BukuWarung is committed to security. We reward reporters for the responsible disclosure of in-scope issues and exploitation techniques. Whenever, someone discovers a bug, we appreciate the cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible. Help us make the MSMEs of Indonesia cyber-secured.
In-Scope
Rewards and Recognition
Depending on CVSS score v4.0 severity
- Critical: Hall of Fame
- High: Hall of Fame
- Medium: Hall of Fame
- Low: Hall of Fame (Minimum 3 vulnerabilities to get eligible)
Non-Qualifying Bugs
- Zero-day vulnerabilities or recently disclosed CVE will not be considered eligible until more than 90 days have passed since patch availability.
- Don’t target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
- Targeting, attempting to access, or otherwise disrupt the accounts of other users without the express permission of our team.
- Clickjacking on pages with no sensitive actions.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing HttpOnly or Secure flags on cookies.
- Missing best practices in Content Security Policy.
- Vulnerabilities related to Password Policy.
- Version number information disclosure, banner grabbing, stack trace that do-not chains the severe attacks practically.
- Cross-Site Request Forgery (CSRF) with no proven sensitive effect.
- Attacks requiring MITM or physical access to a user’s device.
- Missing best practices in SSL/TLS configuration.
- Missing Content Security Policy headers.
- Rate limiting or brute force issues of no severe effect.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Self XSS
- Open redirect – with no security impact demonstrated.
- Deprecated or vulnerable libraries without no further attack demonstrated.
- IDOR with no severe attack.
- Invalid HTTP request method.
- Disclosure of known public files or directories, (e.g. robots.txt)
- Lack of Captcha.
- Improper session handling or session time out with no severe impact.
- Any third party services/URLs/assets incorporated with BukuWarung Web, Mobile or API platform. You may direct report to owner/vendor, as BukuWarung do-not holds the right to change or mitigate these targets.
Eligibility Criteria
Be the first to report the issue to us, the report will be considered as duplicate, if the bug reported already by any security researcher or internal security team, hence no eligible for monetary reward, but be eligible for Hall of Fame only for Critical, High and Medium Level severity.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Include a video, screenshot, code, etc. where needed.
- Once the bug is found, share the POC report to us at bug-bounty-report@bukuwarung.com mentioning Report Title, Description, Affected asset/location/URL, Step to Reproduce, Mitigation, Related Reference and Video (if required), video will help our to team to reach out to you ASAP.
Don’t violate the privacy of other users, destroy data, disrupt our services, etc. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Give enough time for us to assess your report. Spam impacts BukuWarung’s Vulnerability Disclosure Program efficiency.
Don’t target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
In case you find a severe vulnerability that allows system access, you must not proceed further.
It is BukuWarung’s decision to determine when and how bugs should be addressed and fixed.
Disclosing bugs to a party other than BukuWarung is forbidden, all bug reports are to remain at the reporter and BukuWarung’s discretion.
Threatening of any kind will automatically disqualify you from participating in the program.
Exploiting or misusing the vulnerability for your own or others’ benefit will automatically disqualify the report.
Do-not use or target any user’s account, only use number of dummy accounts as per your use case.
In case you find a severe vulnerability that allows system access, you must not proceed further.
If needed, you agree to participate in testing the effectiveness of the countermeasure applied to your report.
You agree to keep any communication with BukuWarung security team.
Once, the bug report is shared, the severity of the bug will be decided by our security team via latest CVSS Score v4.0.
- The bug shared is Out-of-Scope, will not be considered a valid bug.
- Bug disclosure communications with BukuWarung’s Security Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
- We strictly do-not entertain the disclosure of bug report publicly, if found, a legal action will be taken against you, also you will be disqualified from our Vulnerability Disclosure Program forever.