Policy
Rewards eligibility
Rewards
Rewards Payout
Exclusions
Programme terms
Policy
We strongly believe in protecting the safety, security, and risk exposure of our passengers, drivers and
partners; we deem this to be our top priority. We are also very keen on eliminating fraudulent activities and gaming
against our system. As a responsible company, we not only have a vested interest, but also a deep desire
to see the Internet remain as safe as possible for us all.
We believe that no platform is perfect and anyone can be on the receiving end of a coordinated fraud
scheme.
In our opinion, the practice of 'responsible disclosure' is the best way to safeguard the Internet. It allows
individuals to notify companies like Grab of any fraudulent activities before going public with the
information. If you believe you've found a novel fraud pattern that Grab users are employing, we are
happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your
discovery.
Coordinated disclosure rules
Please let us know as soon as possible upon discovery of a potential fraud case, and we’ll make every
effort to quickly correct the issue. Provide us a reasonable amount of time to act upon the issue before
publishing it elsewhere.
Make a good faith effort not to leak, manipulate, or destroy any user data. Please only test against
accounts you own yourself or with explicit permission of the account holder. Please refrain from
automated/scripted account creation.
Your activities are limited exclusively to:
· (1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
· (2) Sharing with, or receiving from, Grab information about a vulnerability or an indicator related
to a vulnerability.
● You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required
to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
● You avoid intentionally accessing the content of any communications, data, or information transiting
or stored on Grab information system(s) – except to the extent that the information is directly
related to a vulnerability and the access is necessary to prove that the vulnerability exists.
● You do not exfiltrate any data under any circumstances.
● You do not intentionally compromise the privacy or safety of Grab personnel or any third parties
related to Grab.
● You do not intentionally compromise the intellectual property or other commercial or financial
interests of any Grab personnel or entities, or any third parties.
● You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content
of information rendered available by a vulnerability, except upon receiving explicit written
authorization from Grab.
● You do not conduct denial of service testing.
● You do not conduct social engineering, including spear phishing, of Grab personnel or contractors.
● You do not submit a high volume of low-quality reports.
● If at any point you are uncertain whether to continue testing, please engage with our team.
Rewards eligibility
Grab reserves the right to decide if the minimum severity threshold is met and whether it was previously
reported. To qualify for a reward under this program, you should:
1. Be the first to report a specific fraud.
2. Send a clear textual description of the report along with steps to reproduce the fraud pattern.
Include attachments such as screenshots, videos or proof of concept code as necessary.
3. Disclose the fraud report directly and exclusively to us. Public disclosure or disclosure to other
third parties -- including vulnerability brokers -- before we have addressed your report will forfeit the
reward.
Rewards
Our rewards are impact-based. This means, for example, that we will issue a relatively high reward for a
fraud that has the potential to cause high financial implication to Grab or its users. When we have our
reward meetings, we always ask one question: If a fraudster abuses this, how bad off are we? We assume
the worst and fix the fraud vulnerability accordingly.
If we receive several reports for the same issue, we offer the Rewards to the earliest report for which we
had enough actionable information to identify the issue. We don't want to encourage people spamming
us with vague issues in an attempt to be first.
If a single fix fixes multiple fraud situations, we treat this as a single fraud. For example, if you find 3 ways
to abuse a promotional campaign, and our fix is to stop the campaign, this will receive a single Reward,
determined, as always, by impact.
Rewards Payout
We will pay out up to $1000 based on the severity and novelty of the fraud pattern. Grab reserves the right to
determine the payout value without explanation for the same. Our decision will be final and further
queries on a resolved fraud case will not be entertained.
In-Scope Fraud Classes
● Passenger promo abuse
● Driver incentive gaming
● Driver selective job acceptance without impacting Acceptance Rate/Cancellation Rate
● Ghost Rides
● Account takeovers
● Driver passenger collusion
● Out market grab apps
● Fare payment fraud
● Spoofing device-level data such as GPS, device IDs, etc.
Out-of-Scope Fraud Classes
This section lists issues that are not accepted under this programme because they are malicious
and/or have low impact; they will be immediately marked as invalid.
The following findings are specifically excluded from the Reward:
● Passenger self referrals
Exclusions
● This is not a bug bounty programme. Any security vulnerabilities or bug reports will not be
entertained by this programme.
● We don’t need specific fraudster accounts but need your reports on new fraud patterns that
are being employed by fraudsters.
Programme terms
For all submissions, you shall include:
● Full description of the vulnerability being reported including the exploitability and impact.
● Document all steps required to reproduce the exploit of the vulnerability.
You hereby grant to Grab and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferable,
sub-licensable (through multiple tiers) and exclusive license to use, reproduce, adapt, modify, publish,
distribute, publicly perform, reverse engineer, copy, create derivative works from, make, use, sell, offer for
sale and import your Submissions, and any materials submitted by you in connection with your
Submissions, for any purpose. You should not send us any Submission that you do not wish to license to
us.
