inDrive Bug Bounty Updates
Welcome to the official inDrive Bug Bounty Updates channel! Here you'll find all the latest news and updates about our Bug Bounty. We are happy to share with you information about the launch of new services, features, promotions and other information
Hello, security researchers!

We have launched a new promotion: in the next few weeks all prices from our pay table will be increased by 1.25. Details can be found here! Good luck hunting.

Best wishes,
InDrive Security Team.
api_methods.csv
186.7 KB
Hello, security researchers!

I hope this message catches you in good health. In the attachment you will find a CSV file containing a list of endpoints to scan. The file contains the following columns:

- Method: the HTTP method used for the request (e.g. GET, POST).
- Hostname: the domain name of the server to which the requests are being made.
- URL: the full URL of the endpoint.

NOTE: If you get a 410 Gone response status when accessing an endpoint, then you are trying to access the wrong region. For example, no-cf.<region>.aws.indriverapp.com returns 410, try changing regions.

List of regions: africa.afso1, cis.euce1, eu.euce1, euce1, fr1.baremetal, global, latam-br.saea1, latam-co.saea1, latam-mx.saea1, latam-mx.usea1, latam-pe.saea1, latam.saea1, mena-eg.meso1, mena.meso1, sa-in.apso1, sa.apso1, sea.apse3, usa.usea2

We hope you can use this information to analyze the security of these endpoints in more detail. Good luck hunting.

Best wishes,
InDrive Security Team.
Subdomains.csv
4 KB
Hello security researchers,

We are attaching a list of subdomains for in-depth vulnerability analysis. We hope this information will be useful for you.

Good luck hunting.

Best wishes,
InDrive Security Team.
Subdomains_ext.csv
5.5 KB
Hello security researchers,

New subdomain package.

Good luck hunting.

Best wishes,
InDrive Security Team.
The Journey of Launching a Bug Bounty Program

In the article “Strengthening Cybersecurity: Breaking Down inDrive’s Bug Bounty Program”, I dive into how we launched and developed our bug bounty program, collaborated with white hat hackers to identify vulnerabilities, optimized security processes, and fostered a culture focused on data protection.

Read the Article:

- On HackerNoon
- On Medium

This publication is the result of the collective efforts of our entire information security team. Please share the links, leave your comments, and help us spread the word about our achievements.

Together, let’s make inDrive a safer place!

Best wishes,
InDrive Security Team.
Hello, security researchers!

We have launched a new promotion: in the next few weeks all prices from our pay table will be increased by 1.5. Details can be found here! Good luck hunting.

Best wishes,
InDrive Security Team.
Hello, security researchers,

We are pleased to present the following domains for your exploration:

- alternativa.film
- bridekidnapping.alternativa.film
- festival.alternativa.film
- indrive.alternativa.film
- auroratechaward.com

We invite you to test your skills in discovering vulnerabilities on these subdomains. We eagerly await your insightful reports.

Good luck hunting.

Best wishes,
InDrive Security Team.
Hello, security researchers!

We have launched a new campaign: in the next few weeks all prices from our pay table will be increased by 1.5. Details can be found here! Good luck hunting.

Best wishes,
InDrive Security Team.
Hello, security researchers!

Have you spotted this new feature yet? If not — now’s the perfect time to dive in!
InDrive recently launched Passkey authentication in the app, and to celebrate, we're starting a 2-week special HackerOne campaign with increased bounty rewards (2x) for vulnerabilities related to the Passkey integration. 🔐
Campaign period 🗓️:
May 26 – June 9, 2025
To participate in the campaign, please make sure that:
• You’re using app version 5.110 or higher. 📱
• You select the asset https://cas-cf.euce1.indriverapp.com/api/passkey when submitting your report (of course, with Passkey issue 😉).

We’re especially interested in issues on how Passkeys are integrated with the app, such as:
• Authentication/Authorization bypasses
• Improper validation
• Session management issues
• Logical or implementation flaws

P.S., We’ve conducted our own internal security audit of the Passkey feature — so don’t be surprised if some findings are marked as duplicates.

Good luck, bug hunters! 🕵️‍♂️
Hello, security researchers!

Think you checked everything in Passkeys and found each vulnerability?
Don't take your Hackerman's glove off just yet, because we've got something else in our cargo!
Hello, masters of security!

We would like to make your bug hunting experience more focused by announcing the next HackerOne campaign: Vulnerability of June - IDOR (CWE-639)
From June 10 – July 10, all valid Insecure Direct Object Reference (IDOR) reports will receive a 1.5x bounty reward 💰
We’re calling on you to help us spot any IDORs we didn’t catch.

To get increased reward:
- Submit the report with the valid IDOR vulnerability
- Specify Insecure Direct Object Reference (IDOR) in the Weakness field

Stay tuned!
Hello, security researchers!

We are happy to announce the launch of the next bug bounty campaign!
This time, we’re focusing on two critical vulnerability types:
- Remote Code Execution (RCE) – [CWE-94 / CWE-77]
- Server-Side Request Forgery (SSRF) – [CWE-918]
All valid RCE and SSRF reports will receive a 2x bounty reward during the campaign🤑

🗓️ Campaign period: July 14 - August 14

To become like Richie Rich:
- Submit the report with the valid RCE or SSRF vulnerability
- Specify relevant CWE-94 / CWE-77 for RCE, CWE-918 for SSRF in the Weakness field

Good luck in the hunt!
Hello, security researchers!

We’re excited to share our new reward and scope policy! 🎉🎊

To motivate you to find cool bugs in our main application, we decided to divide our scope into Core and Non-Core services. ⚙️

Excellent news: Rewards for Core services are now doubled across all severities 💰🤑

To make it clear:
- Core services are directly connected to our main app infrastructure (backend, frontend resources). E.g., no-gw-cf.<region>.aws.indriverapp.com, couriers.indrive.com
- Non-core services are resources related to inDrive’s contributions in areas such as social projects, sports, education, and other initiatives. These will remain under the previous rewards table (for details, see the table in the Reward payment section).

How to identify the type of service (see the screenshot below):
1. Go to the Scope Policy page
2. To view core services use the filter with the tag Technology: Core.
3. To view non-core services use the filter with the tag Technology: Non-core.

If you’re unsure which type of service your finding belongs to, don’t worry, please submit your report anyway. Our team will review it during triage and clarify.

Happy bug hunting! 🕵️‍♂️
endpoints_v2.csv
85.9 KB
Hello!

Please find attached an updated table of HTTP endpoints with parameters for core services.
The values for the <region> variable in the host values are listed in the regions column.
If you receive a 410 Gone server response, please use another value of a region.

Hope this makes your bug hunting process more enjoyable and efficient.

Best wishes,
inDrive Security Team