GoTo Financial - Public Bounty Program
GoTo Group is the largest digital ecosystem in Indonesia, with a mission to “empower progress” by offering technology infrastructure and solutions that help everyone to access and thrive in the digital economy. GoTo’s ecosystem comprises on-demand transport, e-commerce, food and grocery delivery, logistics and fulfillment, and financial services through the Gojek, Tokopedia and GoTo Financial platforms.
GoTo Financial
GoTo Financial is rapidly expanding product offerings to our consumers. This growth is a win for everyone, but we want to ensure that our consumers remain safe on our platform. We take the security of our consumers very seriously and are thus taking steps to ensure we work closely with the broader security community to handle responsible disclosure of any bugs found on our platform.
We look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Program Rules
At GoTo Financial, we recognize the important role that security researchers play in helping to keep GoTo Financial and our customers secure.
By participating in this program you acknowledge that you have read and agreed to the Program Rules, which are defined as this entire document.
Testing Policy and Responsible Disclosure
Please adhere to the following rules while performing research on this program:
- Denial of service (DoS) attacks on GoTo Financial applications, servers, networks or infrastructure are strictly forbidden.
- Avoid tests that could cause degradation or interruption of our services.
- Do not use automated scanners or tools that generate large amounts of network traffic.
- Only perform tests against your own accounts to protect our users' privacy.
- Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
- Do not copy any files from our applications/servers and disclose them.
- No vulnerability disclosure, full, partial or otherwise, is allowed.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Reward Eligibility and Amount
We are happy to thank everyone who submits valid reports which help us improve the security of GoTo Financial, however only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- The report must contain the following elements:
  - A clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Gojek, and remediation advice on fixing the vulnerability
  - One vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact
  - Proof of exploitation: screenshots and/or videos demonstrating that the exploit was performed and showing the final impact
  - Complete steps, with the necessary information, to reproduce the exploit, including (if necessary) code snippets, payloads, commands, etc.
- You must not break any of the testing policy rules listed above
- You must not be a former or current employee of GoTo Financial or one of its contractors.
- Vulnerabilities based on a recently released CVE are subject to a 30-day delay before they are eligible for a reward (see below).
Recent CVE 30 Days Delay
To ensure we have reasonable time to patch recently released Common Vulnerabilities and Exposures (CVEs), any vulnerability based on a CVE released within the last 30 days will not be eligible for a bounty until after this period. This delay allows us to adequately assess, test, and deploy patches for newly disclosed vulnerabilities.
Reward amounts
Whether a reward is granted, and its amount, is decided at the discretion of the GoTo Security team. We will do our best to assess each vulnerability using its CVSS score together with the actual business impact of the vulnerability as determined by our risk analysis.
Special Situations
Some situations exist that may earn partial bounties or bonuses on top of a base bounty per report.
Here are a few of the most common examples:
- Same vulnerability, on different paths or hosts:
  If you believe a vulnerability may exist on a different (unique) path or host, please submit all affected paths and hosts in the same report. We will award an additional 5% bonus per path / per host for any valid ones you've included in the report. However, if you subsequently identify the same vulnerability on a different path / host in a new report submission, such reports will be treated as duplicates. This is to allow GoTo Financial sufficient time to patch the related paths.
- Same payload, different parameter:
  In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.
- All vulnerabilities found in the staging environment are out of scope (a staging domain may be indicated by words like test/integration/staging, etc.).
- Any subdomain takeover findings will be reviewed case by case and will not use the bounty table.
Third-Party Services
If you believe an issue with one of our third-party service providers is the result of GoTo Financial's misconfiguration or insecure usage of that service (or you’ve reported an issue affecting many customers of the service that you believe GoTo Financial can temporarily mitigate without stopping usage of the service while a fix is implemented upstream), we’d appreciate your report regarding the issue.
Keep in mind that any reports regarding third-party services are likely to not be eligible for a reward.
Scope
- Valid submissions for the assets in the ‘Scope’ section will be rewarded accordingly in this bug bounty program.
- Please note that we cannot promise you a bounty for valid report submissions that are outside of the in-scope assets. However, in certain exceptional cases, if we decide to reward, the decision will be at our discretion and it will probably not go higher than a Tier 2 Medium bounty.
Focus Areas
We are happy for you to look over the entire suite of services that our Consumer App offers.
We would, however, be very interested to find out what you can do on our payment platform.
Anything around peer-to-peer transfer and withdrawal is particularly interesting for us.
Note that you will need an Indonesian phone number to transfer to and from.
Reward Grid(s)
Critical - Tier One
Rating | CVSS score | Bounty
---|---|---
None | 0.0 | No bounty
Low | 0.1 - 3.9 | $100
Medium | 4.0 - 6.9 | $300 - $800
High | 7.0 - 8.9 | $2,000 - $3,000
Critical | 9.0 - 10.0 | $3,500 - $7,000
GoTo Financial functions
In order to test the GoTo Financial functions and the related APIs, please install and use the GoPay mobile application listed in the Scope section.
