Car sales landing page & lead integrity
IndomobilIndo is an Indonesian car-selling landing page showcasing vehicle inventory, dealership promos, and private-seller listings. It handles vehicle catalogs with pricing, customer inquiry forms, contact & lead collection, dealer dashboards, admin tooling, marketing automation, and partner integrations. Full scope is allowed with no restrictions — everything IndomobilIndo owns, operates, or can patch is in-scope. Critical bugs pay $5,000.
In scope: indomobilindo.com, APIs, subdomains, admin panels, dealer portals, inquiry/lead infrastructure, notification services, marketing callbacks, third-party integrations under IndomobilIndo control.
Legal floor: credit-card fraud, identity theft, harassment — always off-limits.
A paying report needs two things:
1. Kill chain from root cause → exploit steps → measurable harm (data breach, unauthorized transaction, admin takeover, site-defacement/context-manipulation that enables fraud).
2. Proof the attack succeeds (replayed API calls showing data exfiltration, privilege escalation, unauthorized lead access, or admin boundary cross).
Narratives without replayable exploits stall below payout threshold.
Scope note: Full scope allowed — no restrictions. Every IndomobilIndo-owned or operated surface is in-scope without exclusions.
Why stress-test IndomobilIndo?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.
Fraud & monetary-loss blast radius
Listing manipulation, fake inventory, inquiry hijack, unauthorized lead access — bugs cash out as direct financial harm to dealers and buyers until someone scripts the replay.
No fake micro-scope list
Patch surface spans public landing page to internal admin — escalate freely across dealer portals, lead databases, and inquiry pipelines.
Responsible disclosure halo
Demonstrated chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, API replay scripts, DB dump excerpts, admin-panel boundary-cross proofs, lead-database access logs…).
Unauthorized access to customer/lead database or PII at scale; site-context-changing exploits (defacement, SEO injection, listing-hijack) that directly enable fraud/theft; unauthenticated or horizontal admin access; inquiry/lead pipeline integrity break; mass account takeover; SSRF into internal billing or CRM services.
- Full or partial unauth customer/lead database dump (names, phones, emails, inquiries, documents)
- Admin panel access without valid credentials or via horizontal escalation
- Site context manipulation (listing hijack, price/photo injection, phishing-page hosting) that leads to buyer/seller monetary loss
- Lead/inquiry state tampering (unauthorized access, rerouting, data theft)
Everything is in scope — no restrictions, no carve-outs
Full scope allowed — no restrictions. Anything IndomobilIndo hosts, administers, or routes traffic through is bounty ground. The table below is illustrative only; it does not limit or cap the surface in any way. "Not listed" ≠ "out-of-scope."
| Surface | Class | Critical payout |
|---|---|---|
| indomobilindo.com, subdomains, web app | Web | $5,000 / validated bug |
| Public APIs (listings, search, inquiries, leads) | Backend | $5,000 / validated bug |
| Dealer dashboard & internal tooling | Ops | $5,000 / validated bug |
| Admin panels & moderation interfaces | Admin | $5,000 / validated bug |
| Lead / inquiry / notification callbacks | Marketing | $5,000 / validated bug |
| Third-party connectors, CRM integrations | Client | $5,000 / validated bug |
Everything IndomobilIndo operates — no exclusions, no restrictions
Full scope allowed. There is no exclusions list, no restrictions, and no narrowed allow-list. Staging mirrors, partner APIs fronted by IndomobilIndo, vanity domains CNAME'd in, internal analytics, bot hooks for lead alerts — all eligible when critical impact reproduces. If IndomobilIndo can patch it, owns it, or operates it, it is in scope.
- Vanity domains CNAME'd into IndomobilIndo edge — show DNS/traffic proof in your write-up.
- Marketing automation, email/SMS notification gateways, deep-link handlers
- Third-party CRM or lead callback integrations verified with IndomobilIndo-issued secrets
- Partner dealer-widget SDKs or embeds IndomobilIndo ships
- Staging, dev, QA, and internal environments labeled or operated by IndomobilIndo
- Analytics, monitoring, CI/CD, and internal tooling under IndomobilIndo administration
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures, or DB/admin screenshots showing real impact — not paper analysis alone.
- Number your hops. Session/API primitive → escalation → data breach, admin boundary cross, lead integrity break, or site-context fraud enabler.
- Minimize real-user blast radius. Prefer mirrors, test accounts, and reversible payloads when demonstrating theft-class bugs.
- Private coordination first. Use official intake on indomobilindo.com before public threads.
- Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
How to submit a report
Use the security / vulnerability disclosure contact published on https://indomobilindo.com/ (security@indomobilindo.com is a common guess — verify on the live site before emailing). Template below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — fraud/theft/DB/admin impact in one paragraph
# Severity self-classification → must map to IndomobilIndo critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, account ID, dealer ID)
2. Entry primitive — HTTP line + auth headers
3. Pivot(s) → privilege / data / inquiry escalation
4. Final hop → DB dump / admin takeover / lead tamper / site-context fraud enablement
## Successful exploitation evidence
- Scripted replay showing data leak or admin access
- Parallel request traces (race/double-submit on leads)
- Admin-panel or DB log lines proving attacker-forged intent accepted
## Reproduction package
Commands + fixtures + commit/patch SHAs
## Disclosure ack
Private channel only until IndomobilIndo clears publication
Horizontal admin escalation (illustrative)
Attach replay logs from indomobilindo.com showing a normal dealer account reaching admin endpoints.
# BUGGY: role check omitted on /api/v1/admin/leads — any authed dealer can hit it
GET /api/v1/admin/leads?limit=1000 HTTP/1.1
Host: indomobilindo.com
Authorization: Bearer <DEALER_TOKEN>
Content-Type: application/json
# Response: full lead database with PII (name, phone, email, inquiry details)
# FIX: enforce admin middleware before serving /admin/* routes
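The fix line above, worked through as an added example that is not IndomobilIndo's code: a framework-free Python dispatcher in which every /api/v1/admin/* path is gated on a server-side role claim before any handler runs, so a handler that forgets its own role check (the buggy shape shown above) can no longer leak the lead table. Token strings, claims, the route table and the lead records are constructed placeholders; the dealer route is included to show the matching object-level scoping, since one dealer reading another dealer's leads is the same class of bug.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the session layer. Tokens and claims are placeholders;
# a real deployment verifies a signed token and reads the role from server state,
# never from a client-supplied parameter.
TOKENS: Dict[str, Dict[str, str]] = {
    "DEALER_TOKEN_placeholder": {"sub": "dealer-42", "role": "dealer"},
    "ADMIN_TOKEN_placeholder": {"sub": "admin-7", "role": "admin"},
}

# Constructed sample leads; no real PII.
LEADS: List[Dict[str, object]] = [
    {"id": 1, "name": "Buyer A", "phone": "+62-000-0000", "dealer_id": "dealer-42"},
    {"id": 2, "name": "Buyer B", "phone": "+62-000-0001", "dealer_id": "dealer-9"},
]


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


Principal = Dict[str, str]
Response = Tuple[int, object]
Handler = Callable[[Request, Principal], Response]


def authenticate(req: Request) -> Optional[Principal]:
    """Resolve the bearer token to a server-side principal, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def admin_leads(req: Request, principal: Principal) -> Response:
    """The /api/v1/admin/leads handler as described on the page: it performs
    no role check of its own, so it is only safe behind an admin gate."""
    return 200, LEADS


def dealer_leads(req: Request, principal: Principal) -> Response:
    """Dealer-scoped view: object-level filter on the caller's own dealer id."""
    return 200, [lead for lead in LEADS if lead["dealer_id"] == principal["sub"]]


ROUTES: Dict[Tuple[str, str], Handler] = {
    ("GET", "/api/v1/admin/leads"): admin_leads,
    ("GET", "/api/v1/dealer/leads"): dealer_leads,
}


def make_app(enforce_admin_prefix: bool) -> Callable[[Request], Response]:
    """Build a dispatcher. enforce_admin_prefix=False reproduces the buggy
    deployment; True applies the fix: every /api/v1/admin/* path requires
    role == "admin" before any handler is even looked up."""

    def dispatch(req: Request) -> Response:
        principal = authenticate(req)
        if principal is None:
            return 401, {"error": "unauthenticated"}
        path = req.path.split("?", 1)[0]  # query string never affects routing
        if enforce_admin_prefix and path.startswith("/api/v1/admin/"):
            if principal.get("role") != "admin":
                # 403, not 404: the caller is authenticated but not authorized.
                # A dealer token reaching this branch is a detection signal
                # worth logging and alerting on.
                return 403, {"error": "forbidden"}
        handler = ROUTES.get((req.method, path))
        if handler is None:
            return 404, {"error": "not found"}
        return handler(req, principal)

    return dispatch


def get(app: Callable[[Request], Response], path: str, token: str) -> Response:
    """Helper: issue a GET with a bearer token against the given dispatcher."""
    return app(Request("GET", path, {"Authorization": f"Bearer {token}"}))


if __name__ == "__main__":
    buggy, fixed = make_app(False), make_app(True)
    dealer_req = ("/api/v1/admin/leads?limit=1000", "DEALER_TOKEN_placeholder")
    print("buggy deployment:", get(buggy, *dealer_req)[0])  # 200, full lead table
    print("gated deployment:", get(fixed, *dealer_req)[0])  # 403
```

The gate lives in the dispatcher rather than in each handler so that a new /admin/* route added without its own check still inherits the restriction; the per-handler check can be kept as defence in depth, but it must not be the only one. Returning 403 rather than 404 keeps the authorized/unauthorized distinction visible in access logs, which is what a triage team needs to spot a dealer session walking admin endpoints.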
Frequently asked questions
Is anything actually "out of scope"?
No scope restrictions. No discretionary product carve-outs — only universal legal/ethical lines (crime, harming unrelated civilians, etc.). If IndomobilIndo patches it or answers for it, you can test it until triage disqualifies specifics.
Theory-only reports?
No payout. $5K demands reproducible success proof.
Staging fair game?
Yes when IndomobilIndo operates and labels it; mirror production auth & routing semantics.
Duplicates?
First fully valid PoC is paid; later duplicates are acknowledged only.
Lower severities?
Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.