| Severity | Reward |
|----------|--------|
| Critical | $3000-$5000 |
| High | $1500-$3000 |
| Medium | $500-$1500 |
| Low | $300-$500 |
All confirmed vulnerabilities will be considered, assessed and awarded a bounty based on severity as determined by CVSS v3.0.
Deliveroo recognises security as a key enabler to our goal to become the definitive food company. We welcome the security researcher community to engage with Deliveroo to help us continuously improve the security of our products.
What are the basics?
Deliveroo offers a bounty for reporting qualifying security vulnerabilities.
Please review the following rules before you report a vulnerability; by participating in this program you agree to be bound by these rules.
Before Deliveroo will consider making a bounty payment to a reporter, the Rules must have been followed, and the following criteria must be met; you will:
Follow HackerOne's disclosure guidelines.
Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
The reporter must be the first person to report this bug.
The reported bug must be a qualifying vulnerability that is not otherwise excluded via the list of “non-qualifying vulnerabilities”, both defined below.
The reporter must not be associated with Deliveroo, e.g. as an employee, vendor or contractor.
If you comply with the following rules, we will not initiate any legal action against you in response to your report (or action that you have taken in connection with your report):
The reporter must not impact any third-party customer accounts.
Use your [username]@wearehackerone email alias when testing or reporting bugs.
The reporter must not materially impact Deliveroo operations or in any way make use of any issues discovered for any reason beyond the identification of those issues.
The reporter must not attempt to view, modify, damage or interact in any way with any information belonging to others, and, to the extent that the reporter does this inadvertently, the reporter must disclose this to Deliveroo in their report. In particular, the reporter must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service. If the reporter encounters personal data or personally identifiable information (PII) they must contact us immediately, not proceed with access, and immediately purge any local copies of that information.
Do not intentionally harm the experience or usefulness of the service to others, including the degradation of services through brute-force or denial of service attacks.
Please check the "scope" table carefully, paying special attention to the wildcarded exclusions.
Certain vulnerabilities are categorised as “non-qualifying”; these include:
Physical attacks upon Deliveroo properties or data centres
Spam, Phishing, Vishing, Smishing, Social Engineering
Any forms of Denial of Service (DoS) Attack
Any Rate Limit issues
User enumeration
Missing best practices in SSL/TLS configuration
Missing best practices in header configuration
Missing best practices in DNS records such as SPF/DKIM
Clickjacking on pages with no sensitive actions
API Keys found within our iOS or Android Apps or any Google API Key
Issues without clear security impact (e.g.: Logged-Out CSRF)
Issues caused by compromise of, or outdated, client platform security
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Access to information which is intentionally “public”
Access to content via means of CDN / Content Delivery Networks / Network caches
Security issues in third-party applications which are not managed by Deliveroo, even if they integrate with or are used by in-scope Deliveroo apps, pages or resources (e.g.: vulnerabilities in Github)
Thank you for helping keep Deliveroo and our users safe!
| Scope Type | Scope Name |
|---|---|
android_application | com.deliveroo.orderapp |
android_application | com.deliveroo.driverapp |
ios_application | com.deliveroo.orderapp |
ios_application | com.deliveroo.riderapp |
web_application | *.deliveroo-data.io |
web_application | *.deliveroo-data-test.io |
web_application | *.deliveroo-streams.net |
web_application | *.deliveroo-data.net |
web_application | .deliveroo. |
| Scope Type | Scope Name |
|---|---|
web_application | fs1.deliveroo.co.uk |
web_application | email-assets.deliveroo.co.uk |
web_application | news.deliveroo.* |
web_application | terms.deliveroo.* |
web_application | foodscene.deliveroo.* |
web_application | blog.deliveroo.* |
web_application | packaging.deliveroo.* |
web_application | careers.deliveroo.* |
web_application | deliveroo-packaging.com |
web_application | staging.deliveroo.* |
web_application | demo.deliveroo.* |
web_application | test.deliveroo.* |
web_application | dev.deliveroo.* |
web_application | cdn.deliveroo. |
web_application | dtm.deliveroo.* |
web_application | dtmc.deliveroo.* |
web_application | go.deliveroo.com |
web_application | riderapply.deliveroo.com |
web_application | riders.deliveroo.* |
This program, crawled on 2018-04-17, is sorted as bounty.
FireBounty © 2015-2024