
Mobil123 (mobil123.com) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

Mobil123 at https://www.mobil123.com/ is a leading Indonesian online car-selling marketplace: dealer & private listings, buyer-seller chat, escrow-like payment flows, dealer dashboards, admin tooling, user KYC/identity data, price & inventory management, mobile apps, APIs, partner integrations, support systems — everything Mobil123 operates is in-scope with no exclusions list. $5,000 USD per validated critical with kill chain + replayable exploit. Focus areas: site context-changing exploits, unauthorized user database access, unauth admin access, and any path leading to fraud, theft, or monetary loss.

BountyHunter Editorial

Security Research Desk

Reading time: 10 min
Status: Live · Accepting reports
Critical payout: $5,000 USD · each validated report
Avg. triage: ~48h (marketplace ops pattern)
Capital at risk: High · payments · deposits · user data
Scope: all Mobil123-operated stacks
Proof bar: kill chain + PoC · attack succeeds
01 — Overview

Car marketplace & transaction integrity

Mobil123 is a high-traffic Indonesian online car marketplace connecting private sellers, dealerships, and buyers. It handles vehicle listings with pricing, user profiles & KYC data, buyer-seller messaging, payment/escrow integrations, dealer dashboards, and administrative operations. Full scope is allowed with no restrictions — everything Mobil123 owns, operates, or can patch is in-scope. Critical bugs pay $5,000.

In scope: mobil123.com, APIs, subdomains, mobile apps, admin panels, dealer portals, chat infrastructure, payment callbacks, notification services.
Legal floor: credit-card fraud, identity theft, harassment — always off-limits.

Minimum evidence bar — non-negotiable:
  1. Kill chain from root cause → exploit steps → measurable harm (data breach, unauthorized transaction, admin takeover, site-defacement/context-manipulation that enables fraud).
  2. Proof the attack succeeds (replayed API calls showing data exfiltration, privilege escalation, unauthorized payment state changes, or admin boundary cross).
Narratives without replayable exploits stall below payout threshold.

Scope note: Full scope allowed — no restrictions. Every Mobil123-owned or operated surface is in-scope without exclusions.
02 — Why this matters

Why stress-test Mobil123?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.

Fraud & monetary-loss blast radius

Price manipulation, fake listings, escrow bypass, unauthorized refunds — bugs cash out as direct financial harm to buyers and sellers until someone scripts the replay.

No fake micro-scope list

Patch surface spans public site to internal admin — escalate freely across dealer portals, user databases, and payment pipelines.

Responsible disclosure halo

Demonstrated chains earn coordinated publication credit after fixes ship.

03 — Reward

$5,000 per validated critical

There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, API replay scripts, DB dump excerpts, admin-panel boundary-cross proofs, payment-flow tamper logs…).

Critical $5,000 USD ea.

Unauthorized access to user database or PII at scale; site-context-changing exploits (defacement, SEO injection, listing-hijack) that directly enable fraud/theft; unauthenticated or horizontal admin access; payment/escrow pipeline integrity break; mass account takeover; SSRF into internal billing or KYC services.

  • Full or partial unauth user database dump (names, phones, emails, KYC docs, chat logs)
  • Admin panel access without valid credentials or via horizontal escalation
  • Site context manipulation (listing hijack, price/photo injection, phishing-page hosting) that leads to buyer/seller monetary loss
  • Payment/escrow state tampering (unauthorized refunds, deposit rerouting, duplicate payouts)
Operational truth: If you can't yet prove the exploitation moves money, leaks real user data, or accesses admin controls inside Mobil123’s trust boundary, iterate on mirrors until logs objectively show success — triage shelves “maybe” theories.
04 — Scope inventory

Everything is in scope — no restrictions, no carve-outs

Full scope allowed — no restrictions. Anything Mobil123 hosts, administers, or routes traffic through is bounty ground. The table below is illustrative only; it does not limit or cap the surface in any way. “Not listed” ≠ “out of scope”.

Surface                                               Class     Critical payout
mobil123.com, subdomains, web app                     Web       $5,000 / validated bug
Public APIs (listings, search, user, chat, payments)  Backend   $5,000 / validated bug
Dealer dashboard & internal tooling                   Ops       $5,000 / validated bug
Admin panels & moderation interfaces                  Admin     $5,000 / validated bug
Payment / escrow / notification callbacks             Finance   $5,000 / validated bug
Mobile apps, SDKs, third-party connectors             Client    $5,000 / validated bug
05 — Scope policy

Everything Mobil123 operates — no exclusions, no restrictions

Full scope allowed. There is no exclusions list, no restrictions, and no narrowed allow-list. Sandbox mirrors, partner APIs fronted by Mobil123, vanity domains CNAME’d in, internal analytics, bot hooks for risk alerts — all eligible when critical impact reproduces. If Mobil123 can patch it, owns it, or operates it, it is in scope.

  • Vanity domains CNAME’d into Mobil123 edge — show DNS/traffic proof in your write-up.
  • Mobile app APIs, push-notification gateways, deep-link handlers
  • Third-party payment or KYC callbacks verified with Mobil123-issued secrets
  • Partner dealer-widget SDKs or embeds Mobil123 ships
  • Staging, dev, QA, and internal environments labeled or operated by Mobil123
  • Analytics, monitoring, CI/CD, and internal tooling under Mobil123 administration
Full scope allowed — no restrictions: Every Mobil123-owned or operated surface is in-scope without exclusions. Subdomains, staging, APIs, partner integrations, admin tooling, analytics, third-party services under Mobil123 control, and any other surface they administer — all eligible. If Mobil123 can patch it or owns it, you can test it for critical-impact chains.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Provide scripts, HARs, parallel request captures, or DB/admin screenshots showing real impact — not paper analysis alone.
  2. Number your hops. Session/API primitive → escalation → data breach, admin boundary cross, payment integrity break, or site-context fraud enabler.
  3. Minimize real-user blast radius. Prefer mirrors, test accounts, and reversible payloads when demonstrating theft-class bugs.
  4. Private coordination first. Use official intake on mobil123.com before public threads.
  5. Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
07 — Submit

How to submit a report

Use the security / vulnerability disclosure contact published on https://www.mobil123.com/ (security@mobil123.com is a common guess — verify on the live site before emailing). Template below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — fraud/theft/DB/admin impact in one paragraph

# Severity self-classification → must map to Mobil123 critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, account ID, dealer ID)
2. Entry primitive — HTTP line + auth headers
3. Pivot(s) → privilege / data / payment escalation
4. Final hop → DB dump / admin takeover / payment tamper / site-context fraud enablement

## Successful exploitation evidence
• Scripted replay showing data leak or admin access
• Parallel request traces (race/double-spend on payments)
• Admin-panel or DB log lines proving attacker-forged intent accepted

## Reproduction package
Commands + fixtures + commit/patch SHAs

## Disclosure ack
Private channel only until Mobil123 clears publication
Gating reminder: Missing chain steps or lacking replayable exploitation bumps the ticket to rework — no payout until solved.
08 — Example

Horizontal admin escalation (illustrative)

Attach replay logs from mobil123.com showing a normal dealer account reaching admin endpoints.

HTTP · illustrative misuse
# BUGGY: role check omitted on /api/v1/admin/users — any authed dealer can hit it
GET /api/v1/admin/users?limit=1000 HTTP/1.1
Host: www.mobil123.com
Authorization: Bearer <DEALER_TOKEN>
Content-Type: application/json

# Response: full user database with PII (phone, email, KYC doc URLs)
# FIX: enforce admin middleware before serving /admin/* routes
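The same bug in code form, as an added example that is not Mobil123's own code: a dispatcher that only checks for a valid session (the bug above) beside one that runs an admin role gate in front of the whole /api/v1/admin/* family, plus a log check a defender can run to spot non-admin principals who were served a 200 from admin routes. The token table, roles, principal IDs and log lines are all constructed for illustration.

```python
"""Added example, not Mobil123's code: the missing-role-check bug above beside
a fixed dispatcher, plus a log check that flags non-admin principals who got a
200 from /api/v1/admin/*. Tokens, roles and log lines are constructed."""
import posixpath

ADMIN_PREFIX = "/api/v1/admin/"
# Constructed session table standing in for a real token/JWT verifier.
TOKENS = {
    "DEALER_TOKEN": {"sub": "dealer-42", "role": "dealer"},
    "ADMIN_TOKEN": {"sub": "staff-7", "role": "admin"},
}

def principal(headers):
    """Resolve the bearer token to a principal, or None if absent/unknown."""
    auth = headers.get("Authorization", "")
    return TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None

def route(path):
    """Strip query string and normalise '..' first, so the prefix guard can't be sidestepped."""
    return posixpath.normpath(path.split("?", 1)[0])

def handle_buggy(path, headers):
    """BUGGY: checks that a session exists (authn) but never the role (authz)."""
    return 401 if principal(headers) is None else 200

def handle_fixed(path, headers):
    """FIX: admin middleware gates the whole /api/v1/admin/* family first."""
    p = principal(headers)
    if p is None:
        return 401
    if route(path).startswith(ADMIN_PREFIX) and p["role"] != "admin":
        return 403  # authenticated, but not authorised for admin routes
    return 200

# Constructed access-log lines: '<sub> <role> <method> <path> <status>'.
SAMPLE_LOG = [
    "staff-7 admin GET /api/v1/admin/users?limit=50 200",
    "dealer-42 dealer GET /api/v1/listings/123 200",
    "dealer-42 dealer GET /api/v1/admin/users?limit=1000 200",
    "dealer-42 dealer GET /api/v1/admin/users?limit=1000 403",
]

def flag_admin_misuse(lines):
    """Detection: (sub, path) for each successful non-admin hit on an admin route."""
    hits = []
    for line in lines:
        sub, role, _method, path, status = line.split()
        if route(path).startswith(ADMIN_PREFIX) and role != "admin" and status == "200":
            hits.append((sub, path))
    return hits
```

The 403 log line is deliberately not flagged: the detection looks for admin routes that actually served data to a non-admin, which is the evidence bar the program asks for.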
09 — FAQ

Frequently asked questions

Is anything actually “out of scope”?

No scope restrictions. No discretionary product carve-outs — only universal legal/ethical lines (crime, harming unrelated civilians, etc.). If Mobil123 patches it or answers for it, you can test it until triage disqualifies specifics.

Theory-only reports?

No payout. $5K demands reproducible success proof.

Staging fair game?

Yes when Mobil123 operates and labels it; mirror production auth & routing semantics.

Duplicates?

The first fully valid PoC takes the payout; later duplicates are acknowledged only.

Lower severities?

Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.