Through Your hunting
help Bali safer.|become better.|improve security.

Your help in strengthening the security of Bali
is critical for our existing system.
Report a case
Bali Public Bug Hunter
Aims to help the team find bug problems to close security gaps for the entire existing system. Some things that can be reported in accordance with applicable regulations are data breaches, access to data, outages and performance issues.
What's in coverage?
Reward & Bounty
Reward amounts may vary depending upon the severity of the vulnerability and its impact on the system, the quality of the report, and the type of affected system. We uses the international standard for risk calculations that is OWASP Risk Rating Methodology.
Overall Risk Severity
Likehood Factors
  • Skill Level
  • Motive
  • Opportunity
  • Size
  • Ease of Discovery
  • Ease of Exploit
  • Awareness
  • Intrusion Detection
Impact Factors
  • Loss of Confidentiality
  • Loss of Integrity
  • Loss of Availability
  • Loss of Accountability
  • Financial Damage
  • Reputation Damage
  • Non-compliance
  • Privacy Violation
Researchers Scope
In Scope Properties
In Scope Vulnerability
  • SQL Injection
  • Cross-site Scripting (XSS)
  • Significant Authentication Bypass
  • Access Control Issues (Insecure Direct Object Reference issues, etc)
  • Cross-site Request Forgery in Critical Action
  • Information disclosure of Sensitive Information
  • Server-Side Request Forgery (SSRF)
  • Server-side Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Exposed Administrative Panels that don't require login credentials
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Server Side Template Injection (SSTI)
You are
the eyes of Bali
Aims to help the team fix bug problems to close security gaps for the entire existing system Report a case
Rules & Eligibility
  • Be the first one to report a specific vulnerability. Duplicate report is not eligible for bounty reward.
  • Include details and verifiable proof of concept (e.g. screenshot, video, script). If our team cannot reproduce or verify an issue, a bounty cannot be awarded.
  • Reporter eligible for bounty after we decides to fix the bug.
  • Do not share the vulnerability information to any party without permission.
  • Reporter of vulnerability is required to use their own accounts when performing testing, DO NOT attempt to view or tamper any data belonging to others.
  • Reporter of vulnerability is prohibited to disturb, change, add, or delete any data or configuration inside the systems, targeting other users or compromising the reputation of Visit.
  • Reporter of vulnerability is prohibited to take advantage of any vulnerability as a pivot or chain to find another vulnerability inside Visit systems.
  • DO NOT perform DDoS or DoS attack to Visit systems.
  • Visit reserves the right to cancel or modify this program at any time without prior announcement.
  • By participating in this program, you have agreed to comply with all applicable local and international laws.
Form Report A Case

Click here to upload files.

You have uploaded 0 files

We'll do our best to get back to you within 1-7 working days.