Bug Bounty Program
for the community, which is a crucial contributor of the security
How to report a vulnerability
- Please notify us as soon as you discover a potential security vulnerability in any of our products. Encrypt all of your attachments by our PGP key, and make sure you include:
- Where the vulnerability was found, and what it enables you to do.
- Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
- Please include one vulnerability per report (unless in an attack chain).
- You must be the first researcher to submit a report concerning a specific vulnerability.
- All of the information must be kept confidential and not share with third parties.
- You must have identified the vulnerability personally or while working as a part of a team.
- You must not be employed by AsiaHabit, its subsidiaries, or related entities currently or within the last 12 months.
- You must comply with this policy when discovering vulnerabilities and when submitting a vulnerability report.
- Do not destroy or modify data that is not yours. Only use or access accounts and information that belong to you.
- Do not degrade the performance of the products and services.
- Do not perform social engineering, physical, or denial of service attacks.
What you can expect from us
- After receiving your report, we will validate it within one business day and send you a confirmation. Depending on the exposure, we may award you as a thank you.
- We determine bug bounty amounts based on various factors, including impact, ease of exploitation, and the quality of your report.
- If we pay a bug bounty, the maximum reward is 50.000 THB. Still, lower amounts are more typical, and some reports may not qualify despite being valid reports.
- We aim to pay similar amounts for similar issues, but bug bounty amounts and qualifying issues may change over time. Past rewards do not necessarily guarantee similar results in the future.
- You must provide your name and bank account number to receive a bank transfer.
Examples of Non-Qualifying Vulnerabilities
- any activity that could lead to the disruption of our service (DoS)
- mixed-content scripts and insecure cookies outside of our platform
- spam or social engineering attacks against AsiaHabit Support
- vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
- unverified reports from vulnerability scanners
- reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- security issues in third-party apps or websites that integrate with AsiaHabit but do not compromise AsiaHabit systems or data further
- vulnerabilities that rely on planting back doors or similar mechanisms on employee devices
- attacks requiring MITM or physical access to a user's device
- previously known vulnerable libraries without a working Proof of Concept
- clickjacking on pages with no sensitive actions
- cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- comma Separated Values (CSV) injection without demonstrating a vulnerability
- missing best practices in SSL/TLS configuration
- content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- missing best practices in Content Security Policy
- missing HttpOnly or Secure flags on cookies
- missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc)
- vulnerabilities only affecting users of outdated or unpatched browsers
- software version disclosure / banner identification issues / descriptive error messages or headers (e.g., stack traces, application or server errors)
- open redirect - unless an additional security impact can be demonstrated