Bug Bounty Program

Kredivo Indonesia is a leading Indonesian fintech platform that provides digital credit and payment solutions to consumers and businesses. Launched in 2016, the company offers flexible financing options, including "Buy Now, Pay Later" (BNPL) services, allowing users to make purchases and repay them in installments with low or zero interest rates.

At Kredivo, we prioritize the safety of our business and customers. We are committed to collaborating with the global security community to identify and address potential vulnerabilities in our systems. Your participation is vital in helping us enhance security measures and deliver a safe experience for all Kredivo users.


Program Rules

  • Submit detailed reports to security.bug@kredivo.com with clear, reproducible steps. Incomplete reports may not qualify for a reward. Reports must include:
    • A detailed description of the vulnerability.
    • Clear, step-by-step instructions to reproduce the issue.
    • An evaluation of the potential impact of the vulnerability.
    • Reports must be written in English or Indonesian.
  • Submit one vulnerability per report unless multiple vulnerabilities need to be chained to demonstrate impact.
  • Reports must highlight a valid, previously unknown vulnerability.
    • Duplicate reports will be reviewed, and credit will be given to the original reporter.
  • Personal data may be required to process bounty payments for valid submissions.
  • Kredivo employees, contractors, and affiliates are ineligible to participate.
  • Responsible Disclosure: do not disclose vulnerabilities publicly until they are resolved and approved for disclosure.

Prohibited Actions

  • Do not use or compromise accounts belonging to other users, even for testing purposes.
  • Do not perform actions that could degrade, disrupt, or render services unavailable (e.g., denial of service attacks).
  • Do not exploit vulnerabilities beyond demonstrating their impact.
  • Do not access, modify, or delete other user data without explicit permission.
  • Social engineering is strictly prohibited.
  • Do not exploit vulnerabilities that require physical access to Kredivo’s or users’ devices or systems.
  • Do not target third-party services or applications not owned or operated by Kredivo.
  • Do not use discovered vulnerabilities for any financial or personal advantage.

Violating these rules may disqualify your report and exclude you from the program.

Reward Eligibility

  • Rewards are based on the severity, impact, and quality of the report.
  • Only the first report of a specific vulnerability is eligible for a reward. Duplicate submissions will not receive rewards.
  • Reports on out-of-scope issues, low-risk findings, or non-exploitable vulnerabilities may not be eligible for a reward.

Acknowledgements and Rewards

  • Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System) version 3.1. Please note these are general guidelines, and reward decisions are at the discretion of Kredivo.

    Severity    CVSS 3.1 score    Reward
    Critical    9.0 – 10.0        Rp 5.000.000
    High        7.0 – 8.9         Rp 3.000.000
    Medium      4.0 – 6.9         Rp 1.000.000
    Low         0.1 – 3.9         Rp 500.000
    • The following personal information is required for Kredivo to process bounty payments for valid submissions:
      • Indonesian Citizens: Personal Data contained in the National ID (KTP), NPWP, email address, and bank account number.
      • Foreign Nationals: Passport, email address, and bank account number.

Scope

Our Bug Bounty Program covers the following:

Please refer to the detailed scope to ensure your findings are within the eligible areas of our program.

Exclusions

Out-of-scope Assets:

Any assets not included in the above in-scope list are considered out-of-scope.

For Website/API

  • Third-party service vulnerabilities or components integrated into our systems.
  • Clickjacking on pages without sensitive actions.
  • Cross-Site Request Forgery (CSRF) with no significant impact.
  • Attacks requiring physical device access or related to physical security.
  • Claims of outdated/vulnerable software or libraries without a working proof of concept.
  • Denial of Service (DoS) or disruptions to service.
  • Rate limiting/brute force on non-authentication endpoints.
  • Issues affecting outdated/unpatched browsers (older than two stable versions).
  • Software version disclosure, banner identification, or descriptive error messages.
  • Public zero-day vulnerabilities patched within the last three months.
  • Tabnabbing or open redirects without demonstrated impact.
  • Exposure of third-party API keys with no security impact (e.g., Google Maps).
  • Public login panels or editable Git Wikis without proof of exploitation.
  • Disclosure of known public files or directories (e.g., robots.txt).
  • Self-injection (e.g., self-XSS) without broader user impact.
  • User enumeration through error messages or account verification.
  • Leaked credentials or data from external sources (e.g., public repositories, paste sites, third-party breaches) that are not directly tied to a security vulnerability in our systems. If you discover such credentials, we recommend reporting them through our bug-bounty disclosure process, but they do not qualify for a bounty.
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
  • Issues related to XMLRPC.
  • Unconfirmed reports from automated vulnerability scanners.
  • Missing best practices, such as:
    • Missing Content Security Policy
    • Missing HttpOnly or Secure flags on cookies
    • Missing or misconfigured security-related HTTP headers that don't directly lead to a vulnerability
  • Infrastructure issues, including:
    • Weak TLS/SSL versions or ciphers.
    • Mail server misconfigurations (e.g., spoofing, SPF, DMARC).
    • Server misconfigurations (e.g., open ports, TLS settings).

