Deliveroo

2018-04-17
2019-08-07

Rewards

| Severity | Reward |
|----------|--------|
| Critical | $3000-$5000 |
| High | $1500-$3000 |
| Medium | $500-$1500 |
| Low | $300-$500 |

All confirmed vulnerabilities will be considered, assessed and awarded a bounty based on severity as determined by CVSS v3.0.

Goals

Deliveroo recognises security as a key enabler to our goal to become the definitive food company. We welcome the security researcher community to engage with Deliveroo to help us continuously improve the security of our products.

What are the basics?

  • Deliveroo offers a bounty for reporting qualifying security vulnerabilities.

  • Please review the following rules before you report a vulnerability; by participating in this program you agree to be bound by these rules.

Eligibility & Disclosure Policy

Before Deliveroo will consider making a bounty payment to a reporter, the Rules must have been followed, and the following criteria must be met; you will:

  • Follow HackerOne's disclosure guidelines.

  • Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.

  • Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • The reporter must be the first person to report this bug.

  • The reported bug must be a qualifying vulnerability that is not otherwise excluded via the list of “non-qualifying vulnerabilities”, both defined below.

  • The reporter must not be associated with Deliveroo, e.g. as an employee, vendor or contractor.

Rules

If you comply with the following rules, we will not initiate any legal action against you in response to your report (or action that you have taken in connection with your report):

  • The reporter must not impact any third-party customer accounts.

  • Use your [username]@wearehackerone email alias when testing or reporting bugs.

  • The reporter must not materially impact Deliveroo operations or in any way make use of any issues discovered for any reason beyond the identification of those issues.

  • The reporter must not attempt to view, modify, damage or interact in any way with any information belonging to others, and, to the extent that reporter does this inadvertently, the reporter must disclose this to Deliveroo in their report. In particular, the reporter must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service. If the reporter encounters personal data or personal identifiable information (PII) they must contact us immediately, not proceed with access, and immediately purge any local information.

  • Do not intentionally harm the experience or usefulness of the service to others, including the degradation of services through brute-force or denial of service attacks.

Scope Restrictions

Please check the "scope" table carefully, paying special attention to the wildcarded exclusions.

Non-Qualifying Vulnerabilities

Certain vulnerabilities are categorised as “non-qualifying”; these include:

  • Physical attacks upon Deliveroo properties or data centres

  • Spam, Phishing, Vishing, Smishing, Social Engineering

  • Any forms of Denial of Service (DoS) Attack

  • Any Rate Limit issues

  • User enumeration

  • Missing best practices in SSL/TLS configuration

  • Missing best practices in header configuration

  • Missing best practices in DNS records such as SPF/DKIM

  • Clickjacking on pages with no sensitive actions

  • API Keys found within our iOS or Android Apps or any Google API Key

  • Issues without clear security impact (e.g.: Logged-Out CSRF)

  • Issues caused by compromise of, or outdated, client platform security

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Access to information which is intentionally “public”

  • Access to content via means of CDN / Content Delivery Networks / Network caches

  • Security issues in third-party applications which are not managed by Deliveroo, even if they integrate with or are used by in-scope Deliveroo apps, pages or resources (e.g.: vulnerabilities in GitHub)

Thank you for helping keep Deliveroo and our users safe!

In Scope

| Scope Type | Scope Name |
|------------|------------|
| android_application | com.deliveroo.orderapp |
| android_application | com.deliveroo.driverapp |
| ios_application | com.deliveroo.orderapp |
| ios_application | com.deliveroo.riderapp |
| web_application | *.deliveroo-data.io |
| web_application | *.deliveroo-data-test.io |
| web_application | *.deliveroo-streams.net |
| web_application | *.deliveroo-data.net |
| web_application | *.deliveroo.* |

Out of Scope

| Scope Type | Scope Name |
|------------|------------|
| web_application | fs1.deliveroo.co.uk |
| web_application | email-assets.deliveroo.co.uk |
| web_application | news.deliveroo.* |
| web_application | terms.deliveroo.* |
| web_application | foodscene.deliveroo.* |
| web_application | blog.deliveroo.* |
| web_application | packaging.deliveroo.* |
| web_application | careers.deliveroo.* |
| web_application | deliveroo-packaging.com |
| web_application | staging.deliveroo.* |
| web_application | demo.deliveroo.* |
| web_application | test.deliveroo.* |
| web_application | dev.deliveroo.* |
| web_application | cdn.deliveroo. |
| web_application | dtm.deliveroo.* |
| web_application | dtmc.deliveroo.* |
| web_application | go.deliveroo.com |
| web_application | riderapply.deliveroo.com |
| web_application | riders.deliveroo.* |


This program, crawled on 2018-04-17, is categorised as a bounty program.

FireBounty © 2015-2024
