About Bug Bounty Program
At EdenFarm we care about the safety and security of our user information and we keep on innovating to develop a secure and user-friendly app for our community. We welcome contributions from external security researchers to discover and report potential vulnerabilities in EdenFarm's platforms.
Please ensure that you adhere to the following rules when participating in the EdenFarm bug bounty program:
- Provide detailed reports with reproducible steps to be eligible for a reward, in English or Bahasa Indonesia to [email protected]
- One vulnerability per report submission except for chain vulnerabilities. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- In the event when duplicates occur, we only reward the first reporter, provided that it can be fully reproduced. EdenFarm reserves the right to determine whether a report is a duplicate, and is not required to disclose the details of the bug bounty report.
- Do not use a discovered vulnerability to view, delete, alter, or publish user data.
- In order to qualify for a bounty, you must consent to providing a full name that matches your ID card and bank account, a social media account (Instagram, LinkedIn, Twitter), and a mobile number for the verification process.
- If you would like to be featured on our "Wall of Fame", please send us a consent email with the alias you would like to be identified as. We will not publish any identifiable information besides your alias and the severity of the disclosed vulnerability.
- For security bug reports, please create a report through this portal, including a proof of concept that contains step-by-step instructions, screenshots and remediation advice. Don't forget to attach a proof-of-concept video showing how to reproduce the vulnerability.
To potentially qualify for a bounty, you first need to meet the following requirements:
- You are not allowed to submit a report by contacting EdenFarm employees directly or through other channels; only the official EdenFarm bug bounty email address counts for the report.
- Adhere to our responsible disclosure policy as set out in the program rules above.
- Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. EdenFarm reserves the right to determine the risk of an issue or bug in the report, as not all software bugs are security issues or carry a security or privacy risk.
- Your report must describe a problem involving one of the products or services listed below (see "In Scope" and "Out of Scope").
- We specifically exclude certain types of potential security issues; these are listed below (see "In Scope" and "Out of Scope").
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations or other confidential information) while investigating an issue, you must disclose this in your report.
- Use test accounts when investigating issues. If you cannot reproduce an issue with a test account, you can use a real account (except for automated testing). Do not interact with other accounts without consent.
In turn, we will follow these guidelines when evaluating reports under our bug bounty program:
- We determine bounty amounts based on a variety of factors, including but not limited to impact, ease of exploitation and quality of the report.
- EdenFarm reserves the right to publish reports and accompanying updates.
By participating in this bug bounty program, you are fully committed to:
- Give us reasonable time to investigate and mitigate an issue that you report before making any information about the report public or sharing such information with others.
- Not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
- Make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorised access to or destruction of data, and interruption or degradation of our services.
- Act in good-faith security research to prevent disruptions and produce minimum to no impact for EdenFarm and other EdenFarm users.
- Not exploit security issues that you discover for any reason, including demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.
- Comply with any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting unauthorised access to data.
- For the purposes of this policy, you are not authorised to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person, except as part of vulnerability validation.
- Researchers may only disclose a vulnerability to the public at least 3 months after the vulnerability is fixed and upon approval from the EdenFarm tech team. You are required to submit a disclosure request to [email protected] and obtain written consent from EdenFarm. EdenFarm reserves the right to decide whether submitted reports are allowed to be published to the public or not. EdenFarm will initiate legal action against researchers who publish reports without EdenFarm's written consent.
Bounty Reward & Response Target
The following scheme will be followed according to the severity:
- Low (Up to IDR300,000 EdenFarm Voucher & Wall of Fame)
- Medium (Up to IDR700,000 & Wall of Fame)
- High (Up to IDR1,000,000 & Wall of Fame)
- Critical (Up to IDR1,500,000, IDR300,000 EdenFarm voucher & Wall of Fame)
EdenFarm will make a best effort to meet the following response targets for researchers participating in our bug bounty program:
- Time to triage (from report submit) - 10 business days
- Time to bounty decision (from report submit) - 15 business days
- Time to issue resolution (from report submit) - 31 business days
Note: We will process the reward within a maximum of 60 (sixty) business days after the Bug Bounty Report is deemed valid and verification is completed.
PT. Eden Pangan Indonesia (EdenFarm) reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time.
We guarantee that we will not impose sanctions or initiate any legal process against you as long as you comply with the EdenFarm Bug Bounty Program rules.
We may impose sanctions and/or take legal action, under the legal provisions that apply, against anyone who does not follow the program rules or applicable law, including (but not limited to) the Laws and Regulations regarding information and electronic transactions.
Bug Bounty rewards are based on the impact of vulnerabilities. Please note these are general guidelines, and final reward decisions are at the discretion of PT. Eden Pangan Indonesia (EdenFarm) and subject to our eligibility requirements outlined in the policy page. Please refer to the "Bounty Reward & Response Target" section to understand the report timeline and how bounties are awarded.
In Scope Domain
- Android Mobile Application
- iOS Mobile Application
In Scope Vulnerability
- SQL Injection
- Cross-site Scripting (XSS)
- Significant Authentication Bypass
- Cross-site Request Forgery in Critical Action
- Information disclosure of Sensitive Information
- Server-Side Request Forgery (SSRF)
- Server-side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Exposed Administrative Panels that don't require login credentials
- Directory Traversal Issues
- Local File Disclosure (LFD)
- Server Side Template Injection (SSTI)
Out of Scope
Out of Scope Domain
- 3rd Party Apps (Microsite, WordPress, CMS, Blog, etc.)
- 3rd Party Plugins
Out of Scope Vulnerability
- Self-XSS (we require evidence on how the XSS can be used to attack another EdenFarm user).
- We will accept reports of XSS on Out of Scope Properties but will not reward for them.
- XSS issues that affect only outdated browsers.
- Reports that state that software is out of date/vulnerable without a proof of concept.
- Password, email and account policies, such as email ID verification, reset link expiration, password complexity.
- Missing security headers which do not lead directly to a vulnerability.
- Missing best practices (we require evidence of a security vulnerability).
- Host header injections unless you can show how they can lead to stealing user data.
- Reports of spam (i.e., any report involving ability to send emails & SMS without rate limits).
- Stack traces that disclose information.
- CSV injection.
- Highly speculative reports about theoretical damage. Be concrete.
- Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner).
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
- Social Engineering (Phishing, Fraud, etc.).
- Denial of Service Attacks.
- Reflected File Download (RFD).
- window.opener (tabnabbing) and related issues.
- Physical or social engineering attempts (this includes phishing attacks against EdenFarm employees).
- Content injection issues.
- Most Brute Forcing issues.
- Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.).
- Missing autocomplete attributes.
- Phishing risk via unicode/punycode or RTLO issues.
- Being able to upload files with wrong extension in chooser.
- Missing cookie flags on non-security-sensitive cookies.
- Issues that require physical access to a victim’s computer.
- Missing security headers that do not present an immediate security vulnerability.
- Missing HTTP security headers, for example: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only.
- Fraud issues (please see the below section elaborating on this).
- SSL/TLS scan reports (this means output from sites such as SSL Labs).
- Banner grabbing issues (figuring out what web server we use, etc.).
- Open ports without an accompanying proof-of-concept demonstrating vulnerability.
- Recently disclosed 0day vulnerabilities. We need time to patch our systems, please give us 1 month before reporting these types of issues.
- Open redirect (unless you can use it to obtain a user's token or sensitive information).
- Clickjacking (we will accept clickjacking reports if the impact is severe enough, e.g. on a sensitive page).