For Android/iOS Apps

  • Leaked URIs: malicious apps accessing URIs that already require the relevant permissions.
  • Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries).
  • Absence of certificate pinning.
  • Sensitive data in URLs or request bodies when secured by TLS.
  • File system paths exposed through application binaries.
  • Sensitive or unencrypted data stored insecurely, including on external storage or in private app directories.
  • Lack of code obfuscation or binary protection in the Android app.
  • No root or jailbreak detection in place.
  • Crashes caused by malformed intents unless sensitive data leakage is involved.
  • Crashes triggered by malformed URL schemes.
  • Sensitive data stored in the app's private directory.
  • Runtime hacking exploits requiring rooted devices or tools like Frida/Appmon.
  • Exposure of third-party API keys with no significant impact (e.g., Google Maps).
  • User enumeration through error messages or account verification.

Data Protection

Unless stipulated otherwise in this document, your participation in our Bug Bounty Program confirms that you acknowledge and agree to the following terms relating to protection of Data:

  • Definition: For the purpose of this Bug Bounty Program, the following terms shall have the following meaning:
    • “Agreed Purposes” are the purposes of Processing Data between the Parties, particularly for the implementation and/or fulfillment of the Bug Bounty Program and other scopes mentioned in this document.
    • “Confidential Information” is all data and information that is marked, signed, stamped, or otherwise designated in writing or stated verbally by the Disclosing Party as “confidential”, or that is of a reasonable nature, required by the Disclosing Party, or required by the applicable laws and regulations to be maintained and protected as confidential, including but not limited to: this Agreement; any agreements/arrangements between the Parties whose confidentiality is protected under this Agreement; business information, company data, technical or economic information, business plans, financial data, marketing plans, business processes, designs and technical information related to products, services, technology, networks, or infrastructure, whether in written, pictorial, machine-readable or other invisible form; partners’, vendors’ or customers’ data that is not Personal Data but is non-public in nature; or other information that is confidential or non-public.
    • “Data” is all data and information, including Personal Data and Confidential Information, provided by the Disclosing Party to the Receiving Party in relation to the implementation and/or fulfillment of the Agreed Purposes, and all data and information Processed by the Receiving Party in connection with the implementation of the Agreed Purposes.
    • “Data Protection Laws” are the laws and regulations that apply in the jurisdiction of the Republic of Indonesia, along with all regulations derived from and implementing them and their amendments from time to time, which regulate the protection of Data, including but not limited to: Law Number 27 of 2022 on Personal Data Protection, and Law Number 11 of 2008 on Information and Electronic Transactions as lastly amended by Law Number 1 of 2024, along with all derivative regulations and/or their implementation.
    • “Disclosing Party” is the Party that discloses and/or submits Data to the Receiving Party for the fulfillment or implementation of the Agreed Purposes.
    • “Personal Data” is data about an identified or identifiable person (“Data Subject(s)”), individually or in combination with other information, either directly or indirectly, through electronic or non-electronic systems.
    • “Processing”, “Process(es)”, or “Processed”, depending on the context and the series of words used in a sentence, shall have the same meaning ascribed to it in the Data Protection Laws, and includes the collection and acquisition, processing and analyzing, storing, rectifying and updating, disclosure, deletion, and/or destruction of Data for the implementation of the Agreed Purposes.
    • “Protection Failure” is a failure to protect Data in terms of its confidentiality, integrity, and availability, including security breaches, whether intentional or unintentional, which leads to destruction, loss, alteration, disclosure of or unauthorized access to the Data.
    • “Receiving Party” is the Party that receives Data either from the Disclosing Party or from the fulfillment or implementation of the Agreed Purposes.
  • Rights and Obligations: 
    • By participating in our Bug Bounty Program, you understand, comprehend and agree that Kredivo may Process your Personal Data for the Agreed Purposes in accordance with the procedures set out in the Data Protection Laws and our Privacy Statement.
    • In the event that you are exposed or able to access any Data from Kredivo’s environment during the implementation and/or fulfillment of the Agreed Purposes, you have the obligations related to Data protection as follows:
      • You shall always maintain the confidentiality, security and integrity of such Data in accordance with the applicable Data Protection Laws;
      • You are required to Process Data only for the implementation of the Agreed Purposes in accordance with the instructions of Kredivo. For the avoidance of doubt, you are prohibited from Processing Data for personal interests or interests outside the Agreed Purposes;
      • You are prohibited from disclosing, sending, and disseminating Data to any party without prior written approval from Kredivo. If you receive an order from the competent authority to disclose Data, then you must notify us immediately or no later than 1x24 hours from receipt of the order to Kredivo, and you must coordinate with Kredivo and follow any instructions given by Kredivo regarding such disclosure;
      • You are required to cooperate with us to provide the necessary information and assistance from time to time to Kredivo to enable us to comply with its obligations under the applicable Data Protection Laws;
      • You will not, intentionally or unintentionally, take any action that may cause Kredivo to violate its obligations under the applicable Data Protection Laws;
      • In relation to your obligation to strictly maintain the confidentiality, security and integrity of the Data, you will apply at least the same degree of care, and not less than a reasonable degree of care, as you do with respect to your own Data, and you are obliged to ensure that all steps related to the prevention and mitigation of the risks of Protection Failure, or of any risks to the Data that could be detrimental to Kredivo or any other party, have been implemented for as long as the Data is under your control;
      • You shall notify Kredivo with sufficient information when suspecting or knowing of a Protection Failure and/or violation of obligations in this document or applicable Data Protection laws, within 1x24 (twenty four) hours after you find suspicion or become aware of the occurrence of a Protection Failure or such violations;
      • You are obliged to immediately take all necessary steps to correct, stop or reduce the consequences of the Protection Failure and/or violation of obligations in this document and/or applicable Data Protection Laws within the timeframe regulated by the Data Protection Laws.
      • You must take all appropriate and reasonable steps to limit and cease the impacts of Protection Failure, as well as carry out instructions from and coordinate with Kredivo in addressing that Protection Failure and its impacts;
      • In the event of (a) a Protection Failure; (b) a violation of this document; (c) a violation of the applicable Data Protection Laws; (d) your having fulfilled your duty to achieve the Agreed Purposes; and/or (e) Kredivo issuing instructions to you, then you shall immediately and promptly stop accessing the Data and delete and destroy such Data under your possession or control, so that the Data is destroyed and can no longer be accessed by you;
      • You are required to comply with Kredivo’s requests for audits or checks at the first opportunity since Kredivo submitted the request to you;
      • You are prohibited from creating false Personal Data or falsifying any Personal Data and/or Confidential Information from Kredivo’s environment with the intention of benefiting yourself or others in a way that may result in losses for Kredivo and/or the Data Subjects concerned; and
      • You are prohibited from misusing and/or making unilateral claims related to the use of Data that Kredivo discloses and is under your possession or control in accordance with the terms and conditions in this document and applicable Data Protection Laws.

