Powered by world-class talent, technology, data and strategic partnerships with leading corporations in Vietnam, we focus on developing solutions to optimize and bridge the value chain gaps across high growth economic sectors in Vietnam.

website facebook

Points - 10,000,000 VND
5 3

Program rules

I. Description

One Mount Group was established with the ambition of creating Vietnamʼs largest technological ecosystem providing solutions and services along the entire value chain in the financial services, distribution, real estate, and retail sectors.

Starting with VinShop, a dedicated retail app enabling independent shop owners to grow their business via tech enabled supply chain and inventory management. VinID, a super app and Vietnam's largest consumer loyalty program integrating many functions such as payment, housing management, goods purchase, and financial services; and OneHousing, a one-stop destination for all needs in housing, supporting buying, selling, investing and other real-estate-related services.

II. Scope

Production environment

III. Rewards

Qualifying vulnerabilities

Non-qualifying vulnerabilities

  • Vulnerabilities that involved other end-user, like phishing.
  • Vulnerabilities that require bypassing security mechanisms at the local device (Android/iOS) and application.
  • Vulnerabilities that require taking control of other users' devices (VinID app installed).
  • Vulnerabilities that are related to Firebase services.
  • Vulnerabilities that are NOT reported via Whitehub.

IV. Qualifying researchers

  • All researchers were approved by One Mount Group are allowed to perform testing in the VinID application.
  • Researchers that are not approved by One Mount Group are not eligible to perform any testing on the VinID application.
  • All researchers/parties that are not qualified to requirements at #1 and perform any test on VinID are considered to violate the Vietnam laws.

V. Rules of engagement

  1. The tests are only performed from the account registered with One Mount. DON'T try to test on any other account.
  2. We only reward bounty for researchers qualified for all requirements at #I.
  3. Only take the information of your control accounts (DON'T perform on another account), and only take necessary information to demonstrate the impact.
  4. Do NOT perform any test that involves the application's stability, such as changing the configuration files, denying services, destroying data, etc.
  5. Provide us as much as possible about the vulnerability you discovered. If you can, please provide us with clear steps to reproduce to easily verify whether your finding is valid or not.

The submission needs to include but not limited to:

  • Detailed information about the vulnerability.
  • Steps to reproduce (clear steps, if you can add curl command, raw request, that would be great)
  • PoC, exploitation script (nice to have).
  • Image/video demonstrates the vulnerability (if applicable). These contents MUST be uploaded and stored via WhiteHub. We DON'T accept resources stored in a 3rd parties like Youtube or Imgur
  • Impact of this vulnerability.
  • Remediation steps.

Reward range

Severity Reward range
CRITICAL 4 Points 10,000,000 VND
HIGH 3 Points 5,000,000 VND
MEDIUM 2 Points 1,000,000 VND
LOW 1 Point

Targets

In scope

Name Type
VinID Android App Android
VinID iOS App iOS
*.vinid.net - must be requested from VinID mobile apps (iOS/Android) API

Statistics

5 reports accepted
3 reports rewarded

Latest hall of famers

  • Private Researcher
  • Private Researcher
  • leiz95

Recently joined this program

  • ninjamell
  • vhaeyo
  • mcsoon
  • Private Researcher
  • bientran122
  • Private Researcher
  • Private Researcher
  • leiz95