XL Axiata Opens a Bug Bounty Program for Indonesian Pentesters - Welcome. This time I will share the latest news: PT. XL Axiata Tbk has opened a bug bounty program run directly by the company itself.

XL Axiata also has rules for the program, including in-scope and out-of-scope targets and rules you must follow in order to receive a reward for the findings you submit.

What Are the Rules of the XL Axiata Bug Bounty?

The targets included in this program are web applications and mobile applications, accessible at the URLs below:

  1. Web Application (https://www.xl.co.id/)
  2. myXL Android Application (https://play.google.com/store/apps/details?id=com.apps.MyXL;hl=id)
  3. MyAxisnet Android Application (https://play.google.com/store/apps/details?id=com.axis.net;hl=in;gl=US)

UPDATE: As of today, 23/04/2021 10:30 AM Indonesian time, all submissions that target Bizstore will be considered out of scope.
UPDATE: As of today, 28/04/2021 12:30 PM Indonesian time, all submissions that target e-atp will be considered out of scope.
UPDATE: As of today, 19/05/2021 09:30 AM Indonesian time, all submissions that target tvkamu will be considered out of scope.

Known issues:
Please note that the XL Axiata Security Team also actively looks for vulnerabilities across all assets internally. The vulnerabilities listed below are marked as known issues:
a. MSISDN enumeration that may leak the subscriber type, subscriber ID, subscriber status, etc.
b. Lack of email address verification.
c. Sensitive data or keys in URLs, request headers, or request bodies when protected by TLS.
d. JWT token still active after the user clicks the logout button. Application limitation: the JWT token expires in 1 hour.

Test Number:
Please use an Indonesian XL or AXIS mobile number. We use an OTP to validate your number during login.
If you are located outside Indonesia, you can obtain an XL or Axis virtual number by registering with a third-party service such as twilio.com or a similar service.

**WARNING:**

  • Disclosing any kind of vulnerability or submission in this program to the public is prohibited. Researchers who do so will be banned and all their awards in this program will be annulled.

* XL also wants to know about vulnerabilities in other targets that are out of scope but can have a CRITICAL / HIGH impact on XL, either directly or indirectly (for example through 3rd-party apps). For this reason, if a researcher finds a new target outside the list above that carries a CRITICAL / HIGH risk, please contact the RedStorm team via email to be considered for a reward.*

For more details, you can visit the official bug bounty site below:

Program link: https://www.redstorm.io/program/xl

That is all the information I can share for now; I hope it is useful. Stay tuned for the next article, and thank you.