Legal

Participation in our Bug Bounty Program implies that you agree to the following terms:

  • Legal Protections: We will not take legal action against researchers who comply with the rules of this program. However, actions outside the scope or that violate these rules will void this protection.
  • Ownership: Unless otherwise specified in this document, all Data, including all findings and reports, is the exclusive property of Kredivo. Nothing in this Agreement shall be construed as transferring any rights contained in Data to you, including but not limited to rights or licenses to use, sell, exploit, imitate or further develop such Data. For the avoidance of doubt, all Personal Data that is Processed for the fulfillment of the Agreed Purposes is wholly owned by and attached to the Data Subject. Nothing in this document will be construed to declare and/or transfer the ownership of Personal Data to you.
  • Indemnification and Limitation of Liability: In the event of a Protection Failure and/or a violation of this document and/or the applicable Data Protection Laws caused by your fault, negligence, failure or violation, whether intentional or unintentional, you will be fully responsible, including for indemnifying Kredivo and every affected party, including the Data Subjects, materially and immaterially, for all consequences arising from such fault, negligence, failure or violation. You hereby acknowledge and undertake to release and discharge us from any demands, lawsuits, claims and/or indemnifications submitted by any party that are caused by a fault, negligence, failure or violation performed or caused by you, intentionally or unintentionally, in maintaining the confidentiality, security and integrity of Data while carrying out the Agreed Purposes.

Contact Information

For any questions regarding the Bug Bounty Program or if you need assistance, please reach out to us at security.bug@kredivo.com.



Thank you for helping us keep Kredivo secure.

Kredivo Security Team


Last updated on January 5, 2026