goto-financial-public-bounty-program

YesWeHackView on YesWeHack

RawAI Enhanced

14

In Scope

2

Out of Scope

In-Scope Assets (14)

Asset	Category	Bounty	Quick Links
*.findaya.co.id	WILDCARD	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.findaya.com	WILDCARD	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.gaming.gopayapi.com	WILDCARD	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.go-pay.co.id	WILDCARD	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.gofin.io	WILDCARD	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.gopayapi.com	WILDCARD	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.gtflabs.io	WILDCARD	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
api.midtrans.com	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
app.midtrans.com	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
gopaymerchant.midtrans.com	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://apps.apple.com/id/app/gopay-transfer-pulsa-bills/id6446321594	IOS	Yes	-
https://play.google.com/store/apps/details?id=com.gojek.gopay&hl=id	ANDROID	Yes	Play Store APKPure APKMirror
mokapos.com	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
www.midtrans.com	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa

Out-of-Scope Assets (2)

Asset	Category	Bounty
- All other Goto Financial assets not listed above are to be considered as out of scope	OTHER	Yes
- Any staging environment will be out of scope (staging domain could be indicated by words like test/integration/staging, etc)	OTHER	Yes

Scope Changes (50)

Feb 25, 2026

Change	Asset	Category	Scope	Time
Added	www.midtrans.com	URL	In Scope	19:08
Added	app.midtrans.com	URL	In Scope	19:08
Added	https://apps.apple.com/id/app/gopay-transfer-pulsa-bills/id6446321594	IOS	In Scope	19:08
Added	https://play.google.com/store/apps/details?id=com.gojek.gopay&hl=id	ANDROID	In Scope	19:08
Added	gopaymerchant.midtrans.com	URL	In Scope	19:08
Added	*.gopayapi.com	WILDCARD	In Scope	19:08
Added	api.midtrans.com	URL	In Scope	19:08
Added	*.gofin.io	WILDCARD	In Scope	19:08
Added	*.findaya.com	WILDCARD	In Scope	19:08
Added	- all other goto financial assets not listed above are to be considered as out of scope	OTHER	Out of Scope	19:08
Added	*.gaming.gopayapi.com	WILDCARD	In Scope	19:08
Added	*.findaya.co.id	WILDCARD	In Scope	19:08
Added	*.gtflabs.io	WILDCARD	In Scope	19:08
Added	- any staging environment will be out of scope (staging domain could be indicated by words like test/integration/staging, etc)	OTHER	Out of Scope	19:08
Added	mokapos.com	URL	In Scope	19:08
Added	*.go-pay.co.id	WILDCARD	In Scope	19:08

Feb 22, 2026

Change	Asset	Category	Scope	Time
Added	api.midtrans.com	URL	In Scope	00:51
Added	app.midtrans.com	URL	In Scope	00:51
Added	*.findaya.com	WILDCARD	In Scope	00:51
Added	https://play.google.com/store/apps/details?id=com.gojek.gopay&hl=id	ANDROID	In Scope	00:51
Added	www.midtrans.com	URL	In Scope	00:51
Added	*.gaming.gopayapi.com	WILDCARD	In Scope	00:51
Added	*.gofin.io	WILDCARD	In Scope	00:51
Added	*.findaya.co.id	WILDCARD	In Scope	00:51
Added	- all other goto financial assets not listed above are to be considered as out of scope	OTHER	Out of Scope	00:51
Added	https://apps.apple.com/id/app/gopay-transfer-pulsa-bills/id6446321594	IOS	In Scope	00:51
Added	*.gopayapi.com	WILDCARD	In Scope	00:51
Added	gopaymerchant.midtrans.com	URL	In Scope	00:51
Added	*.gtflabs.io	WILDCARD	In Scope	00:51
Added	- any staging environment will be out of scope (staging domain could be indicated by words like test/integration/staging, etc)	OTHER	Out of Scope	00:51
Added	mokapos.com	URL	In Scope	00:51
Added	*.go-pay.co.id	WILDCARD	In Scope	00:51

Feb 21, 2026

Change	Asset	Category	Scope	Time
Removed	www.midtrans.com	URL	In Scope	21:40
Removed	*.gaming.gopayapi.com	WILDCARD	In Scope	21:40
Removed	https://apps.apple.com/id/app/gopay-transfer-pulsa-bills/id6446321594	IOS	In Scope	21:40
Removed	https://play.google.com/store/apps/details?id=com.gojek.gopay&hl=id	ANDROID	In Scope	21:40
Removed	*.gopayapi.com	WILDCARD	In Scope	21:40
Removed	gopaymerchant.midtrans.com	URL	In Scope	21:40
Removed	mokapos.com	URL	In Scope	21:40
Removed	*.go-pay.co.id	WILDCARD	In Scope	21:40
Removed	api.midtrans.com	URL	In Scope	21:40
Removed	app.midtrans.com	URL	In Scope	21:40
Removed	*.gofin.io	WILDCARD	In Scope	21:40
Removed	*.findaya.com	WILDCARD	In Scope	21:40
Removed	*.findaya.co.id	WILDCARD	In Scope	21:40
Removed	*.gtflabs.io	WILDCARD	In Scope	21:40
Removed	- any staging environment will be out of scope (staging domain could be indicated by words like test/integration/staging, etc)	OTHER	Out of Scope	21:40
Removed	- all other goto financial assets not listed above are to be considered as out of scope	OTHER	Out of Scope	21:40
Added	- any staging environment will be out of scope (staging domain could be indicated by words like test/integration/staging, etc)	OTHER	Out of Scope	00:33
Added	- all other goto financial assets not listed above are to be considered as out of scope	OTHER	Out of Scope	00:33