Banner object (1)

Hack and Take the Cash !

790 bounties in database
  Back Link to program      
Deliveroo logo
Hall of Fame


150 $ 

In Scope

Scope Type Scope Name
android_application com.deliveroo.driverapp
ios_application com.deliveroo.orderapp
ios_application com.deliveroo.orderapp
ios_application com.deliveroo.riderapp
web_application *
web_application *
web_application *
web_application *

Out of Scope

Scope Type Scope Name
web_application .deliveroo.*
web_application .deliveroo.*
web_application .deliveroo.*
web_application .deliveroo.*
web_application news.deliveroo.*
web_application terms.deliveroo.*
web_application foodscene.deliveroo.*
web_application blog.deliveroo.*
web_application packaging.deliveroo.*
web_application cdn
web_application careers.deliveroo.*



Severity | Reward
Critical | $3000-$5000
High | $1500-$3000
Medium | $500-$1500
Low | $300-$500

All confirmed vulnerabilities will be considered, assessed and awarded a bounty based on severity as determined by CVSS v3.0.


Deliveroo recognises security as a key enabler to our goal to become the definitive food company. We welcome the security researcher community to engage with Deliveroo to help us continuously improve the security of our products.

What are the basics?

  • Deliveroo offer a bounty for reporting qualifying security vulnerabilities.
  • Please review the following rules before you report a vulnerability, by participating in this program you agree to be bound by these rules.

Eligibility & Disclosure Policy

Before Deliveroo will consider making a bounty payment to a reporter, the Rules must have been followed, and the following criteria must be met; you will:

  • Follow HackerOne's disclosure guidelines.
  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • The reporter must be the first person to report this bug.
  • The reported bug must be a qualifying vulnerability that is not otherwise excluded via the list of “non-qualifying vulnerabilities”, both defined below.
  • The reporter must not be associated to Deliveroo e.g. an employee, vendor or contractor.


If you comply with the following rules, we will not initiate any legal action against you in response to your report (or action that you have taken in connection with your report):

  • The reporter must not impact any third-party customer accounts, instead use your [username]@wearehackerone email alias. See the following document for more details:
  • The reporter must not materially impact Deliveroo operations or in any way made use of any issues discovered for any reason beyond the identification of those issues.
  • The reporter must not attempt to view, modify, damage or interact in any way with any information belonging to others, and, to the extent that reporter does this inadvertently, the reporter must disclose this to Deliveroo in their report. In particular, the reporter must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service. If the reporter encounters personal data or personal identifiable information (PII) they must contact us immediately, not proceed with access, and immediately purge any local information.

Scope Restrictions

Please check the "scope" table carefully, paying special attention to the wildcarded exclusions.

Non-Qualifying Vulnerabilities

  • Certain vulnerabilities are categorised as “non-qualifying”; these include:
  • Physical attacks upon Deliveroo properties or data centres
  • Spam, Phishing, Vishing, Smishing, Social Engineering
  • Any forms of Denial of Service Attack
  • Rate limiting issues that do not have a demonstrable impact
  • User enumeration
  • Missing best practices in SSL/TLS configuration
  • Missing best practices in header configuration
  • Missing best practices in DNS records such as SPF/DKIM
  • Clickjacking on pages with no sensitive actions
  • Issues without clear security impact (e.g.: Logged-Out CSRF)
  • Issues caused by compromise of, or outdated, client platform security
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Access to information which is intentionally “public”
  • Access to content via means of CDN / Content Delivery Networks / Network caches
  • Security issues in third-party applications which are not managed by Deliveroo, even if they integrate with or are used by in-scope Deliveroo apps, pages or resources (e.g.: vulnerabilities in Github)

Thank you for helping keep Deliveroo and our users safe!

FireBounty © 2015-2019

Legal notices