Instruction: **Please note: This asset is only in-scope during the March 4 to April 3 2023 Grab promotion.**
Integrity requirements:
Max severity: critical

Asset identifier: *.grab.co
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: medium

Asset identifier: *.grab.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: *.grabpay.com
Asset type: URL
Availability requirement:
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: *.grabtaxi.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: medium

Asset identifier: *.myteksi.com
Asset type: URL
Availability requirement: none
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: high
Max severity: critical

Asset identifier: *.myteksi.net
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: 1257641454
Asset type: APPLE_STORE_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Grab Driver
* Eligible for updated mobile Apps bounty rewards offering (up to $15,000 for a Critical vulnerability)
Integrity requirements:
Max severity: critical

Asset identifier: 1343620481
Asset type: APPLE_STORE_APP_ID
Availability requirement: none
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: GrabPay Merchant
Integrity requirements: low
Max severity: medium

Asset identifier: 647268330
Asset type: APPLE_STORE_APP_ID
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Grab (iOS)
* Eligible for updated mobile Apps bounty rewards offering (up to $15,000 for a Critical vulnerability)
Integrity requirements: high
Max severity: critical

Asset identifier: C100447517
Asset type: OTHER
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Grab Superapp for Huawei Devices (using HMS)
https://appgallery.huawei.com/#/app/C100447517
Integrity requirements: high
Max severity: critical

Asset identifier: C103149579
Asset type: OTHER
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Grab Driver app for Huawei Devices (using HMS)
https://appgallery.huawei.com/#/app/C103149579
Integrity requirements: high
Max severity: critical

Asset identifier: api.grabpay.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: **What it does:** Grab iOS and Android apps communicate with this service while you use Grab, specifically for newer payment features. This endpoint acts as an API gateway proxy to all of our services. This API exposes the largest attack surface of any service here at GrabPay.
**What to look for:** Much like our external API, `api.grabpay.com` is a RESTful API served over HTTPS. The best way to hunt for bugs here is to use your own auth token via the `X-mts-ssid` header and look for authorization and access control issues, business logic flaws, etc. Please keep in mind that you should only ever perform this testing against accounts you own; accessing any data not owned by you can result in disqualification.
**What it runs on:** Golang / Java
Integrity requirements: high
Max severity: critical

Asset identifier: com.grab.merchant
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: medium
Max severity: critical

Asset identifier: com.grabpay.merchant
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: GrabPay Merchant
Integrity requirements: low
Max severity: medium

Asset identifier: com.grabtaxi.driver2
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Grab Driver
* Eligible for updated mobile Apps bounty rewards offering (up to $15,000 for a Critical vulnerability)
Integrity requirements:
Max severity: critical

Asset identifier: com.grabtaxi.passenger
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Grab (Android)
* Eligible for updated mobile Apps bounty rewards offering (up to $15,000 for a Critical vulnerability)
Integrity requirements:
Max severity: critical

Asset identifier: gamma.grab.co
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: gifts.grab.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: **Please note: This asset is only in-scope during the March 4 to April 3 2023 Grab promotion.**
Integrity requirements:
Max severity: critical

Asset identifier: grab.careers
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: medium

Asset identifier: jira.grab.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Please note that since this is a third-party application, most reports will typically be capped at medium severity (especially because modifications to it are controlled by the vendor, not by the Grab team). In cases where the vulnerability is severe enough, such as RCE, mass retrieval of personal information, etc., we will review it on a case-by-case basis and reward a bounty accordingly, at our discretion.
Integrity requirements:
Max severity: critical

Asset identifier: kartaview.org
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: medium

Asset identifier: manage.grab.co
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical

Asset identifier: p.grabtaxi.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: **What it does:** Grab iOS and Android apps communicate with this service while you use Grab. This endpoint acts as an API gateway proxy to all of our services. This API exposes the largest attack surface of any service here at Grab.
**What to look for:** Much like our external API, `p.grabtaxi.com` is a RESTful API served over certificate-pinned HTTPS. The best way to hunt for bugs here is to use your own auth token via the `X-mts-ssid` header and look for authorization and access control issues, user enumeration, business logic flaws, etc. Please keep in mind that you should only ever perform this testing against accounts you own; failure to do so could result in a ban from the program, which nobody wants!
**What it runs on:** Golang
Integrity requirements: high
Max severity: critical

Asset identifier: wiki.grab.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Please note that since this is a third-party application, most reports will typically be capped at medium severity (especially because modifications to it are controlled by the vendor, not by the Grab team). In cases where the vulnerability is severe enough, such as RCE, mass retrieval of personal information, etc., we will review it on a case-by-case basis and reward a bounty accordingly, at our discretion.