Bug Bounty Program
for the community, which is a crucial contributor to the security
How to report a vulnerability
- Please notify us as soon as you discover a potential security vulnerability in any of our products. Encrypt all of your attachments with our PGP key, and make sure you include:
- Where the vulnerability was found and what it enables an attacker to do.
- A detailed description of the steps needed to reproduce the vulnerability (proofs of concept, screenshots, and videos are helpful).
- Please include one vulnerability per report (unless the vulnerabilities form an attack chain).
- You must be the first researcher to submit a report concerning a specific vulnerability.
Program Rules
- All information about the vulnerability must be kept confidential and not shared with third parties.
- You must have identified the vulnerability personally or while working as a part of a team.
- You must not be employed by AsiaHabit, its subsidiaries, or related entities currently or within the last 12 months.
- You must comply with this policy when discovering vulnerabilities and when submitting a vulnerability report.
- Do not destroy or modify data that is not yours. Only use or access accounts and information that belong to you.
- Do not degrade the performance of our products and services.
- Do not perform social engineering, physical, or denial-of-service attacks.
What you can expect from us
- After receiving your report, we will validate it within one business day and send you a confirmation. Depending on the exposure, we may award you a bounty as a thank you.
- We determine bug bounty amounts based on various factors, including impact, ease of exploitation, and the quality of your report.
- If we pay a bug bounty, the maximum reward is 50,000 THB. Lower amounts are more typical, and some reports may not qualify for a reward despite being valid.
- We aim to pay similar amounts for similar issues, but bug bounty amounts and qualifying issues may change over time. Past rewards do not necessarily guarantee similar results in the future.
- You must provide your name and bank account number to receive a bank transfer.
Examples of Non-Qualifying Vulnerabilities
- Any activity that could lead to the disruption of our service (DoS)
- Mixed-content scripts and insecure cookies outside of our platform
- Spam or social engineering attacks against AsiaHabit Support
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
- Unverified reports from vulnerability scanners
- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- Security issues in third-party apps or websites that integrate with AsiaHabit but do not further compromise AsiaHabit systems or data
- Vulnerabilities that rely on planting back doors or similar mechanisms on employee devices
- Attacks requiring man-in-the-middle (MITM) positioning or physical access to a user's device
- Previously known vulnerable libraries without a working proof of concept
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Comma-Separated Values (CSV) injection without demonstrating a resulting vulnerability
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Software version disclosure, banner identification issues, and descriptive error messages or headers (e.g., stack traces, application or server errors)
- Tabnabbing
- Open redirects, unless an additional security impact can be demonstrated