Grab icon Grab HackerOne

Target Policy
https://hackerone.com/grab?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • kios.grab.com
    URL
    none
  • drive.grab.co
    URL
    critical
  • *.grabpay.com
    WILDCARD
    critical
  • api.grabpay.com

    **What it does:** Grab iOS and Android apps communicate with this service while you use Grab specifically for newer payment features. This endpoint acts as an API gateway proxy to all of our services. This API exposes the largest attack surface of any service here at GrabPay.

    **What to look for:** Much like our external API, `api.grabpay.com` is a RESTful API performed over HTTPS requests. The best way to hunt for bugs here is to use your own auth token via the `X-mts-ssid` header and look for authorization and access control issues, business logic and etc. Please keep in mind that you should only ever perform this testing against accounts you own, accessing any data not owned by you can result in disqualification.

    **What it runs on:** Golang / Java

    URL
    critical
  • xtramile.grabpay.com
    URL
    critical
  • wiki.grab.com

    Please note that since this is a third-party application, most reports will typically be marked with a maximum of medium-severity (especially due to modifications not controlled by the Grab team, but by the vendor). In cases where the vulnerability is severe enough, such as an RCE, mass retrieval of personal information etc, we will review them on a case-by-case basis and will reward a bounty accordingly at our discretion.

    URL
    critical
  • *.taralite.com

    Staging/Development/UAT environments are considered out-of-scope, such as:
    - *.byte-stack.net
    - *.dududev
    - *.uat-ovo.net
    and other assets that might not be explicitly listed

    WILDCARD
    high
  • ovo.id

    OVO's Android App:
    https://play.google.com/store/apps/details?id=ovo.id

    Staging/Development/UAT environments are considered out-of-scope, such as:
    *.byte-stack.net
    *.dududev
    *.uat-ovo.net and other assets that might not be explicitly listed.

    GOOGLE_PLAY_APP_ID
    critical
  • mos.grabpay.com
    URL
    medium
  • hungrygowhere.com

    HungryGoWhere is a food discovery platform that helps users explore dining options, reviews, and deals, primarily in Singapore.

    URL
    high
  • *.ovo.id

    Staging/Development/UAT environments are considered out-of-scope, such as:
    - *.byte-stack.net
    - *.dududev
    - *.uat-ovo.net
    and other assets that might not be explicitly listed.

    WILDCARD
    high
  • hungrygowhere.com

    In-scope only in November to December 2022 Promotion

    URL
    critical
  • https://paysuite.grab.com/hub

    In-scope only in November to December 2022 Promotion

    URL
    critical
  • com.grab.merchant
    GOOGLE_PLAY_APP_ID
    critical
  • 1481198245

    MoveIt is an independent two-wheeler taxi platform serving the Philippines.

    APPLE_STORE_APP_ID
    critical
  • http://*.myteksi.com
    WILDCARD
    critical
  • http://*.myteksi.net
    WILDCARD
    critical
  • http://*.grab.com
    WILDCARD
    critical
  • http://*.grabpay.com
    WILDCARD
    critical
  • http://*.grab-sure.com

    **Please note: This asset is only in-scope during the March 4 to April 3 2023 Grab promotion.**

    WILDCARD
    critical
  • http://*.grabtaxi.com
    WILDCARD
    medium
  • http://*.grab.co
    WILDCARD
    medium
  • jira.grab.com

    Please note that since this is a third-party application, most reports will typically be marked with a maximum of medium-severity (especially due to modifications not controlled by the Grab team, but by the vendor). In cases where the vulnerability is severe enough, such as an RCE, mass retrieval of personal information etc, we will review them on a case-by-case basis and will reward a bounty accordingly at our discretion.

    URL
    critical
  • 1142114207

    OVO iOS application
    https://apps.apple.com/ID/app/id1142114207
    Staging/Development/UAT environments are considered out-of-scope, such as:
    - *.byte-stack.net
    - *.dududev
    - *.uat-ovo.net
    and other assets that might not be explicitly listed.