Safe Harbor
Any activities in relation to your participation in this program conducted in a manner with full submission and compliance with this Policy Page will be considered authorized conduct and we will not initiate or suggest legal action against you.
If legal action is initiated by a third party against you in connection with your participation in this program, provided that you have fully submitted and complied with this program’s Policy Page, we will make it known that your actions were conducted pursuant to this program and have complied with the Policy Page.
Thank you for helping keep GoTo Financial and our users safe!
FAQ
Q: I want swag, how do I get it?
A: Unfortunately, GoTo Financial does not currently offer any swag.
Q: Can GoTo Financial provide me with a pre-configured test account?
A: As of now, GoTo Financial doesn’t provide any test accounts.
Q: Can we test GoTo Financial apps outside of the operating country?
A: Yes, we would love to have you participate.
Reward
Asset value | Low | Medium | High | Critical
---|---|---|---|---
Critical (Tier One) | $100 | $800 | $3,000 | $7,000
Scopes
Scope | Type | Asset value
---|---|---
https://apps.apple.com/id/app/gopay-transfer-pulsa-bills/id6446321594 | Mobile application iOS |
https://play.google.com/store/apps/details?id=com.gojek.gopay&hl=id | Mobile application Android |
*.gopayapi.com | Web application |
Out of scopes
- Any staging environment will be out of scope (a staging domain may be indicated by words like test/integration/staging, etc.)
- All other GoTo Financial assets not listed above are to be considered out of scope
Vulnerability types
Qualifying vulnerabilities
- Cross-Origin Resource Sharing (CORS)/Cross-site Request Forgery (CSRF) with real security impact
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Business logic vulnerability with real security impact
- Authentication bypass & broken authentication
- Horizontal and vertical privilege escalation
- Insecure Direct Object References (IDOR)
- Code injections (JS, SQL, PHP, ...)
- Remote Code Execution (RCE)
- Cross-Site Scripting (XSS)
Non-qualifying vulnerabilities
- Broken Link/Social media Hijacking
- Tabnabbing
- Missing cookie flags
- Content/Text injections
- Clickjacking/UI redressing
- Denial of Service (DoS) attacks
- Recently disclosed CVEs (less than 30 days since patch release)
- CVEs without exploitable vulnerabilities and PoC
- Open ports or services without exploitable vulnerabilities and PoC
- Social engineering of staff or contractors
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers or platforms
- Self-XSS or XSS that cannot be used to impact other users
- Any hypothetical flaw or best practices without exploitable vulnerabilities and PoC
- SSL/TLS issues (e.g. expired certificates, best practices)
- Unexploitable vulnerabilities (e.g. Self-XSS, XSS or Open Redirect through HTTP headers...)
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Missing security-related HTTP headers which do not lead directly to an exploitable vulnerability and PoC
- Low severity Cross-Site Request Forgery (CSRF) (e.g. Unauthenticated / Logout / Login / Products cart updates...)
- Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
- Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
- Disclosure of information without exploitable vulnerabilities and PoC (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets, EXIF Metadata, Origin IP)
- CSV injection
- Malicious file upload (e.g. EICAR files, .EXE)
- HTTP Strict Transport Security Header (HSTS)
- Subdomain takeover without a full exploitable vulnerability and PoC or not applicable to the scope
- Blind SSRF without exploitable vulnerabilities and PoC (e.g. DNS & HTTP pingback, Wordpress XMLRPC)
- Lack or bypass of rate-limiting, brute-forcing or captcha issues
- User enumeration (e.g. email, alias, GUID, phone number, common CMS endpoints)
- Weak password policies (e.g. length, complexity, reuse)
- Ability to spam users (email / SMS / direct messages flooding)
- Disclosed or misconfigured public API keys (e.g. Google Maps, Firebase, analytics tools...)
- Password reset token sent via HTTP referer to external services (e.g. analytics / ads platforms)
- Pre-account takeover (e.g. account creation via oAuth)
- GraphQL Introspection is enabled
- Exploits that are only possible on Android version 7 and below
- Exploits that are only possible on iOS version 10 and below
- Exploits that are only possible on a jailbroken device
- Generic Android or iOS vulnerabilities
Hunting requirements
Account access
No test accounts will be provided.
You can download our consumer app from the Google Play Store or Apple App Store.
The GoPay consumer app allows self-registration. You may sign up for an account with your own phone number.
We operate in Indonesia, Singapore, Vietnam and Thailand.
Note: Your account may be suspended or blocklisted from our platform if our controls flag your profile as making too many fake bookings, never completing a single booking, or triggering rate limiting.
User agent
Please append the following value to your User-Agent header: ' X-YesWeHack-Research: [Your YWH Username] '.
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.