HackerOne Blog

A Decade of Defense: Celebrating Grab's 10th Year Bug Bounty Program

Pei Shan Yap
Head of Cyber Assurance and Application Security
Prithvinder Singh
Sr. Manager, CyberSecurity
Zhen Hao Lee
Senior Cybersecurity Engineer
Shield on pink and blue background

We’re proud to share this story written by Pei Shan Yap, Prithvinder Singh, and Zhen Hao Lee of Grab, originally posted Dec. 1, 2025.

Ten years ago, we launched our bug bounty program in partnership with HackerOne. Beyond a security initiative, it represented an open invitation to collaborative development. As pioneers in Southeast Asia, our program began with 23 initial researchers and has since evolved into a global community of security researchers.

The strategic structure and scope of our Bug Bounty program, combined with our continuous innovation and experimentation, has successfully captured the attention of the global security research community. Over the past decade, we have partnered with more than 850 active security researchers from HackerOne's community of over 2 million cybersecurity professionals worldwide. These dedicated researchers work alongside us across borders and time zones, forming a collaborative defense network that helps protect over 187 million users throughout Southeast Asia. Their ongoing participation demonstrates both the maturity of our program and the trust we've built within the security research community.

This milestone reflects the strength of shared purpose and our sustained partnership with the HackerOne platform. It demonstrates the value of human connection and the collective understanding that security is stronger through collaboration. Here's to a decade of partnership and to many more years of building a safer future, one collaboration at a time!

Evolution and Growth: Adapting to a Dynamic Threat Landscape

Over the past ten years, our program has consistently adapted to the dynamic threat landscape and integrated invaluable feedback from our research community. We have grown from a private initiative to a program that consistently ranks among the Top 20 worldwide and is a proud member of the Top 3 in Asia on HackerOne.

Key milestones include:

  • Expanding Our Horizons: Our scope significantly broadened in 2023–2024, adding new assets including OVO Indonesia and AI systems.
  • Focused Mobile Security: Introduction of a dedicated bounty table for mobile-specific issues.
  • Incentivizing Excellence: Experimentation with diverse campaign types, rewards, and recognition.
  • Evolving Vulnerability Focus: Shift from foundational issues to more sophisticated and emerging categories.

The Global Stage: Connecting with the Best

Our program's success is deeply rooted in its vibrant global community, which we actively foster through continuous engagement. We meet researchers at major live hacking events including ThreatCon Live Hacking Event 2023 in Nepal and DEFCON 32's Live Recon Village 2024 in Las Vegas. These events help us connect with new talent and strengthen long-term researcher relationships.

High participation and quality submissions from global events have strengthened our standing in the worldwide cybersecurity community. These engagements confirm that security is a collaborative effort with no borders.

Exclusive Anniversary Celebrations: Global Club Campaigns

To celebrate our 10th anniversary, we partnered with HackerOne’s regional clubs in Germany, Morocco, and India to run invite-only campaigns. These served as cultural exchanges, giving us fresh perspectives and enabling us to understand varied threat landscapes and methodologies.

The broader anniversary campaign in August garnered 461 submissions. Researcher xchopath received the Best Hacker Bonus for outstanding contributions.

These campaigns also provided insights that informed our global expansion security strategy, helping us validate frameworks against different regulatory environments and testing methodologies.

Voices from Our Community

“This was my first private campaign event… the triage was very fast despite time differences… the scope and business portal with different user roles made it especially interesting.”

ArtSec, H1 German club campaign participant

“I started poking around the Grab program… the scope was huge with a lot of wildcards for reconnaissance.”

Sicksec, H1 Morocco club campaign participant

“I had no expectations… more than 20 bugs were reported… communication overall was very good, and immediate response outside working hours was cool.”

Lauritz, H1 Germany club campaign participant


The Road Ahead: Our Commitment to a Secure Future

With a strong global community and a decade of collaboration, every vulnerability report represents trust and dedication to our shared mission. Our internal cybersecurity teams play a central role as well, maintaining researcher trust and supporting effective triage.

The next decade will bring new challenges across artificial intelligence and emerging technology. We remain committed to advancing together as a community across cultures, time zones, and expertise.

Together, we'll continue securing Southeast Asia's digital future — one partnership, one discovery, and one shared achievement at a time.

See how HackerOne Bug Bounty can support your security goals

Crowdsourced Security
Bug Bounty