100 $ 


Shipt believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

** Shipt's security team will rate the vulnerability using a risk-based method based on the affected asset and exposure (ex. all 'information leaks' are not equal in severity). Reward examples above are only examples, and reward(s) could increase or decrease depending on severity.

Credentials and Testing Guidelines

When testing against Shipt's environments please do the following:

  • Append the watermark HackerOne to the end of your User-Agent request headers. Example:
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)HackerOne
  • When registering an account in production member applications, add +h1 to the end of your email address, e.g.

** Failure to comply with the above could result in any submission being out of scope and/or being banned from the program.
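The two markers above (the User-Agent watermark and the +h1 email tag) exist so that the program owner can tell researcher traffic apart from real attacks in its logs. The following is an added example, not part of the Shipt program text or any Shipt tooling: a small defender-side tagger that reads combined-format access log lines (constructed samples) and flags requests carrying the watermark, plus a helper that recognises the +h1 sub-address on signup emails. It assumes the tag ends the local part of the address (name+h1@example.com), which is the usual reading of "end of your email address".

```python
"""Added example (not from the Shipt program page): tag bug-bounty researcher
traffic in access logs using the two markers the program asks researchers to set.
All log lines and addresses below are constructed samples."""
import re
from dataclasses import dataclass
from typing import List, Set

UA_WATERMARK = "HackerOne"   # watermark the program asks for at the END of the User-Agent
EMAIL_TAG = "+h1"            # sub-address tag for accounts created during testing

# Combined log format; the User-Agent is the last quoted field. Constructed samples.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2020:10:00:00 +0000] "GET /api/v1/orders HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)HackerOne"
10.0.0.2 - - [01/Jan/2020:10:00:01 +0000] "GET /api/v1/orders HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
10.0.0.3 - - [01/Jan/2020:10:00:02 +0000] "POST /signup HTTP/1.1" 302 0 "-" "curl/7.64.0 HackerOne"
10.0.0.4 - - [01/Jan/2020:10:00:03 +0000] "GET /HackerOne HTTP/1.1" 404 0 "-" "Mozilla/5.0 HackerOne (bot)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


@dataclass
class Request:
    ip: str
    request: str
    user_agent: str
    researcher: bool  # True when the User-Agent carries the watermark as required


def is_watermarked_ua(user_agent: str) -> bool:
    """The program asks for the watermark at the end of the header, so only a
    trailing match counts; the word appearing elsewhere (line 4 above) does not."""
    return user_agent.rstrip().endswith(UA_WATERMARK)


def is_tagged_email(address: str) -> bool:
    """True when the local part ends with the +h1 tag, e.g. alice+h1@example.com.
    Assumption (not stated verbatim on the page): the tag closes the local part."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return False
    return local.lower().endswith(EMAIL_TAG)


def parse_log(text: str) -> List[Request]:
    """Parse combined-format lines; malformed lines are skipped rather than
    crashing the tagger, since log parsers run on untrusted input."""
    out: List[Request] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = m.group("ua")
        out.append(Request(m.group("ip"), m.group("req"), ua, is_watermarked_ua(ua)))
    return out


def researcher_ips(text: str) -> Set[str]:
    """Source addresses whose requests declare themselves as program testing."""
    return {r.ip for r in parse_log(text) if r.researcher}


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(("RESEARCH " if r.researcher else "         ") + r.ip + "  " + r.request)
    print("tagged signup:", is_tagged_email("alice+h1@example.com"))
```

The watermark is self-declared, so it is useful for attribution and triage (routing an alert to the bounty queue, correlating a report with its requests) but must never relax a control: a request with the suffix gets the same authentication, rate limiting and WAF treatment as any other.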

We provide staging-* environments in scope. These are development/testing environments, and stack traces and/or detailed error messages may or may not be enabled. This is by design and we are aware of this. Any reports submitted regarding these error messages that do not prove concept of exploitation and/or only offer 'theoretical' vulnerabilities will be closed as N/A.


Shipt is using Hackerone Triage for its Bug Bounty Program and our internal security engineering team will also actively review reports submitted. If you submit a vulnerability report, the Shipt security team and associated development organizations will use reasonable efforts to follow these response time frames:

  • Time to first response (from report submit) - 5 business days
  • Time to triage (from report submit) - 10 business days
  • Time to bounty (from triage) - 10 business days


We are currently focused on our primary and critical public facing sites and applications. We expect to expand our scope to more assets in the future. However, if you enumerate other Shipt assets and identify vulnerabilities against those, your reports may still be eligible for a bounty, so please responsibly disclose those to us as well.
If you identify a vulnerability within a 3rd party SaaS platform that Shipt uses and it is not explicitly in scope below, please report it to the 3rd party's responsible disclosure program, bug bounty program, or security team instead of to us. If you report it to us, we will be happy to assist you in reporting it to the third party; however, these reports usually will not be eligible for a bounty from Shipt (unless special conditions are met, such as the root cause being a misconfiguration by Shipt and not under the control of the 3rd party).

  • __(3rd party hosted site)
  • Shipt iOS / Android app
  • (** we do not provision test accounts for our admin site or shopper applications, but will encourage and accept reports regarding valid, unauthenticated vulnerabilities)

Out of scope

  • API key disclosure or leak without POC of exploitability.
  • Internal IP Address disclosures without any proof of exploitation.
  • Stack traces or error messages in staging environments without proof of exploitation.
  • Any activity that could lead to the disruption of our service (DoS).
  • Clickjacking on pages with no sensitive actions. (We are currently aware of existing issues in
  • Content spoofing and text injection issues without showing an attack vector (please do not actively engage in social engineering or phishing attempts to our employees or support staff via chat, email, or phone for POCs).
  • Invalid or missing SPF (Sender Policy Framework), DMARC, or DKIM records/configurations.
  • Attacks requiring MiTM or physical access to a user's device
  • Missing best practices in SSL/TLS configuration.
  • Password and account recovery policies, such as reset link expiration or password complexity.
  • Rate limit attacks or spamming.
  • Unauthenticated or logout CSRF.
  • User enumeration.
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
  • Previously known vulnerable libraries or software versions without a working Proof of Concept.
  • Any CORS-related vulnerabilities without working POC showing sensitive actions or data being affected.
  • Self XSS or XSS that affects only out-of-date browsers or devices that require the user to configure them in an insecure state (allowing installation of applications from untrusted sources).
  • Attacks predicated on a user's non-Shipt account being compromised (e.g. Attacker must compromise the user's Google/Gmail first before the vulnerability can be exploited).

Known issues that are currently being addressed or out of scope (will be marked as duplicate or N/A):

  • Clickjacking on and login page(s).
  • QA Test Credentials in various users' GitHub repositories.
  • References to old, abandoned, social media accounts in our blog or non-core assets.

Eligibility and Disclosure

  • You must be the first reporter of a vulnerability.
  • If you identify an issue that involves compromised credentials, please validate the credentials for your POC only once by logging in to 1 of the affected platforms (if there are potentially more). DO NOT attempt to test for credential re-use against other platforms unless Shipt Security requests that you do so (we may ask you to assist and may add reward bonuses for your help).
  • You may not publicly disclose the vulnerability prior to our resolution or without mutual agreement.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • We can be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list).


While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Any physical attempts against Shipt property
  • Social engineering (e.g. phishing, vishing, smishing)
  • We are interested in application vulnerability reports. Social engineering is strictly prohibited (e.g. to get a password changed). If you attempt any social engineering attacks or contact our support team in any way, this can result in you being banned from our program.
  • Any attempts against other companies that we are affiliated with in any way unless explicitly defined in the target scope.

You are responsible for complying with applicable laws in connection with your participation in this program and for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time.

Thank you for helping keep Shipt and our users safe!

In Scope

This program has 14 scopes in 2 scope categories.

FireBounty © 2015-2020
