Grab Bug Bounty – Terms & Conditions

GRAB INC. (“GRAB”) is always committed to security vigilance with respect to our customer information. We recognize the important role that security researchers and our user community play in helping to keep GRAB and our customers secure. If you discover a site or product vulnerability, please notify us using the guidelines below.

Program Terms

Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site or product vulnerability to GRAB you acknowledge that you have read and agreed to these Program Terms.

Program Scope

In principle, any GRAB-owned web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the following domains:


Bugs in GRAB-developed mobile apps and extensions, as well as some of our hardware devices (if any), will also qualify.

Responsible Disclosure Policy

To encourage responsible disclosures, GRAB commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms, GRAB will not bring a private action against you or refer a matter for public inquiry.

Eligibility Requirements

To be eligible for the Bug Bounty Program, you must not:

  • Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
  • Be in violation of any national, state, or local law or regulation, and your testing must not violate any law, or disrupt or compromise any data that is not your own;
  • Be employed by GRAB or its subsidiaries or affiliates;
  • Be an immediate family member of a person employed by GRAB or its subsidiaries or affiliates; or
  • Be less than 18 years of age. If you are at least 18 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.

If GRAB discovers that you do not meet any of the criteria above, GRAB will remove you from the Bug Bounty Program and disqualify you from receiving any bounty payments. Any submissions you make to GRAB, whether via your Bug Bounty Program account or via email shall be considered “Submission(s)” for purposes of these Program Terms.

Bug Submission Requirements and Guidelines

In researching vulnerabilities on GRAB’s sites, you may not engage in testing that (i) results in a degradation of GRAB systems, (ii) results in you, or any third party, accessing, storing, sharing or destroying GRAB or customer data, or (iii) may impact GRAB’s customers, such as but not limited to, denial of service, social engineering or spam.

You may not publicly disclose your findings or the contents of your Submission in any way without GRAB’s prior written approval.

Failure to follow these guidelines will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any bounty payments.

For all submissions, you shall include:

  • Full description of the vulnerability being reported including the exploitability and impact.
  • Document all steps required to reproduce the exploit of the vulnerability.

Provide all:

  • URL(s)/application(s) affected in the submission (even if you provided us a code snippet/video as well).
  • IPs that were used while testing.
  • Always include the user ID that is used for the POC.
  • Always include all of the files that you attempted to upload.
  • Provide the complete PoC for your submission (e.g. for RCEs, do not change files; upload only “hello world” test files, etc.).
  • Please save all the attack logs and attach them to the submission.
  • Remote Code Execution (RCE).

Failure to include any of the above items may delay or jeopardize the bounty payment.

Ownership of Submissions

As between GRAB and you, as a condition of participation in the GRAB Bug Bounty Program, you hereby grant GRAB, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to GRAB in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.

You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to GRAB. In no event shall GRAB be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as GRAB complies with the terms of participation stated herein.


This section contains issues that are not accepted under this program because they are malicious and/or because they have low security impact. They will be immediately marked as invalid.

The following findings are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP codes/pages or other HTTP non- codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Login & Logout CSRF
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speed bump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Content Spoofing without embedded links/html
  • Self-XSS
  • Missing HTTP security headers, e.g.:
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • Host Header
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL related issues
    • DNS issues (e.g. MX records, SPF records, etc.)
    • Server configuration issues (e.g. open ports, TLS, etc.)
  • Most vulnerabilities within our sandbox, uat, or staging environments.
  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer versions prior to version 8
  • Vulnerabilities involving active content such as web browser add-ons

Out of Scope bugs for Android apps

  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage
  • Lack of obfuscation is out of scope
  • OAuth & App secret hard-coded/recoverable in APK
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in app private directory
  • Lack of binary protection control in Android app
  • Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)

Out of Scope bugs for iOS apps

  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Absence of certificate pinning
  • Path disclosure in the binary
  • User data stored unencrypted on the file system
  • Lack of obfuscation is out of scope
  • Lack of jailbreak detection is out of scope
  • OAuth & app secret hard-coded/recoverable in IPA
  • Crashes due to malformed URL Schemes
  • Lack of binary protection (anti-debugging) controls
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits using tools like, but not limited to, Frida/Appmon (exploits only possible in a jailbroken environment)

Bounty Payments

You may be eligible to receive a monetary reward, or “bounty,” if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is verifiable, replicable, and determined to be a valid security issue by GRAB’s security team; and (iii) you have complied with all Program Terms.

Bounty payments, if any, will be determined solely by GRAB. In no event shall GRAB be obligated to pay you a bounty for any Submission. All bounty payments shall be considered gratuitous.

In the event GRAB elects to pay you a bounty, GRAB may make a partial payment when the vulnerability is first verified by GRAB and then an additional payment once the vulnerability has been fixed. The format and timing of all bounty payments shall be determined in GRAB’s sole discretion.

All bounty payments will be made in United States dollars (USD). You will be responsible for any tax implications related to bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

GRAB will determine all bounty payouts based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is USD 100 and the maximum bounty for a validated bug submission is USD 10,000.

GRAB Bug Bounty Team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the GRAB Bug Bounty Team are final.

Additional Terms

Payout ranges are based on the classification and sensitivity of the data impacted, the ease of exploit, and the overall risk to GRAB customers and the GRAB brand, for issues determined to be a valid security issue by GRAB’s security engineers. Common sensitive data elements include customer social security number, credit card number, card verification code, bank account number, login credentials and passwords. GRAB may pay beyond the range at times when bugs are found to have significant risk.

Please note that Clickjacking and CSRF vulnerabilities are only reviewed for sites and pages where the ease of exploit and risk to GRAB is significant. Also, please note that, while “Logout CSRF” is a well-acknowledged issue, there are other techniques (like “cookie forcing” and “cookie bombardment”) that can make it futile to defend against this attack. Also, GRAB web sessions are relatively short-lived and hence GRAB will not consider reports of the ability to log out users from GRAB as qualifying for a bounty.


In the event (i) you breach any of these Program Terms or (ii) GRAB determines, in its sole discretion, that your continued participation in the Bug Bounty Program could adversely impact GRAB (including, but not limited to, presenting any threat to GRAB’s systems, security, finances and/or reputation), GRAB may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments.


Any information you receive or collect about GRAB or any GRAB user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the GRAB sites, without GRAB’s prior written consent.


You hereby agree to defend, indemnify and hold GRAB, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of GRAB, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms and/or your improper use of the Bug Bounty Program.

Changes to Program Terms

The Bug Bounty Program, including its policies, is subject to change or cancellation by GRAB at any time, without notice. As such, GRAB may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after GRAB posts any such changes, you accept the Program Terms, as modified.