    APPLE_STORE_APP_ID
    critical
  • com.moveit.app.customer

    MoveIt is an independent two-wheeler taxi platform serving the Philippines.

    GOOGLE_PLAY_APP_ID
    critical
  • *.myteksi.net
    WILDCARD
    critical
  • kartaview.org

    URL
    medium
  • p.grabtaxi.com

    **What it does:** Grab iOS and Android apps communicate with this service while you use Grab. This endpoint acts as an API gateway proxy to all of our services. This API exposes the largest attack surface of any service here at Grab.

    **What to look for:** Much like our external API, p.grabtaxi.com is a RESTful API performed over certificate-pinned HTTPS requests. The best way to hunt for bugs here is to use your own auth token via the X-mts-ssid header and look for authorization and access control issues, user enumeration, business logic etc. Please keep in mind that you should only ever perform this testing against accounts you own, failure to do so could result in ban from the program, which nobody wants!.

    **What it runs on:** Golang

    URL
    critical
  • *.ovofinansial.com

    *.taralite.com has been rebranded as OVO Finansial

    WILDCARD
    critical
  • C103149579

    Grab Driver app for Huawei Devices(using HMS)
    https://appgallery.huawei.com/#/app/C103149579

    OTHER
    critical
  • 647268330

    Grab (iOS)

    * Eligible for updated mobile Apps bounty rewards offering (up to $15,000 for a Critical vulnerability)

    APPLE_STORE_APP_ID
    critical
  • com.grabpay.merchant

    GrabPay Merchant

    GOOGLE_PLAY_APP_ID
    medium
  • 1343620481

    GrabPay Merchant

    APPLE_STORE_APP_ID
    medium
  • grab.careers
    URL
    medium
  • gamma.grab.co
    URL
    critical
  • manage.grab.co
    URL
    critical
  • C100447517

    Grab Superapp for Huawei Devices(using HMS)
    https://appgallery.huawei.com/#/app/C100447517

    OTHER
    critical
  • 1257641454

    Grab Driver

    * Eligible for updated mobile Apps bounty rewards offering (up to $15,000 for a Critical vulnerability)

    APPLE_STORE_APP_ID
    critical
  • *.grab-sure.com

    WILDCARD
    critical
  • gifts.grab.com

    URL
    critical
  • *.myteksi.com
    WILDCARD
    critical
  • com.grabtaxi.passenger

    Grab (Android)

    * Eligible for updated mobile Apps bounty rewards offering (up to $15,000 for a Critical vulnerability)

    GOOGLE_PLAY_APP_ID
    critical
  • *.grabtaxi.com
    WILDCARD
    medium
  • com.grabtaxi.driver2

    Grab Driver

    * Eligible for updated mobile Apps bounty rewards offering (up to $15,000 for a Critical vulnerability)

    GOOGLE_PLAY_APP_ID
    critical
  • *.grab.co
    WILDCARD
    medium
  • *.grab.com
    WILDCARD
    critical
Target Scope Domains
  • api.grabpay.com
  • drive.grab.co
  • gamma.grab.co
  • gifts.grab.com
  • grab-sure.com
  • grab.careers
  • grab.co
  • grab.com
  • grabpay.com
  • grabtaxi.com
  • hungrygowhere.com
  • jira.grab.com
  • kartaview.org
  • manage.grab.co
  • mos.grabpay.com
  • myteksi.com
  • myteksi.net
  • ovo.id
  • ovofinansial.com
  • p.grabtaxi.com
  • paysuite.grab.com
  • taralite.com
  • wiki.grab.com
  • xtramile.grabpay.com
Tech Stack
Last Finished Scan:
Scan Name
Fleet
Finished
State
auto-dnsenum-threaded
allsubs
1 month, 4 weeks ago
Finished
auto-dnsenum-threaded
  • Fleet: allsubs
  • Duration: 57 Seconds
  • Finished: 1 month, 4 weeks ago