InDrive Program Statistics

18 total issues disclosed

$9,650 total paid publicly

Most disclosed (5 disclosures) — Cross-site Scripting (XSS) - Reflected



Disclosed Reports


| Report title | Vulnerability type | Disclosed by | Severity | Disclosed on |
|---|---|---|---|---|
| Change phone number OTP flaw leads to any phone number takeover | Business Logic Errors | polem4rch | Critical | 2024-10-09 |
| Unlimited fake rating of the passenger in city-to-city rides; affected endpoint `/api/v1/reviews/ride/<ID>/driver` | Business Logic Errors | bugsv2 | Medium | 2024-07-02 |
| Reflected XSS on media.indrive.com | Cross-site Scripting (XSS) - Reflected | zxwo | Medium | 2024-07-02 |
| #1 XSS on watchdocs.indriverapp.com | Cross-site Scripting (XSS) - Reflected | maxdha | Low | 2024-04-11 |
| #2 XSS on watchdocs.indriverapp.com | Cross-site Scripting (XSS) - Reflected | maxdha | Medium | 2024-04-11 |
| #3 XSS on watchdocs.indriverapp.com | Cross-site Scripting (XSS) - Reflected | maxdha | Low | 2024-04-11 |
| Drivers can access the customer's phone number and current location without getting their offer accepted! | Information Disclosure | bugsv2 | Medium | 2024-02-19 |
| Disclosure of users' IP address whenever they view my freight offer on image preview (without interaction) | Information Disclosure | bugsv2 | Medium | 2024-02-19 |
| Host Header Injection - internal.qa.delivery.indrive.com | None supplied | sid_x95 | Low | 2024-02-12 |
| XSS on terra-6.indriverapp.com | Cross-site Scripting (XSS) - Reflected | maxdha | Medium | 2024-01-29 |
| SSRF in https://couriers.indrive.com/api/file-storage | Server-Side Request Forgery (SSRF) | cypher-28 | High | 2024-01-16 |
| Blind SQL injection on id.indrive.com | Blind SQL Injection | kristoferent | Critical | 2023-11-24 |
| Bypassing Garbage Collection with Uppercase Endpoint | None supplied | h1xploit | No rating | 2023-10-04 |
| Brute-forcing the mobile phone verification code to enter the management system on truck-admin.eu-east-1.indriverapp.com | Business Logic Errors | trustworthy | High | 2023-09-11 |
| Stored XSS on promo.indrive.com | Cross-site Scripting (XSS) - Stored | kristoferent | Medium | 2023-08-28 |
| inDriver Job - Admin Approval Bypass | Incorrect Authorization | mikejohnson_1 | Medium | 2023-07-05 |
| Full access to InDrive Jira panel via exposed API token | Information Disclosure | bogdantc | Critical | 2023-06-28 |
| Rider can forcefully get a passenger's order accepted, resulting in multiple impacts including PII disclosure and more mentioned in the report | Improper Access Control - Generic | spongebhav | High | 2023-06-28 |