GoalsHalodoc security vulnerability bounty is designed to :
Reward those who responsibly disclose vulnerabilities on Halodoc properties.
Help making Halodoc more secure for it's users.
How to SupportSend an email with all the details to firstname.lastname@example.org
The email should contain at least the following information:
Vulnerability type (XSS, Session Hijack, etc).
Vulnerable service (Mobile apps, API, public website etc).
Details about vulnerability.
A proof of concept of the vulnerability (logs, screenshots or video as applicable).
Impact of the vulnerability.
Please do not publicly disclose the vulnerability until it has been patched.
We will privately acknowledge each incident reported at email@example.com. Patching of the disclosed vulnerability may take some time depending on the complexity of the vulnerability. We request the security researcher to provide us reasonable amount of time before making the vulnerability public.
We will acknowledge each incident reported as soon as we can.
We will be fast in patching any vulnerability reported. We will keep the reporter informed about the progress.
We will pay a bounty once the vulnerability is patched.
EligibilityHalodoc security vulnerability bounty is designed to :
The reported vulnerability should be a bug that compromises integrity of user data, bypasses privacy protections or enables unauthorised access. Other types of bugs are not eligible.
Reporter should be the first to disclose the vulnerability.
Do not attempt to gain access to another user’s account or data.
Do not perform any attack that could harm the reliability/integrity of our services or data.
Do not publicly disclose a bug before it has been fixed.
Only test for vulnerabilities on sites you know to be operated by Halodoc. - Vulnerabilities on third-party applications are excluded
Do not impact other users with your testing; this includes testing for vulnerabilities in portals you do not own.
Automated scanners or automated tools to find vulnerabilities are forbidden and will be blocked.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
No Distributed denial of service (DDoS/DoS) - we prohibit this activity, and the testing cluster is not scaled for these attacks
Do not contact Halodoc call center, helpdesk, or employee for any bug-bounty-related concerns or any vulnerability report.
The following finding types are specifically excluded from the bounty
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Fingerprinting/banner disclosure on common/public services.
Disclosure of known public files or directories (e.g., robots.txt).
OTP issue for indian number apart for Indonesia number is intended behaviour.
Issues that require non-simple user interaction, such as Self-XSS, clickjacking, that require the victim to install a certain application and interact with it, and issues that require MITM or access to physical devices.
Clickjacking on pages with no sensitive actions.
CSRF on forms that are available to anonymous users (e.g., login or contact form).
Logout / Login Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete' or ‘save password' functionality.
Lack of Security Speedbump when leaving the site.
No Captcha / Weak Captcha / Captcha Bypass
Login or Forgot Password page brute force and account lockout not enforced
HTTP method enabled
- OPTIONS, PUT,GET,DELETE,INFO
WebServer Type disclosures
Social engineering of our service desk, employees, or contractors
Physical attacks against Halodoc's offices and data centers
Error messages with non-sensitive data
Non-application layer Denial of Service or DDoS
Lack of HTTP Only / SECURE flag for cookies
Username / email enumeration
- via Login Page error message
- via Forgot Password error message
Missing HTTP security headers, specifically(https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
SPF / DMARC / DKIM Mail and Domain findings
Email Rate Limiting or Spamming
SSL Issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL weak/insecure cipher suites
- multiple cookie setting
- Anything to do with JSESSIONID
Service Rate Limiting
User or Org enumeration
Security Image Issues
Terms and conditions
Do not violate any legal laws. Don't be evil. Halodoc retains the right to pursue legal action if "Responsible Disclosure" is not followed.
Eligibility & amount given out as bounty is at the sole discretion of Halodoc.
For testing for vulnerabilities, use your own account. Testing should not violate any laws or access data of other users without their explicit approval.
Halodoc retains the right to modify or terminate this program at anytime without notice.
Hall of Fame
- Debby Nawang Sari
- Kusum Lata
- Roholesi Talaohy
- Aldi Saputra Wahyudi x2
- Alfons x2
- Arya Tunggal Narotama
- Faisal Yuda Hermawan
- Ibnu Batutah Zarizal x3
- Lu William Hanugra
- Muhammad Adib Arinanda
- Turab Ameer x2
- Yogeshwaran Chandrasekaran x2
- Zulfikar Adnan
- Abdullah x2
- Ade Yosep Yarmanto
- Adith Yogaswara
- Amurul Islam x2
- Ari Rosmiyati
- Emanual Beni
- Erlin Sulistyani
- M Arif Alfiki
- M Wahyudi
- Rendra Wahyu Febriyanto
- Rizky Sulistyo
- Root Bakar
- Yogeshwaran Chandrasekaran x2
- Yulianti Rahayu
- Erlin Silistyani St
- Erlin Sulistyani x2
- Mohamad Arifandy
- Pratama Aji Prisadi
- Zukhrufan Ramadhan