We will pay out up to USD $1000 based on the severity and novelty of the reported fraud. Grab reserves the right to determine the payout value without explanation. Our decision will be final, and further queries on a resolved fraud case will not be entertained.
About the Programme
GRAB INC. (“GRAB”) strongly believes in protecting our passengers' and our driver-partners' safety and security and in limiting their risk exposure. Our priority is to make sure our platform remains as safe as possible for all our users by eliminating fraudulent activities.
We believe that practicing ‘responsible disclosure’ is the best way to safeguard our users. Responsible disclosure allows individuals to notify companies of any fraudulent activities before going public with the information. If you suspect any Grab drivers, passengers or partners of fraudulent activities, we will work with you to not only resolve the issue promptly, but also ensure you are rewarded for discovering and reporting the case.
For the full terms and conditions, click to download.
We want to assure you that your responses are completely anonymous. Additionally, your responses will be summarized in a report to further protect your anonymity.
For all submissions, you shall include:
A full description of the vulnerability being reported, including its exploitability and impact.
All steps required to reproduce the exploit of the vulnerability.
Submit all details here
Our rewards are impact-based. This means that the value of the reward will depend on the potential financial implication the issue has for Grab or its users. When we have our reward meetings, we always ask one question: if a fraudster abuses this, how much worse off are we? We assume the worst and fix the fraud vulnerability accordingly.
If we receive several reports for the same issue, we will reward the earliest report with enough actionable information to identify the issue. If a single fix addresses multiple fraud situations, we treat this as a single fraud. For example, if you find 3 ways to abuse a promotional campaign, and our fix is to stop the campaign, this will receive a single reward, determined, as always, by impact.
Grab reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a reward under this programme, you should:
Be the first to report a specific fraud.
Send a clear textual description of the report along with steps to reproduce the fraud pattern. Include attachments such as screenshots, videos or proof of concept when necessary.
Disclose the fraud report directly and exclusively to us. Disclosure to third parties, including vulnerability brokers, before we have addressed your report will forfeit the reward.
In-Scope Fraud Cases
Wondering what would be considered fraudulent activity? Here are some examples. For cases that are not listed here, do report them to us and we’ll review them accordingly.
Passenger creates multiple accounts to cheat on promo codes.
Driver self-books rides or gets a friend to book them to inflate their ride count and receive incentives.
Driver uses illegal apps to pick and choose jobs without affecting acceptance rating.
Driver taps ‘Pick up’ and ‘Drop off’ without the rider on board to hit targets.
A driver’s account is hacked by someone else to sabotage the driver’s ratings.
Driver keys in extra toll charges, or passenger uses an invalid card to book rides in order to get free rides.
level data like GPS, device IDs etc.
Driver uses a GPS manipulation app to appear anywhere on the map, or uses rooted devices to create multiple rider accounts.
Driver uses his/her rider account to help other drivers hit the target.
Invalid Driver App
Driver uses an old or unauthorised version of the Grab Driver app to capitalise on known bugs.
Out-of-Scope Fraud Cases
There are certain cases that are not accepted under this programme because they are not malicious and/or because they have low impact. Therefore, they will be immediately marked as invalid.
The following findings are specifically excluded from the programme:
• Passenger self referrals
This is not a bug bounty programme. Any security vulnerabilities or bug reports will not be entertained by this programme.
We don’t need specific fraudster accounts; we need your reports on new fraud patterns that are being employed by fraudsters.