
About the Programme

GRAB INC. (“GRAB”) strongly believes in protecting our passengers' and our driver-partners' safety and security, and in limiting their risk exposure. Our priority is to make sure our platform remains as safe as possible for all our users by eliminating fraudulent activities.

We believe that practicing ‘responsible disclosure’ is the best way to safeguard our users. Responsible disclosure allows individuals to notify companies of any fraudulent activities before going public with the information. If you suspect any Grab drivers, passengers or partners of fraudulent activities, we will work with you to not only resolve the issue promptly, but also ensure you are rewarded for discovering and reporting the case.

For the full terms and conditions, click to download.

Submission Procedure

We want to assure you that your responses are completely anonymous. Additionally, your responses will be summarized in a report to further protect your anonymity.

For all submissions, you shall include:

    1. A full description of the vulnerability being reported, including its exploitability and impact.

    2. Documentation of all steps required to reproduce the exploit of the vulnerability.

    3. Submit all details here.

Rewards

Our rewards are impact-based. This means that the value of the reward will depend on the potential financial implication it has for Grab or its users. When we hold our reward meetings, we always ask one question: if a fraudster abuses this, how much worse off are we? We assume the worst and fix the fraud vulnerability accordingly.

If we receive several reports for the same issue, we will reward the earliest report with enough actionable information to identify the issue. If a single fix resolves multiple fraud situations, we treat this as a single fraud. For example, if you find 3 ways to abuse a promotional campaign and our fix is to stop the campaign, this will receive a single reward, determined, as always, by impact.

Rewards Eligibility

Grab reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. To qualify for a reward under this programme, you should:

  • Be the first to report a specific fraud.

  • Send a clear textual description of the report along with steps to reproduce the fraud pattern. Include attachments such as screenshots, videos or proof of concept when necessary.

  • Disclose the fraud report directly and exclusively to us. Disclosure to third parties, including vulnerability brokers, before we have addressed your report will forfeit the reward.

Reward Payments

We will pay out up to USD $1000 based on the severity and novelty of the reported fraud. Grab reserves the right to determine the payout value without explanation. Our decision will be final, and further queries on a resolved fraud case will not be entertained.

Fraud Scope

In-Scope Fraud Cases

Wondering what would be considered fraudulent activity? Here are some examples. For cases that are not stated here, do report them to us and we’ll review them accordingly.

  • Passenger promo abuse

    Passenger creates multiple accounts to cheat on promo codes.

  • Driver incentive gaming

    Driver self-books or gets a friend to book to inflate their ride count and receive incentives.

  • Driver selective job acceptance

    Driver uses illegal apps to pick and choose jobs without affecting their acceptance rating.

  • Ghost rides

    Driver taps ‘Pick up’ and ‘Drop off’ without the rider on board to hit targets.

  • Account takeovers

    A driver’s account is hacked by someone else to sabotage the driver’s ratings.

  • Fare payment fraud

    Driver keys in extra toll charges, or passenger uses an invalid card to book rides in order to get free rides.

  • Spoofing device-level data such as GPS, device IDs, etc.

    Driver uses a GPS manipulator to appear anywhere on the map, or uses rooted devices that can create multiple rider accounts.

  • Driver-passenger collusion

    Driver uses his/her rider account to help other drivers hit their targets.

  • Invalid Driver app versions

    Driver uses an old or unauthorised Grab Driver app version to capitalise on bugs.

Out-of-Scope Fraud Cases

Certain cases are not accepted under this programme because they are not malicious and/or because they have low impact. These will be immediately marked as invalid.

The following findings are specifically excluded from the programme:

  • Passenger self-referrals

Exclusions

This is not a bug bounty programme. Any security vulnerabilities or bug reports will not be entertained by this programme.

We don’t need specific fraudster accounts; we need your reports on new fraud patterns that are being employed by fraudsters.