hosts:
    If you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. We will award an additional 5% bonus per path / per host for any valid ones you've included in the report. However, if you subsequently identify the same vulnerability on a different path / host in a new report submission, such reports will be treated as duplicates. This is to allow GoTo Financial sufficient time to patch the related paths.
  2. Same payload, different parameter:
    In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.
  3. Staging environments:
    All vulnerabilities found in a staging environment are out of scope (a staging domain may be indicated by words like test/integration/staging, etc.).
  4. Subdomain takeover:
    Any subdomain takeover findings will be reviewed case by case and will not follow the bounty table.

Third-Party Services

If you believe an issue with one of our third-party service providers is the result of GoTo Financial's misconfiguration or insecure usage of that service (or you’ve reported an issue affecting many customers of the service that you believe GoTo Financial can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we’d appreciate your report regarding the issue.

Keep in mind that any reports regarding third-party services are likely to not be eligible for a reward.

Scope

  • Valid submissions for the assets in the ‘Scope’ section will be rewarded accordingly in this bug bounty program.

  • Please note that we cannot promise you a bounty for valid report submissions that are outside of the in-scope assets. However, in certain exceptional cases, if we decide to reward, the decision will be at our discretion and will probably not exceed a Tier 2 Medium bounty.

Focus Areas

We are happy for you to look over the entire suite of services that our Consumer App offers.
We would, however, be very interested to find out what you can do on our payment platform.

Anything around peer-to-peer transfer and withdrawal is particularly interesting for us.

Note that you will need an Indonesian phone number to transfer to and from.

Reward Grid(s)

Critical - Tier One

  Rating     CVSS score    Bounty
  None       0.0           No bounty
  Low        0.1 - 3.9     $100
  Medium     4.0 - 6.9     $300 - $800
  High       7.0 - 8.9     $2,000 - $3,000
  Critical   9.0 - 10.0    $3,500 - $7,000

GoTo Financial functions

In order to test the GoTo Financial functions and the related APIs, please install and use the GoPay mobile application:

Safe Harbor

Any activities related to your participation in this program that are conducted in full compliance with this Policy Page will be considered authorized conduct, and we will not initiate or suggest legal action against you.

If legal action is initiated by a third party against you in connection with your participation in this program, provided that you have fully complied with this program’s Policy Page, we will make it known that your actions were conducted pursuant to this program and complied with the Policy Page.

Thank you for helping keep GoTo Financial and our users safe!

FAQ

Q: I want swag, how do I get it?
A: Unfortunately, GoTo Financial does not currently offer any swag.

Q: Can GoTo Financial provide me with a pre-configured test account?
A: As of now, GoTo Financial doesn’t provide any test accounts.

Q: Can we test GoTo Financial apps outside of the operating country?
A: Yes, we would love to have you participate.


Reward

  Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
  Critical      $100       $800          $3,000      $7,000

Scopes

  Scope: https://apps.apple.com/id/app/gopay-transfer-pulsa-bills/id6446321594
  Type: Mobile application (iOS)
  Asset value: Critical
  Bounty: Low $100 / Medium $800 / High $3,000 / Critical $7,000

  Scope: https://play.google.com/store/apps/details?id=com.gojek.gopay&hl=id
  Type: Mobile application (Android)
  Asset value: Critical
  Bounty: Low $100 / Medium $800 / High $3,000 / Critical $7,000

  Scope: *.gopayapi.com
  Type: Web application
  Asset value: Critical
  Bounty: Low $100 / Medium $800 / High $3,000 / Critical $7,000

Out of scopes

  • Any staging environment is out of scope (a staging domain may be indicated by words like test/integration/staging, etc.)
  • All other GoTo Financial assets not listed above are to be considered out of scope

Vulnerability types

Qualifying vulnerabilities

  • Cross-Origin Resource Sharing (CORS)/Cross-site Request Forgery (CSRF) with real security impact
  • Local file access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Business logic vulnerability with real security impact
  • Authentication bypass & broken authentication
  • Horizontal and vertical privilege escalation
  • Insecure Direct Object References (IDOR)
  • Code injections (JS, SQL, PHP, ...)
  • Remote Code Execution (RCE)
  • Cross-Site Scripting (XSS)

Non-qualifying vulnerabilities

  • Broken Link/Social media Hijacking
  • Tabnabbing
  • Missing cookie flags
  • Content/Text injections
  • Clickjacking/UI redressing
  • Denial of Service (DoS) attacks
  • Recently disclosed CVEs (less than 30 days since patch release)
  • CVEs without exploitable vulnerabilities and PoC
  • Open ports or services without exploitable vulnerabilities and PoC
  • Social engineering of staff or contractors
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers or platforms
  • Self-XSS or XSS that cannot be used to impact other users
  • Any hypothetical flaw or best practices without exploitable vulnerabilities and PoC
  • SSL/TLS issues (e.g. expired certificates, best practices)
  • Unexploitable vulnerabilities (e.g. Self-XSS, XSS or Open Redirect through HTTP headers...)
  • Reports with attack scenarios requiring MITM or physical access to victim's device
  • Missing security-related HTTP headers which do not lead directly to an exploitable vulnerability and PoC
  • Low severity Cross-Site Request Forgery (CSRF) (e.g. Unauthenticated / Logout / Login / Products cart updates...)
  • Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
  • Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
  • Disclosure of information without exploitable vulnerabilities and PoC (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets, EXIF Metadata, Origin IP)
  • CSV injection
  • Malicious file upload (e.g. EICAR files, .EXE)
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full exploitable vulnerability and PoC or not applicable to the scope
  • Blind SSRF without exploitable vulnerabilities and PoC (e.g. DNS & HTTP pingback, WordPress XMLRPC)
  • Lack or bypass of rate-limiting, brute-forcing or captcha issues
  • User enumeration (e.g. email, alias, GUID, phone number, common CMS endpoints)
  • Weak password policies (e.g. length, complexity, reuse)
  • Ability to spam users (email / SMS / direct messages flooding)
  • Disclosed or misconfigured public API keys (e.g. Google Maps, Firebase, analytics tools...)
  • Password reset token sent via HTTP referer to external services (e.g. analytics / ads platforms)
  • Pre-account takeover (e.g. account creation via OAuth)
  • GraphQL Introspection is enabled
  • Exploits that are only possible on Android version 7 and below
  • Exploits that are only possible on iOS version 10 and below
  • Exploits that are only possible on a jailbroken device
  • Generic Android or iOS vulnerabilities

Hunting requirements

Account access

No test accounts will be provided.

You can download our consumer app from the Google Play Store or Apple App Store.

The GoPay consumer app allows self-registration. You may sign up for an account with your own phone number.

We operate in Indonesia, Singapore, Vietnam and Thailand.

Note: You may be suspended or blocklisted from our platform if your profile appears to be making too many fake bookings, is not completing a single booking, or triggers any of the rate-limiting controls we have in place.

User agent

Please append the following value to your User-Agent header: ' X-YesWeHack-Research: [Your YWH Username] '.


Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see the help center.

Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to log in with your hunter account.