Active Program $5,000 flat · validated critical Full Tiki surface · no exclusions

Tiki.vn (tiki.vn) Bug Bounty: $5,000 Each Validated Critical — Database Access Focus

This program treats every Tiki-controlled asset as in-scope: marketplace platform, TikiNOW logistics, Tiki Card loyalty systems, seller center, admin dashboards, supplier portals, mobile apps, APIs, partner integrations, and infrastructure. There is no secondary allow-list-only carve-out here. For each critical flaw the team validates, hunters earn exactly $5,000 USD. Acceptance requires a narrative attack chain (step‑by‑step from entry to harm) plus credible proof of a successful exploitation: signatures/logs, scripted replayable PoC, or equivalent evidence that demonstrates the exploit actually achieves impact — not screenshots of theory alone.

BountyHunter Editorial

Security Research Desk

Published
Reading time 9 min
Status Live · Accepting reports
Critical payout $5,000 each validated report
Avg. triage ~24h first response time
Reports resolved 5+ since launch
Scope everything Tiki operates · no exclusions
Proof bar Chain + PoC (kill chain narrative, and the attack must succeed)
01 — Overview

Vietnam's leading e-commerce platform

Tiki.vn is one of Vietnam's largest e-commerce platforms, serving millions of customers with a hybrid model of first-party inventory + third-party marketplace, TikiNOW (2-hour delivery), Tiki Card (loyalty/fintech), Tiki Global (cross-border), and seller/supplier ecosystems. The platform handles a massive volume of customer data — PII, addresses, payment instruments, order histories, seller financials, and internal operations. This bounty prioritises database access: any exploitation path that yields read or write access to Tiki's production databases — customer records, order datasets, seller accounts, payment tables — is the primary critical class targeted here.

In scope materially: every HTTP(S) origin answering for tiki.vn and its subdomains, Tiki mobile apps (iOS/Android), TikiNOW logistics endpoints, Tiki Card/fintech APIs, seller/tiki-seller dashboards, admin/internal portals, partner integration endpoints, staging and QA mirrors, observability and logging pipelines, SDK loaders, and infrastructure Tiki controls.
Legal exclusions only (these are not scope carve-outs): mass harassment, ransomware against unrelated third parties, money laundering. No product carve-outs.

Minimum evidence bar (non-negotiable):
  1. Narrative kill chain tying root cause → exploit steps → observable impact
  2. Proof the attack succeeds (replayable scripts, fixture logs, Burp/HAR with matched responses)
Narratives without a working exploitation path are graded below the payout threshold.
02 — Why this matters

Why hunt Tiki?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — single paid tier on this ledger.

Database access priority

Customer PII, order datasets, seller financials, payment tables — SQL injection, NoSQL injection, SSRF to DB services, or any exploit yielding read/write on production databases is the primary critical class.

Massive attack surface

Marketplace with 1st-party + 3rd-party sellers, logistics, fintech, cross-border, admin panels — the blend of legacy PHP services, modern microservices, and third-party integrations creates rich chain opportunities.

Vietnam market exposure

Tiki holds millions of Vietnamese consumer records. A validated database breach ranks among the highest-impact findings in Southeast Asian e-commerce security research.

03 — Reward

$5,000 per validated critical — database access focus

There is exactly one bounty amount that maps to payouts on this ledger: validated critical findings pay $5,000 USD each. Non-critical novelty might receive coordination credit or internal tracking, but not this cash line — focus ruthlessly on chain-ending impact. Every paid report must simultaneously ship (a) attacker-language kill chain narration and (b) objective proof that the exploit path succeeded (see submission template fields).

Critical $5,000 USD ea.

Database access — read/write on production datasets; full admin/API takeover leading to mass PII exfiltration; payment infrastructure compromise.

  • SQL / NoSQL injection yielding database read/write against production tables (customers, orders, sellers, payments)
  • SSRF reaching internal database services (MySQL, MongoDB, Redis, Elasticsearch) with demonstrated data extraction
  • Broken access control or privilege escalation reaching admin panels that expose database query interfaces
  • RCE on application servers that hold database credentials or have network reach to the database tier
Operational truth: if you cannot yet prove the exploitation lands, keep iterating (on a faithful staging mirror where possible) until transactions, logs or callbacks confirm extraction. The triage team discards theoretical chain narratives that lack a working replay.
04 — Scope

What's in scope

The following table enumerates major Tiki surfaces. These rows do not impose limits; they are convenient handles for writing reports. Anything Tiki fingerprints as theirs is bounty terrain even if omitted below. "Not listed" does not mean "out of scope": the default stance is open scope.

Surface | Class | Critical payout
*.tiki.vn, mobile apps (iOS/Android) | End-user | $5,000 / validated bug
Seller Center, Supplier Portal, Admin Dashboards | Internal | $5,000 / validated bug
TikiNOW logistics, Tiki Card / fintech, Tiki Global APIs | API | $5,000 / validated bug
Databases (MySQL clusters, MongoDB, Redis, Elasticsearch, object stores) | Database | $5,000 / validated bug
Partner integrations, payment gateways, 3PL APIs | Integration | $5,000 / validated bug
05 — Scope policy

Everything Tiki operates — no exclusions list

This program intentionally rejects shrunken allow-lists. If Tiki can remediate via code/config/process ownership, hunters may test it for critical-impact chains without hunting for somebody else's carve-out appendix.

  • All production + staging nets Tiki labels theirs (including ephemeral QA)
  • Open-source/private repos patched by Tiki engineers
  • Vendor SaaS tenants Tiki administers, where the breach route passes through Tiki SSO
  • Payment gateway integrations Tiki maintains
  • Partner plugins, but only where Tiki merges the fix (coordinate disclosure if the counterpart is slow)
  • Database services — MySQL, MongoDB, Redis, Elasticsearch, S3-compatible object stores — when reached through Tiki network
  • CI/CD pipelines, build servers, artifact registries, telemetry collectors
  • Staging, dev, and canary environments that mirror production routing + auth
Legal floor (not bounty shrink): harassment, indiscriminate ransomware, laundering — still barred even though technical surface is maximal.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Ship artefacts a third party can rerun: scripted curl flows, Burp/HAR exports, SSRF egress captures, SQL injection evidence with verified table counts and a masked row sample.
  2. Articulate the kill chain hop by hop. Number each hop: auth boundary → abused endpoint → escalation → database access → data extraction path (customer PII, order tables, seller financials, payment records).
  3. Document blast radius responsibly. Quantify the users or records affected, even when the chain was exercised only on a staging mirror that faithfully reproduces production routing and auth.
  4. Encrypt and ship privately. Use the sanctioned intake on tiki.vn (see the submit section) before sharing exploit details anywhere else.
  5. Honor duplicate fairness. On collisions, the first fully qualifying chain with reproducible exploitation is the one paid.
07 — Submit

How to submit a report

Start from the security / disclosure contact publicly listed on tiki.vn (security@tiki.vn is a common pattern, but verify the address on the vendor site before sending anything). The mandatory report sections follow the template below.

Report Template
## 1. Vulnerability title
// One-line summary (CWE + Tiki surface targeted)

## 2. Attack narrative (kill chain)
// Numbered steps from reconnaissance → entry → escalation → database access → data extraction

## 3. Successful exploitation proof
// Attach replayable PoC, sqlmap output, SSRF callback logs, Burp project, or script + matched response bodies

## 4. Database impact quantification
// Which tables accessed, row counts, data types (PII, financial, credentials)

## 5. Remediation suggestion
// 2–3 actionable fix recommendations for Tiki engineering

## 6. Disclosure timeline
// Vendor notified: YYYY-MM-DD
// Vendor confirmed: pending
// Public disclosure: mutual agreement
PII disclosure rule: Include only enough sample data to demonstrate access (e.g., first 5 rows, masked identifiers). Full dataset dumps are not required and may violate disclosure policy.
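A small helper for section 4 of the template, added here as an example and not code from Tiki or from this page: it applies the masking rule above (first name plus last initial, masked email and phone, at most five rows, credentials and hashes never included) to whatever rows a PoC query returned, and emits the table name, row count and masked sample together. The rows, column names and localities below are constructed for the example.

```python
"""Added example (not Tiki's code): build the masked evidence block a
report needs from rows a PoC query returned. All rows are constructed."""
import re

SAMPLE_LIMIT = 5  # ceiling on rows included in a report


def mask_name(name: str) -> str:
    """'Nguyễn Văn An' -> 'Nguyễn A.' (first token plus last initial)."""
    parts = name.split()
    if len(parts) < 2:
        return parts[0] if parts else ""
    return f"{parts[0]} {parts[-1][0]}."


def mask_email(email: str) -> str:
    """'an.nguyen@example.com' -> 'a***@example.com'."""
    local, at, domain = email.partition("@")
    if not at or not local:
        return "***"
    return f"{local[0]}***@{domain}"


def mask_phone(phone: str) -> str:
    """Keep only the last three digits: '+84 912 345 678' -> '********678'."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) <= 3:
        return "***"
    return "*" * (len(digits) - 3) + digits[-3:]


def mask_address(address: str) -> str:
    """Keep only the trailing locality; the street is never needed as proof."""
    locality = address.rsplit(",", 1)[-1].strip() if "," in address else ""
    return f"[street masked], {locality}" if locality else "[address masked]"


def mask_id(value) -> str:
    """Keep the last two characters so rows stay distinguishable: 1048576 -> '*****76'."""
    s = str(value)
    return "*" * max(len(s) - 2, 0) + s[-2:]


MASKERS = {
    "customer_id": mask_id,
    "name": mask_name,
    "email": mask_email,
    "phone": mask_phone,
    "shipping_address": mask_address,
}
# Columns that are replaced wholesale: a report never carries hashes or secrets.
DROP_ENTIRELY = {"hashed_password", "password", "token", "card_number"}


def mask_row(row: dict) -> dict:
    out = {}
    for key, value in row.items():
        if key in DROP_ENTIRELY:
            out[key] = "[redacted]"
        elif key in MASKERS:
            out[key] = MASKERS[key](value)
        else:
            out[key] = value  # non-PII columns pass through unchanged
    return out


def evidence_block(table: str, rows: list, limit: int = SAMPLE_LIMIT) -> dict:
    """Section 4 of the template: which table, how many rows, masked sample."""
    return {
        "table": table,
        "row_count": len(rows),
        "columns": sorted({k for r in rows for k in r}),
        "sample": [mask_row(r) for r in rows[:limit]],
    }


# Constructed rows standing in for what a PoC query would return (7 rows,
# so the sample ceiling is visibly applied).
_PEOPLE = [
    ("Nguyễn Văn An", "an.nguyen@example.com", "+84 912 345 678", "12 Lê Lợi, Quận 1, TP.HCM"),
    ("Trần Thị Bình", "binh.tran@example.com", "0987 654 321", "45 Tràng Tiền, Hoàn Kiếm, Hà Nội"),
    ("Lê Minh Cường", "cuong@example.org", "+84 903 111 222", "8 Trần Phú, Hải Châu, Đà Nẵng"),
]
CONSTRUCTED_ROWS = [
    {"customer_id": 1048576 + i, "name": n, "email": e, "phone": p,
     "shipping_address": a, "hashed_password": "$2y$10$constructedhashvalue"}
    for i, (n, e, p, a) in enumerate(_PEOPLE[j % 3] for j in range(7))
]

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_block("customers", CONSTRUCTED_ROWS), ensure_ascii=False, indent=2))
```

Run the PoC query, pipe its rows through `evidence_block`, and paste the JSON into section 4; the unmasked rows stay on your machine and are deleted once triage confirms the finding.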
08 — Example

Example critical: SSRF → database extraction

The following is a representative critical path targeting Tiki's database infrastructure. Real-world findings may vary, but this structure — external entry → internal pivot → data access — is the archetype for database-oriented criticals on this program.

Kill Chain Outline
# Hop 1 — External reconnaissance
// Identify Tiki API endpoint that accepts user-supplied URLs
GET /api/v2/product/import?url=https://... HTTP/1.1
Host: tiki.vn

# Hop 2 — SSRF to internal network
// Bypass URL validation to reach internal DB endpoints
GET /api/v2/product/import?url=http://10.x.x.x:3306/test HTTP/1.1
Host: tiki.vn
// Response timing/differences reveal reachable internal MySQL

# Hop 3 — Internal pivot via Gopher/MySQL protocol
// If the fetcher honours gopher://, smuggle a raw MySQL session that reads the customer table
// Caveat: blind protocol smuggling only works against accounts with no password, because the payload cannot answer the server's auth challenge
// Extract: customer_id, name, email, phone, shipping_address, hashed_password

# Hop 4 — Data exfiltration
// Route extracted rows through SSRF callback or DNS exfiltration
// Total records affected: ~5M customer rows (illustrative figure for a production-scale table)
This chain qualifies for $5,000 if accompanied by: actual SSRF callback logs proving internal reachability, sqlmap output or equivalent confirming database extraction, and a quantified data sample with masked PII.
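The remediation half of such a report (section 5 of the template) is easiest to write against concrete code. The following is an added example and not Tiki's code or anything taken from this page: a URL-import guard in the string-denylist shape that lets a chain like the one above reach gopher://, shorthand loopback spellings and internal DNS names, beside a hardened replacement that allow-lists scheme and port, refuses credentials in the URL, and checks every address the host resolves to. The endpoint shape, hostnames, addresses and the offline fake resolver are all constructed for the example.

```python
"""Added example (not Tiki's code): a URL-import guard in the vulnerable
shape that lets an SSRF chain reach internal hosts, beside a hardened
replacement. Hostnames, addresses and the fake resolver are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # an importer never needs 3306/6379/9200/27017


def naive_is_allowed(url: str) -> bool:
    """Vulnerable form: a string denylist. Passes gopher://, 127.1,
    2130706433, ::1, and any DNS name that resolves into RFC 1918 space."""
    lowered = url.lower()
    return ("localhost" not in lowered and "127.0.0.1" not in lowered
            and not lowered.startswith("http://10."))


def _is_blocked_ip(ip) -> bool:
    """True for any address an outbound fetcher must never connect to."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is still 10.0.0.5
    return (ip.is_private or ip.is_loopback or ip.is_link_local  # 169.254.169.254 included
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def system_resolver(host: str) -> list:
    """Production resolver: every A/AAAA answer for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_fetch_target(url: str, resolve=system_resolver) -> bool:
    """Hardened form: scheme and port allow-list, no credentials in the URL,
    and every address the host resolves to must be public unicast."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            return False  # rejects gopher://, file://, dict://, ftp://
        if not parts.hostname or parts.username or parts.password:
            return False  # rejects http://user@internal/ style confusion
        port = parts.port or (443 if scheme == "https" else 80)
        if port not in ALLOWED_PORTS:
            return False
        addrs = resolve(parts.hostname)
    except (ValueError, OSError):  # malformed URL/port, or unresolvable host
        return False
    if not addrs:
        return False
    try:
        return not any(_is_blocked_ip(ipaddress.ip_address(a)) for a in addrs)
    except ValueError:
        return False


# Constructed DNS answers so the example runs offline. The two numeric-host
# rows mirror how system resolvers expand those spellings.
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],                 # public address
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # one internal answer
    "meta.example": ["169.254.169.254"],              # cloud metadata service
    "v6.example": ["::ffff:10.0.0.5"],                # IPv4-mapped IPv6
    "127.1": ["127.0.0.1"],                           # inet_aton shorthand
    "2130706433": ["127.0.0.1"],                      # decimal form of 127.0.0.1
}


def fake_resolve(host: str) -> list:
    try:
        ipaddress.ip_address(host)
        return [host]  # literal addresses resolve to themselves
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]


def check_all(urls, resolve=fake_resolve) -> dict:
    """Return {url: (naive_verdict, hardened_verdict)} for each URL."""
    return {u: (naive_is_allowed(u), is_safe_fetch_target(u, resolve)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in check_all([
        "https://cdn.example/catalog.csv",
        "http://10.0.0.5:3306/test",
        "gopher://127.1:3306/_raw-mysql",
        "http://2130706433/",
        "http://meta.example/latest/meta-data/",
        "http://rebind.example/",
        "http://v6.example/",
        "http://user@cdn.example/",
    ]).items():
        print(f"{url:42} naive={naive!s:5} hardened={hardened}")
```

Two caveats the hardened check does not solve on its own: the fetch must connect to the address that was validated (pin it and send the Host header yourself), otherwise a DNS answer that changes between check and connect bypasses the guard; and redirects must be re-validated hop by hop or not followed at all, since a 302 to an internal URL is the other classic route around this kind of check.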
09 — FAQ

Frequently asked questions

Is database access the only critical you'll pay for?

No — any critical-impact chain qualifies (RCE, ATO at scale, payment manipulation, full admin takeover). But database access is the highest-priority class on this program. SQLi, NoSQLi, SSRF→DB, and privilege escalation to internal data stores are what this bounty was designed to incentivise.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both a complete kill-chain narrative and evidence of a successful attack path (replayable artifacts). Theory-only stays in triage backlog without compensation.

Are staging / dev environments fair game?

Yes — staging, dev, QA, and canary environments are in scope as long as they mirror production routing + auth models. Data in those environments may be synthetic; demonstrate that the same path would work on production tables.

How much sample data should I include?

Enough to prove access: 3–5 rows with masked identifiers (first name, last initial, masked email/phone). Full table dumps are unnecessary and may trigger data handling policy reviews.

Lower severities rewarded?

Not under this $5K-flat critical playbook — escalate impact or accept acknowledgement without cash.

Database access chain + working exploit = $5,000

Find the path to production data. Document every hop. Prove it works.