Calling All Ethical Hackers & Bug Hunters: Join Tokopedia Bug Bounty Program!

Tokopedia
Published in Life at Tokopedia
4 min read · Apr 15, 2021

Applications and electronic systems will always face the risk of security threats and vulnerabilities. As companies advance technologically, cybercriminals keep finding small gaps and refining their techniques to attack targets, which leads to more cybercrime cases every day.

Delivering reliable services whilst protecting and securing company data and user information is a company’s top priority, especially at Tokopedia.

At Tokopedia, we rely heavily on systems and applications, so keeping our users’ information safe and secure is critical to our daily operations. As part of our commitment to secure application development practices, bugs and security loopholes are among the many flaws the team must look out for. If those bugs or holes are left untreated, there is a high chance that unauthorized parties will exploit them and compromise our services and security.

It is always nice to have a second pair of eyes to help us detect something we might have missed. So, Ethical Hackers and Bug Hunters, this is your chance to help us find undetected vulnerabilities and be our tech heroes!

Getting to Know Tokopedia Bug Bounty Program

As part of Tokopedia’s commitment to deliver an unmatchable service quality and security, we are excited to introduce you to Tokopedia’s Bug Bounty program. In this program, we invite Security Researchers all over the world to report security bugs or vulnerabilities within Tokopedia’s environment.

What’s in It for You

Tokopedia appreciates every good-faith research effort and provides bounty for researchers who report valid security bugs. A valid report is rewarded with Wall of Fame points and monetary bounty depending on the issue’s severity. Grab the chance to shine on our Bug Bounty Wall of Fame and receive up to IDR 50 million!

However, certain actions make you ineligible to receive our bounty. Make sure you avoid the following:

  • Exploiting issues that you discover
  • Publicly disclosing the report without written consent from Tokopedia
  • Using other people’s accounts, rather than your own, while participating in this research
  • Reporting issues that are outside of our property and vulnerability scope
  • Distributed denial of service (DDoS) and social engineering

Check out Tokopedia Bug Bounty Rules for more information.

The Scope

To ensure that your research is structured and on the right track, we have defined our Bug Bounty scope. Below is a quick overview of the properties and vulnerabilities that qualify for inclusion in your research:

Property

  • *.tokopedia.com
  • *.tokopedia.net
  • payment.tokopedia.id
  • iOS and Android Application
  • Android Seller Application

Vulnerability

  • SQL Injection
  • Cross-site Scripting (XSS)
  • Significant Authentication Bypass
  • OWASP Top 10 Vulnerabilities

That’s not all. More vulnerability classes qualify for inclusion in your research. Check out our Bug Bounty Portal for the complete list of vulnerabilities that you can discover and report.

How to Participate

Try to explore the aforementioned vulnerabilities in our in-scope properties. If you find one, report it to us through bounty.tokopedia.net. Here are the steps to follow:

  1. First, sign in, or sign up if you haven’t already.
  2. Next, complete your profile and go to ‘Create New’. In this step, tell us in detail what kind of vulnerability you’ve discovered.
  3. Don’t forget to check the system and vulnerability scope to make sure that your report is valid. Also, make sure to fill in the following:
  • Issue title
  • Description
  • Affected Endpoint
  • Impact
  • Steps to Reproduce
  • Attachment (POC)
  • Remediation
  • Reference

Once you have submitted it, give us some time to validate your report and fix the issues. We will then contact you regarding the details of your reward.

Let’s Participate and Take Pride in Your Achievements

Tokopedia acknowledges every valid report you contribute by featuring you on our own Bug Bounty Wall of Fame. You can also publish your discoveries as long as the following conditions are met:

  • You may only publish the issue you discovered at least 3 months after the issue has been fixed by Tokopedia.
  • You need to obtain approval from Tokopedia before publishing the issue.

Keeping the above rules and scope in mind, we look forward to your participation and to working closely with you to detect bugs and flaws in our environment. And remember, your reward is waiting for you!

What are you waiting for? Let’s learn together, and help one another through the Tokopedia Bug Bounty program now!

Go to bounty.tokopedia.net to participate.
