Bounty Terms
By disclosing flaws in our services, security researchers help us keep Bina Nusantara's system and data secure, and we thank them for their assistance. Bina Nusantara reserves the right to decide whether to offer rewards for such reports based on risk, impact, and other considerations. You must initially satisfy the following criteria to be eligible for a bounty:
- You are required to read, understand, and agree with the Rules and Guidelines, including "In Scope" and "Out of Scope", on the Bina Nusantara Bug Bounty portal (https://bugbounty.apps.binus.edu) before submitting any reports.
- You are not allowed to submit the report by contacting Bina Nusantara employees directly or through other channels.
- Report a vulnerability in our services or infrastructure that creates a security or privacy risk. (Note that Bina Nusantara reserves the right to determine the risk of an issue or bug in the report, as not all software bugs are security issues or pose security or privacy risks.)
- Any vulnerability found must be reported no later than 24 hours after discovery.
- If a vulnerability provides unintended access to data, cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as personal information, credit card data, or proprietary information). You are not authorized to access any confidential Bina Nusantara information or to further share any confidential Bina Nusantara information.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
- Keep any proposed vulnerabilities strictly confidential.
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Bina Nusantara.
- If you publish reports without Bina Nusantara's consent (for any reason: education, popularity, etc.), we will not hesitate to initiate a lawsuit or take legal action against you.
- Do not violate any national, state, or local laws or regulations, including any data privacy or security laws or regulations.
- Do not initiate any unauthorized financial transactions.
- Do not upload proof of concept artifacts to untrusted third-party hosting or cloud providers.
- Do not test the physical security of Bina Nusantara offices or facilities.
- Do not conduct social engineering attacks (e.g., phishing, vishing, smishing) against Bina Nusantara employees, partners, or customers.
- Do not perform any testing that could harm our services, such as denial of service (DoS) attacks or destructive injection attacks.
- Do not spam or brute-force any registration or contact functionality.
- Make a good faith effort to avoid the destruction of data and interruption or degradation of our service and notify Bina Nusantara immediately if you believe you inadvertently caused any of these issues.
- Only interact with accounts you own or with the explicit permission of the account holder. Use test accounts where possible.
- Bina Nusantara employs a risk-based method of analysis together with the CVSS calculator to assess the severity of the problem.
- The report guidelines listed below must be followed.
Note: BINUS students, please use your Binusian email account to submit bug bounty reports in order to receive an additional SAT point.
The rewards will be classified as follows:
- BINUS University Student: You will receive a SAT, an appreciation certificate, and a bounty reward.
- Indonesian Citizen (Non-BINUS Student): You will receive an appreciation certificate and a bounty reward.
- Non-Indonesian Citizen: You will receive an appreciation certificate.
The reward given will be determined based on security risk considerations according to the following scheme:
- Critical - IDR 100,000,00
- High - IDR 100,000,00
- Medium - IDR 50,000,00
- Low - Certificate
In Scope
- *.binus.ac.id
- *.binus.edu
Out Of Scope
- Attacks that require physical access to a certain resource
- Attacks that require human interactions (social engineering)
- Attacks that will take down the infrastructure (DoS or DDoS)
Responsible Disclosure Policy
We thank you for your effort, but you do not have permission to share or publish anything related to the vulnerabilities you discovered. All you may publish is the certificate of appreciation that you received.
Report Guidelines
- You must use the report template that has been provided by Bina Nusantara in the "Submit" section.
- For the security bug report, please submit your findings via email, including the attack scenario, the security impact of the bug, and the proof of concept that contains step-by-step instructions, screenshots, and the remediation. Don't forget to attach a proof-of-concept video (by link) to reproduce the vulnerability.
- Researchers must alert Bina Nusantara in their report if any privacy breaches or disruptions, such as unauthorized access to other users' data, service configurations, or other sensitive information, unintentionally occurred while uncovering vulnerabilities.
FAQ
Q: What if I found a vulnerability, but I don't know how to exploit it?
A: We expect that vulnerability reports sent to us include a valid attack scenario to qualify for a reward, and we consider this a critical step in vulnerability research. Reward amounts are decided based on the maximum impact of the vulnerability, and the panel is willing to reconsider a reward amount based on new information (such as a chain of bugs or a revised attack scenario).
Q: Who determines whether my report is eligible for a reward?
A: The reward panel consists of the members of the Bina Nusantara Cyber Security Team.