We will pay out up to USD $1000 based on the severity and novelty of the reported fraud. Grab reserves the right to determine the payout value without explanation. Our decision will be final and further queries on a resolved fraud case will not be entertained.
WHAT IS GRAB FAIRPLAY PROGRAMME?
The Grab FairPlay programme is a platform where Grab users can report any fraudulent activities within the Grab community.
The main objective of this programme is to ensure our platform remains as safe as possible for all our users, as Grab strongly believes in protecting our passengers', drivers' and partners' safety, security, and risk exposure.
A reward of up to US$1000 will be paid based on the severity and novelty of the reported fraud. Grab reserves the right to determine the payout value. Our decision will be final and further queries on a resolved fraud case will not be entertained.
For the full terms and conditions, click to download.
HOW TO SUBMIT A FAIRPLAY REPORT?
If you have information on any fraudulent activities involving our driver-partners, passengers or corporate partners, you may submit the information via our FairPlay submission Form.
Rest assured that all submissions are completely anonymous to protect your identity.
For all submissions, you shall include:
• Full description of the vulnerability being reported including the exploitability and impact.
• Document all steps required to reproduce the exploit of the vulnerability.
Our rewards are impact-based. This means that the value of the reward depends on the potential financial implication the fraud has for Grab or its users. When we have our reward meetings, we always ask one question: if a fraudster abuses this, how much worse off are we? We assume the worst and fix the fraud vulnerability accordingly.
If we receive several reports for the same issue, we will reward the earliest report with enough actionable information to identify the issue. If a single fix resolves multiple fraud situations, we treat this as a single fraud. For example, if you find 3 ways to abuse a promotional campaign, and our fix is to stop the campaign, this will receive a single reward, determined, as always, by impact.
Grab reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a reward under this programme, you should:
• Be the first to report a specific fraud.
• Send a clear textual description of the report along with steps to reproduce the fraud pattern. Include attachments such as screenshots, videos or proof of concept when necessary.
• Disclose the fraud report directly and exclusively to us. Disclosure to third parties, including vulnerability brokers, before we have addressed your report will forfeit the reward.
In-Scope Fraud Cases
Wondering what would be considered fraudulent activity? Here are some examples. For cases that are not stated here, do report them to us and we’ll review them accordingly.
Passenger creates multiple accounts to cheat on promo codes.
Driver self-books or gets a friend to book to hike up their ride count to receive incentives.
Driver uses illegal apps to pick and choose jobs without affecting acceptance rating.
Driver taps ‘Pick up’ and ‘Drop off’ without the rider on board to hit targets.
A driver’s account is hacked by someone else to sabotage the driver’s ratings.
Driver keys in extra toll charges or passenger uses an invalid card to book rides to get free rides.
level data like GPS,
device IDs etc
Driver uses a GPS manipulator to appear anywhere on the map, or rooted devices that can create multiple rider accounts.
Driver uses his/her rider account to help other drivers hit the target.
Invalid Driver App
Driver uses an old or unauthorised Grab Driver app version to capitalise on bugs and flaws.
Out-of-Scope Fraud Cases
There are certain cases that are not accepted under this programme because they are not malicious and/or because they have low impact. Therefore, they will be immediately marked as invalid.
The following findings are specifically excluded from the programme:
• Passenger self referrals
This is not a bug bounty programme. Any security vulnerabilities or bug reports will not be entertained by this programme.
We don’t need specific fraudster accounts, but we do need your reports on new fraud patterns that are being employed by fraudsters.