Barantum is Indonesia’s leading CRM, Omnichannel Chat, and Cloud Call Center platform, helping
businesses improve sales productivity and customer service performance. Since 2017, Barantum has
provided cloud-based solutions to manage customer data, conversations, and team activities in
one integrated system.
Barantum is committed to maintaining the security of our systems and customer data. We
collaborate with the global security community to identify and resolve vulnerabilities that
could potentially impact our platform. Your participation is vital in helping us enhance
security and reliability.
Program Rules
- Submit vulnerability reports to bughunter@barantum.com. Reports must include:
  - A detailed description of the vulnerability
  - Clear and reproducible steps to replicate the issue
  - An evaluation of the potential impact
  - Written in English or Indonesian
- Submit only one vulnerability per report unless multiple issues need to be chained to demonstrate impact.
- Reports must contain valid and previously unreported vulnerabilities.
  - The first valid reporter is the only party eligible for a reward.
- Personal information may be required for bounty payment processing.
- Barantum employees and contractors are not eligible to participate.
Acknowledgements & Rewards
Rewards follow the CVSS 3.1 severity scoring guidelines:

| Severity | Reward |
|---|---|
| Critical (9.0 – 10.0) | Rp 5,000,000 |
| High (7.0 – 8.9) | Rp 3,000,000 |
| Medium (4.0 – 6.9) | Rp 1,000,000 |
| Low (0.1 – 3.9) | Rp 500,000 |
Required information for reward processing:
- Indonesian Citizen: KTP, NPWP, email, and bank account number
- Foreign Nationals: Passport, email, and bank account number
Scope
The Barantum Bug Bounty Program covers the following assets:
Web Applications:
Mobile Applications:
Please ensure your findings fall within the scope to be eligible for rewards.
Exclusions
Out-of-Scope Assets
Any asset not listed in the scope section is considered out of scope.
Website/API Exclusions
- Third-party service vulnerabilities
- Clickjacking without sensitive actions
- CSRF without significant impact
- DoS and service disruption attacks
- Bruteforce attacks on non-authentication endpoints
- Issues on outdated browsers (older than 2 stable versions)
- Banner disclosure and verbose error messages
- Open redirects without security impact
- Self-XSS without impact to other users
- Publicly accessible files (robots.txt, etc.)
- Automated scanner results without valid proof of concept
- Missing best practices (CSP, cookie flags, HTTP headers)
- Infrastructure issues (TLS, open ports, SPF/DMARC)
Mobile App Exclusions
- Leaked URIs accessible by other apps
- Missing exploit mitigations (PIE, ARC)
- Lack of certificate pinning
- Sensitive data in requests protected by TLS
- File paths exposed in binaries
- Runtime attacks requiring rooted/jailbroken devices
- App crashes without sensitive data leakage
- Third-party API keys without impactful exposure
Data Protection
By participating in this program, you acknowledge and agree to the following data handling
obligations:
Definitions
- Agreed Purposes: data processing related to the Bug Bounty Program
- Confidential Information: non-public Barantum information
- Data: all information processed during the program
- Personal Data: information identifying an individual
- Protection Failure: any data breach or unauthorized access
Researcher Obligations
- Maintain confidentiality of all accessed data
- Do not use data for personal or external purposes
- Do not disclose any data without written permission
- Report any suspected breach within 24 hours
- Delete all data after investigation or upon request
- Do not falsify or misuse Barantum data
Legal
- Barantum will not take legal action against researchers who comply with this program’s
rules.
- All submitted findings, reports, and data belong to Barantum.
- Researchers are responsible for any losses caused by negligent actions.
Barantum Security Team
Last Updated: January 1, 2025