Carousell Group Bug Bounty Program
Welcome to Carousell Group's bug bounty program. Your contributions to our security are highly valued. If you discover a security issue, we encourage you to report it to us responsibly.
Bounty Rewards
The rewards for reporting security vulnerabilities vary depending on the severity of the vulnerability. We offer a range of rewards, from $50 to $300.
| Severity Level* | Bounty |
|---|---|
| Informational | None |
| Low | 50 USD or Merchandise |
| Medium | 100 USD |
| High | 200 USD |
| Critical | 300 USD |
*For details of the severity level, please see the section on “Vulnerability Types” below.
When a monetary bounty is applied, eligible reports will be assessed initially based on CVSS v4.0.
For all High and Critical vulnerabilities, besides CVSS v4.0, the internal assessment will also be applied to ensure alignment with our business priorities and development strategies.
Scope:
Brands that are in scope:
- Carousell
- Chotot
- Mudah
- Oneshift
- Revo
- OxLuxe
Note: All the domains and subdomains owned by the above group companies are in scope.
Timeline to response
| Type of response | Business Days |
|---|---|
| Response back and forth | 5-21 days |
| Time to Bounty | 40-45 days |
| Time to Resolution | Depends on the impact severity and complexity |
Disclosure Guidelines
By providing a submission under this Program or agreeing to the Program Terms, you agree and undertake, at all times, to maintain as confidential your report, and that you shall not distribute, disclose or use (other than for the strict purpose of this Bug Bounty Program) any information relating to your findings or the contents of your report, or allow such information and contents of your report to be distributed, disclosed to, or used by any third party in any way without Carousell group's prior written approval.
Failure to comply with the Program Terms, including these disclosure guidelines, will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any bounty payments, without prejudice to any other remedies or rights that the Carousell group may have.
How to Report a Security Issue:
Please use the form below to submit your security findings. We appreciate your cooperation in making our systems more secure.
Vulnerability Types
Carousell group will only award monetary rewards for reports demonstrating meaningful impact based on the Bounty Reward Level set out above. The following table provides examples of vulnerabilities and their various severities. All decisions on the severity of a vulnerability are at Carousell group's discretion and shall be final.
| Severity | Examples |
|---|---|
| Critical | RCE on production server, bulk personally identifiable information (PII) exposure, source code access, mass account takeover |
| High | Restricted or limited account takeover, privilege escalation |
| Medium | Business logic error with monetary impact |
| Low | Exposed API keys with low privileges |
| Informational | Duplicate or out-of-scope report |
Report Eligibility
Carousell group reserves the right to decide if the minimum severity threshold is met and whether the vulnerability was previously reported.
To qualify for a reward under the Bug Bounty Program, your report should:
- Be the first to report a specific vulnerability. Reported issues that are already known to us will be closed as duplicates;
- Contain a clear description of the vulnerability being reported and an explanation of the steps required to reproduce it; and
- Include evidence of the vulnerability. This might include videos, screenshots, exploit code, traffic logs, full web/API requests and responses, the email address or user ID of any test accounts, and the IP address used during testing.
Scope for Web applications
In-scope vulnerabilities
- Remote code execution (RCE) (please refer to the RCE guidelines below to secure your bounty)
- Injection attacks [SQL, XML, XXE, CRLF, SSI]
- Server-Side Request Forgery
- Insecure Deserialization
- Path Normalization
- Cross-site scripting (XSS)
- Directory traversal
- Significant security misconfiguration with a verifiable vulnerability
- Exposed usable credentials, API keys, etc.
- Improper/Broken Authentication
- Missing/Incorrect Authorization: Horizontal Privilege Escalation; Vertical Privilege Escalation; IDOR, Authorization Bypass
- Note: if a reproducible proof of concept is not included, the report is closed as "informational."
- Mass harvesting/crawling public information in a short time (emails, phone numbers, ads details)
- Cross-site request forgery (CSRF) only for sensitive functions in a privileged context
Out-of-scope vulnerabilities
The following findings are specifically excluded from the Bug Bounty Program:
- Physical interaction against the Carousell group's property
- Social engineering attacks, including those targeting or impersonating internal employees or customers by any means (e.g., customer support channels, social media)
- Limited username/email/phone number enumeration on customer-facing systems
- Scanner output or scanner-generated reports, including output from automated or active exploit tools
- Man-in-the-middle attacks, for example:
  - Intercepting HTTPS/HTTP traffic (like eavesdropping in a coffee shop)
  - Compromised end devices (PCs, phones) that proxy all traffic to an attacker without the victim's knowledge
- Any vulnerabilities without a specific, demonstrable impact:
  - Missing security HTTP headers (without proof of exploitability)
  - Use of a known-vulnerable library (without proof of exploitability)
  - Verbose error pages (without proof of exploitability)
- Any activity that could lead to the disruption of our service:
  - DoS/DDoS
  - Brute force attacks
  - Spam attacks
- Any vulnerabilities that require significant/unlikely/theoretical user interaction (e.g., disabling browser controls)
- "Self" XSS | HTTP Host Header XSS | Flash-based XSS
- Open redirection, except where:
  - Clicking a Carousell group-owned link redirects the user immediately
  - The redirection causes the loss of sensitive data (e.g., session tokens, PII)
- Issues with SSL certificates
- Incomplete/Missing SPF/DKIM
- Exposed credentials that are no longer valid (the Carousell group will confirm)
- Software Version Disclosure
- Missing cookie flags
- Reflected file download
- Arbitrary text injections
- Clickjacking/UI Redressing
- Missing Security Best Practices
- Autocomplete attribute on web forms
- Login/logout CSRF
- Vulnerabilities in any WordPress-based subdomains
Note: 0-day or any other known CVE vulnerabilities impacting our services can only be reported after 30 days. We have internal teams tracking CVEs.
Remote code execution (RCE) guidelines
For all RCE reports, a failure to provide any of the information below may result in ineligibility for the bounty payment:
- Source IP address
- Timestamp (with timezone)
- Full server requests and responses (copyable)
- Filename of any uploaded file
- Callback IP and port, if applicable
- Any data that was accessed (deliberately or inadvertently)
You may not:
- Modify any files or data (including permissions)
- Delete anything
- Interrupt normal operation (e.g., reboot/restart)
- Create persistent connections (e.g., backdoors)
- View any files
All decisions are at the discretion of the Carousell group and our decision shall be final.