Reports in indrive program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Blind SQL injection on id.indrive.com | $4134.0 |
| 2 | Change phone number OTP flaw leads to any phone number takeover | $2000.0 |
| 3 | inDriver Job - Admin Approval Bypass | $1000.0 |
| 4 | Stored XSS on promo.indrive.com | $284.0 |
| 5 | Rider can forcefully get passenger's order accepted resulting in multiple impacts including PII reveal and more mentioned in the report. | $0.0 |
| 6 | Full access to InDrive jira panel via exposed API token | $0.0 |
| 7 | the domain is truck-admin.eu-east-1.indriverapp.com and Enter the management system of the blasting mobile phone verification code | $0.0 |
| 8 | Bypassing Garbage Collection with Uppercase Endpoint | $0.0 |
| 9 | SSRF in https://couriers.indrive.com/api/file-storage | $0.0 |
| 10 | XSS on terra-6.indriverapp.com | $0.0 |
| 11 | Host Header Injection - internal.qa.delivery.indrive.com | $0.0 |
| 12 | Disclosure of users' ip address whenever they view my fright offer on image preview (Without interaction) | $0.0 |
| 13 | # Drivers can access the customers phone number, current location without getting their offer accepted! | $0.0 |
| 14 | #3 XSS on watchdocs.indriverapp.com | $0.0 |
| 15 | #2 XSS on watchdocs.indriverapp.com | $0.0 |
| 16 | #1 XSS on watchdocs.indriverapp.com | $0.0 |
| 17 | Reflected XSS of media.indrive.com | $0.0 |
| 18 | Unlimited fake rate to the passenger in city to city, Affected endpoint /api/v1/reviews/ride/<ID>/driver | $0.0 |