Carro Security Bug Bounty Program (CSBBP)

Objective

The purpose of Carro Security Bug Bounty Program (CSBBP) is to recognize independent security researchers and experts who spend their valuable time and skills to report information security system weakness to Carro. This weakness can be any sort of security exploits, vulnerabilities and security misconfiguration within Carro Information system. Upon confirmation and verification of reported weakness, Carro shall compensate the individual with an appropriate reward based on the vulnerabilities reported.

Scope

Scope of this CSBBP is limited to following public facing websites & information.

https://carro.sg/
https://carro.id/
https://th.carro.co/
https://mytukar.com/
Any other sensitive & critical information related to Carro which available publicly.

Out of Scope

Any vulnerabilities which not related to Carro & MyTukar domains, or the application vulnerability derived from usage of 3rd party web interface or API.

Severity, Impact and Vulnerabilities

Severity	Impact	Vulnerabilities
Critical	Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote execution, financial theft, etc.	Remote Code Execution Vertical Authentication Bypass XML External Entities Injection with significant impact SQL Injection with significant impact Personal Identifiable Information (PII) Information
High	Vulnerabilities that affect the security of the platform including the processes it supports	Lateral authentication bypass Stored XSS with significant impact CSRF with significant impact Direct object reference with significant impact Internal SSRF Personal Identifiable Information (PII) Information
Medium	Vulnerabilities that affect multiple users and require little or no user interaction to trigger	Reflective XSS with impact Direct object reference URL redirect CSRF with impact
Low	Vulnerabilities that affect singular users and require interaction or significant prerequisites (MitM) to trigger	SSL misconfigurations with little impact SPF configuration problems XSS with limited impact CSRF with limited impact

How to report your findings

Independent researcher should write a detailed report including (but not limited to)
1. Summary of the findings
2. Detailed description
3. Steps to reproduce the issue
4. Supporting material e.g., screenshot, logs or videos
5. Impact of this findings
6. Mitigation steps
All details should be protected with password e.g. zip with password.
Send the details to [email protected]. Password shall be sent as a separately email.

Others

Carro Information Security department will review and validate the finding before getting back to the researcher. The process might take up to 30 days.
Please do not submit findings from General Web Application testing or DNS related, as these findings were already identified by our internal team.

Have some questions?

Chat with us directly!