Our submission page at https://bugbounty.ovo.id is live, please use the submission form to send your reports
OVO is committed to providing a secure and reliable platform for its users. We welcome skilled researchers to share with us any impactful issues and the techniques used to exploit them.
If you believe you’ve found a security bug in our services, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
We are running our own internal bug bounty program over at https://bugbounty.ovo.id, for more information related to scope, rewards, and submissions – please visit the aforementioned URL.
Modality of payment
OVO will only issue monetary rewards for reports demonstrating a meaningful impact. This means, for example, that we will issue a relatively high reward for a vulnerability that has the potential to leak sensitive user data, but that we will issue little to no reward for a vulnerability that allows an attacker to deface a micro-site.
While any external researcher is free to contribute to the program, all eligible bounty payouts* will be transferred to valid OVO Wallets in the form of OVO Points. Therefore, it is required that you provide a valid, and registered OVO account number to be able to receive your reward.
*in accordance with our policy
Legal terms and conditions
OVO reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time.
Code of conduct
Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue if it is found to be valid.
Be mindful of your approaches when performing tool-assisted and manual assessments. Try not to leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with the explicit permission of the account holder.
In the event of a bulk enumeration of customer data, refrain from harvesting large amounts of information. We will accept a small sample of data as a valid proof of concept.
You may not disclose any information about the issue outside of the program unless you receive explicit written consent from our team. Any public disclosure in defiance of this agreement can result in legal actions taken against the researcher.
Thank you for helping keep OVO and our users safe!