29/11/2016

Reward

100 $

In Scope

Scope Type           Scope Name
android_application  com.starbucks.cn
android_application  com.starbucks.mobilecard
android_application  com.starbucks.singapore
android_application  https://play.google.com/store/apps/details?id=com.starbucks.jp
android_application  https://play.google.com/store/apps/details?id=com.starbucks.cn
android_application  https://play.google.com/store/apps/details?id=com.starbucks.fr
android_application  https://play.google.com/store/apps/details?id=com.starbucks.de
android_application  https://play.google.com/store/apps/details?id=com.starbucks.br
android_application  https://play.google.com/store/apps/details?id=com.starbucks.mobilecard
android_application  https://play.google.com/store/apps/details?id=com.starbucks.singapore
ios_application      com.starbucks.jp
ios_application      com.starbucks.fr
ios_application      com.starbucks.de
ios_application      com.starbucks.br
ios_application      com.starbucks.sbuxsingapore
ios_application      com.starbuckschina.mystarbucksmoments
ios_application      com.starbucks.mystarbucks
ios_application      com.starbucks.mystarbucks.kr
ios_application      https://itunes.apple.com/sg/app/starbucks-singapore/id574621564
ios_application      https://itunes.apple.com/jp/app/id1113037275
ios_application      https://itunes.apple.com/us/app/starbucks-china/id499819758
ios_application      https://itunes.apple.com/fr/app/starbucks-france/id943993603
ios_application      https://itunes.apple.com/de/app/starbucks-deutschland/id948562829
ios_application      https://itunes.apple.com/br/app/starbucks-brasil/id1041179480
ios_application      https://itunes.apple.com/us/app/starbucks/id331177714
ios_application      https://itunes.apple.com/us/app/%EC%8A%A4%ED%83%80%EB%B2%85%EC%8A%A4/id466682252
other                Other non domain specific items
other                Other assets
other                Subdomain takeovers
other                Router/switch network vulnerabilities
other                Use of known default credentials
other                Cleartext transmission of sensitive production data
other                Significant information disclosures such as internal source code, PII, credentials (excluding those identified in other/prior public breaches).
other                If you have found a vulnerability in a Starbucks site or app not contained within this list, you can still submit, and Starbucks will triage the report.
web_application      www.starbucks.com
web_application      gift.starbucks.co.jp
web_application      www.starbucks.co.jp
web_application      www.starbucks.com.cn
web_application      www.starbucks.de
web_application      www.starbucks.fr
web_application      www.starbucks.co.uk
web_application      www.starbucks.com.br
web_application      www.starbucks.ca
web_application      card.starbucks.com.sg
web_application      www.istarbucks.co.kr
web_application      ec.starbucks.com.cn
web_application      preview.starbucks.com
web_application      app.starbucks.com
web_application      login.starbucks.co.jp/login
web_application      cart.starbucks.co.jp
web_application      www.starbucks.com.sg
web_application      www.starbucksreserve.com
web_application      www.teavana.com
web_application      https://www.starbucks.com/
web_application      https://gift.starbucks.co.jp/
web_application      https://www.starbucks.co.jp
web_application      https://www.starbucks.com.cn/
web_application      https://www.starbucks.de/
web_application      https://www.starbucks.fr/
web_application      www.starbucks.co.uk
web_application      https://www.starbucks.com.br/
web_application      https://www.starbucks.ca/
web_application      https://card.starbucks.com.sg
web_application      https://www.istarbucks.co.kr
web_application      https://ec.starbucks.com.cn
web_application      https://preview.starbucks.com
web_application      https://app.starbucks.com
web_application      https://login.starbucks.co.jp/login
web_application      https://cart.starbucks.co.jp/
web_application      https://www.starbucks.com.sg/
web_application      https://www.starbucksreserve.com/
web_application      https://www.teavana.com/

Starbucks

Starbucks believes in a program that fosters collaboration amongst security professionals to help protect our systems and our customers’ personal information from malicious activity arising from vulnerabilities in our networks, web and mobile applications, and from the security policies set across our organization. We treat the security and safety of our customers’ personal information with the utmost importance.
For the protection of our customers, Starbucks does not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.

Program Rules

  • Do not intentionally harm the experience or usefulness of the service to others, including degradation of services & denial of service attacks.
  • Do not attempt to view, modify, or damage data belonging to others.
  • Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.

Bounty Eligibility

  • You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
  • You must be the first to report the issue in order to be eligible for bounty.
  • You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
  • Starbucks Partners are not eligible for participation in this program.

Please consider the following when reporting issues:

Many of our sites share a common platform. Because of this, a vulnerability reported on one domain may exist on another domain if the sites are in the same platform. For example, an issue reported for starbucks.com may also be present in the exact same way on starbucks.ca and the issue can be resolved on both sites with the same fix. We ask that you take the time to replicate the issue in other sites, and if replicating, please include all occurrences in one report instead of submitting them as multiple reports. We treat the issue as one bug and will close out others as duplicates. Rest assured, we do take the existence of the vulnerability present on multiple sites into consideration during reward time.

Exclusions

  • Denial of Service attacks.
  • Descriptive error messages or headers (e.g. stack traces, application or server errors, banner grabbing).
  • Disclosure of known public files or directories.
  • Use of outdated software / library versions.
  • Use of a known-vulnerable library without a description of an exploit specific to our implementation.
  • OPTIONS / TRACE HTTP method enabled.
  • CSRF on logout.
  • CSRF on forms that are available to anonymous users.
  • Cookies that lack HTTP Only or Secure settings for non-sensitive data.
  • Self-XSS and issues exploitable only through Self-XSS.
  • Reports from automated tools or scans.
  • Attacks requiring physical access to a user's device or MITM attacks.
  • Attacks dependent upon social engineering of Starbucks employees or vendors.
  • Username enumeration based on login, forgot password, account creation and registration pages.
  • Enforcement policies for brute force or account lockout.
  • Reports about insecure SSL / TLS configuration.
  • Clickjacking and issues only exploitable through clickjacking.
  • Mail configuration issues including SPF, DKIM, DMARC settings.
  • Password or account recovery policies, such as reset link expiration or password complexity.
  • Presence of autocomplete functionality in form fields.
  • Publicly accessible login panels.
  • Lack of email address verification during account registration.
  • Rate-limiting issues.
  • Content spoofing / text injection.
  • Missing security headers.
  • Mixed content issues.
  • Issues related to active sessions after password changes.
  • Hyperlink injection in emails using forms available to any user.
  • Reports of credentials exposed by other data breaches / known credential lists.
  • Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or wildcard presence/misconfiguration in these.
  • Lack of obfuscation in mobile apps.
  • Absence of certificate pinning.
  • Lack of jailbreak detection in mobile apps.

Starbucks reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.

Rewards

All bounty amounts will be at the discretion of the Starbucks Bug Bounty team and will be evaluated for severity, impact, and quality of the report. There could be submissions for which we accept the risk and will not fix.

What to include in your report

A well-written report will allow us to more quickly and accurately triage your submission.

  • A clear description of the issue, including the impact you believe it has on the user, Starbucks, or others.
  • Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
  • Clear and valid security impact of the issue.
  • Your recommendations to resolve the issue.

Legal

Starbucks reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time. Must be 18 or older to be eligible for an award.

Thank you for helping keep Starbucks and our users safe!

FireBounty © 2015-2019