Gojek launches its public bug bounty program on HackerOne


Gojek launches its public bug bounty program on HackerOne

We are pleased to announce that Gojek has launched its public bug bounty program on HackerOne on May 10, 2022. It offers exciting bounties upon finding in-scope vulnerabilities in Gojek’s servers, applications, website, and backend services, ranging from $100 for minor bugs to $5,000 for critical flaws.

We have been running a private bug bounty program for over a year now. With our ever-growing massive scale and rapidly expanding product offerings to our customers and merchants alike, securing our platforms and products becomes paramount. One way to solve this is to expand the scope of the program and rely on the contribution of the security researcher community as an additional layer of defense to protect our systems and users.We are particularly interested in vulnerability reports pertaining to our mobile applications.

If you’re an ethical hacker/researcher willing to participate, get started by visiting our program page where you can also find details about bounty tier, policy, and scope.

What is a bug bounty program?

With a bug bounty program, organizations offer ethical hackers a monetary reward - a bounty - for finding valid security vulnerabilities and safely reporting them so they can be resolved. Bug bounty programs incentivize third-party researchers to hunt for bugs and report them to the organizations that can fix these bugs before they can be exploited.

Why HackerOne?

HackerOne empowers the world to build a safer internet. As one of the most trusted hacker-powered security platforms, HackerOne gives organizations access to the largest community of ethical hackers on the planet. Armed with the most robust database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces. HackerOne was ranked fifth on the Fast Company World’s Most Innovative Companies list for 2020.

What’s new this time around?

Since last year our program has been run in a private mode where a set of researchers or ethical hackers are signed up for the program on an invite-only basis. Whereas now, since the public launch of the program, anyone can sign up and join the program.

With the scope of the program now being increased, researchers can find vulnerabilities on our partner domains such as GoFood, GoSend etc,.

How to go about it?

Researchers willing to participate can visit our program page on HackerOne and submit a vulnerability report. This report  will be triaged by the HackerOne team and later evaluated by the Gojek security teams. After careful evaluation of the reports, we fix the in-scope issues, and bounties will be paid according to the severity of vulnerabilities as mentioned in our program page.