You hereby represent and warrant that all Submissions are original to you and you own right, title, and
interest therein and thereto. Also, you hereby waive all other claims of any nature arising out of any
disclosure of Submission to Grab. In no event shall Grab be precluded from discussing, reviewing,
developing for itself, having developed, or developing for third parties, materials which are competitive
with those set forth in your Submissions irrespective of their similarity to the information in the
Submission.
Reward Payments
You may be eligible to receive a monetary reward, if: (i) you are the first person to submit a site or product
vulnerability; (ii) the minimum severity threshold is met, with the vulnerability being verifiable, replicable, and
determined to be a valid security issue by Grab’s fraud prevention team; and (iii) you have complied with
all Programme Terms.
In the event Grab elects to pay you a Reward, Grab may make a partial payment when the vulnerability is
first verified by Grab and then an additional payment once the vulnerability has been fixed. The format
and timing of all Reward payments shall be determined in Grab’s sole discretion.
All Reward payments will be made in United States dollars (USD). You will be responsible for any tax
implications related to Reward payments you receive, as determined by the laws of your jurisdiction of
residence or citizenship.
Grab will determine all Reward payout based on the risk and impact of the vulnerability. The maximum
Reward for a validated Submission is USD$1000.
Grab retains the right to determine if the fraud submitted to the Grab Fair Play Rewards Programme is
eligible. All determinations as to the amount of a Reward made by Grab are final and binding.
Additional Terms
Payout ranges are based on the classification and sensitivity of the data impacted, ease of exploit and
overall risk to Grab customers and the Grab brand, and on the activity being determined to be a valid
fraudulent activity by the fraud prevention team. Common sensitive data elements include customer social
security number, credit card number, card verification code, bank account number, login credentials and
passwords. Grab may pay beyond the range at times when fraud vulnerabilities are found to have significant risk.
Termination
Confidentiality
Any information you receive or collect about Grab or any Grab user through the Grab Fair Play Rewards
Programme (“Confidential Information”) must be kept confidential and only used in connection with the
Grab Fair Play Rewards Programme. You may not use, disclose or distribute any such Confidential
Information, including, but not limited to, any information regarding your Submission and information you
obtain when researching the Grab sites, without Grab’s prior written consent.
Indemnification
You hereby agree to defend, indemnify and hold Grab, its subsidiaries, affiliates and the officers, directors,
agents, joint ventures, employees and suppliers of Grab, its subsidiaries, or our affiliates, harmless from
any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out
of your Submissions, your breach of these Programme Terms and/or your improper use of the Grab Fair
Play Rewards Programme.
The Grab Fair Play Rewards Programme, including its policies, is subject to change or cancellation by
Grab at any time, without notice. As such, Grab may amend these Programme Terms and/or its policies at
any time by posting a revised version on our website or on this page. By continuing to participate in the
Grab Fair Play Rewards Programme after Grab posts any such changes, you accept the Programme
Terms, as modified.
General
This Agreement shall be governed by Malaysian law, without regard to the choice or conflicts of law
provisions of any jurisdiction, and any disputes, actions, claims or causes of action arising out of or in
connection with the Terms of Use or the Service shall be referred to the Asian International Arbitration
Centre (“AIAC”), in accordance with the Rules of the AIAC as modified or amended from time to time (the
“Rules”) by a sole arbitrator appointed by the mutual agreement of the parties (the “Arbitrator”). If parties
are unable to agree on an arbitrator, the Arbitrator shall be appointed by the President of the AIAC in
accordance with the Rules.
The seat and venue of the arbitration shall be Kuala Lumpur, in the English language and the fees of the
Arbitrator shall be borne equally by the parties, provided that the Arbitrator may require that such fees be
borne in such other manner as the Arbitrator determines is required in order for this arbitration clause to
be enforceable under applicable law.
No joint venture, partnership, employment, or agency relationship exists between you, the Company or any
third party provider as a result of this Terms and Condition.
If any provision of this Terms and Condition is held to be invalid or unenforceable, such provision shall be
struck and the remaining provisions shall be enforced to the fullest extent under law. This shall, without
limitation, also apply to the applicable law and jurisdiction as stipulated above.
The failure of Grab to enforce any right or provision in this Terms and Condition shall not constitute a
waiver of such right or provision unless acknowledged and agreed to by Grab in writing. The Terms of Use
comprises the entire agreement between you and Grab and supersedes all prior or contemporaneous
negotiations or discussions, whether written or oral (if any) between the parties regarding the subject
matter contained herein.
Grab is a licensee of GrabTaxi Holdings Pte Ltd (Company No. 201316157E and having its registered
address at 6 Shenton Way, #38-01 OUE Downtown, Singapore 068809) for the Grab App.