Shipt believes that working with skilled security researchers across the globe
is crucial in identifying weaknesses in any technology. If you believe you've
found a security issue in our product or service, we encourage you to notify
us. We welcome working with you to resolve the issue promptly.
** Shipt's security team will rate the vulnerability using a risk-based method
based on the affected asset and exposure (e.g. not all 'information leaks' are
equal in severity). Reward examples above are only examples, and reward(s)
could increase or decrease depending on severity.
Credentials and Testing Guidelines
When testing against Shipt's environments please do the following:
- Append the watermark HackerOne to the end of your User-Agent request header, for example:
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)HackerOne
- When registering an account in production member applications, add +h1 to the
  end of your email address, e.g.
** Failure to comply with the above could result in any submission being out
of scope and/or being banned from the program.
We provide staging-*.shipt.com environments in scope. These are
development/testing environments, and stack traces and/or detailed error
messages may or may not be enabled. This is by design and we are aware of
it. Any reports regarding these error messages that do not include a proof
of concept of exploitation and/or only offer 'theoretical' vulnerabilities will
be closed as N/A.
Shipt is using HackerOne Triage for its Bug Bounty Program, and our internal
security engineering team will also actively review submitted reports. If you
submit a vulnerability report, the Shipt security team and associated
development organizations will use reasonable efforts to follow these response targets:
- Time to first response (from report submit) - 5 business days
- Time to triage (from report submit) - 10 business days
- Time to bounty (from triage) - 10 business days
We are currently focused on our primary and critical public facing sites and
applications. We expect to expand our scope to more assets in the future.
However, if you enumerate other Shipt assets and identify vulnerabilities
against those, your reports may still be eligible for a bounty, so please
responsibly disclose those to us as well.
- www.shipt.com (3rd-party hosted site)
- Shipt iOS / Android app
- admin.shipt.com (** we do not provision test accounts for our admin site or shopper applications, but will encourage and accept reports regarding valid, unauthenticated vulnerabilities)
Out of scope
- API key disclosure or leak without a PoC of exploitability.
- Internal IP address disclosures without any proof of exploitation.
- Stack traces or error messages in staging environments without proof of exploitation.
- Any activity that could lead to the disruption of our service (DoS).
- Clickjacking on pages with no sensitive actions. (We are currently aware of existing issues in shop.shipt.com)
- Content spoofing and text injection issues without showing an attack vector (please do not actively engage in social engineering or phishing attempts against our employees or support staff via chat, email, or phone for PoCs).
- Invalid or missing SPF (Sender Policy Framework) records.
- Attacks requiring MitM or physical access to a user's device.
- Missing best practices in SSL/TLS configuration.
- Password and account recovery policies, such as reset link expiration or password complexity.
- Rate limit attacks or spamming.
- Unauthenticated or logout CSRF.
- User enumeration.
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
- Previously known vulnerable libraries or software versions without a working PoC.
- Any CORS-related vulnerabilities without a working PoC showing sensitive actions or data being affected.
- Self-XSS, or XSS that affects only out-of-date browsers or devices that require the user to configure them in an insecure state (e.g. allowing installation of applications from untrusted sources).
Eligibility and Disclosure
- You must be the first reporter of a vulnerability.
- If you identify an issue that involves compromised credentials, please validate the credentials for your PoC only once, by logging in to one of the affected platforms (if there are potentially more). DO NOT attempt to test for credential re-use against other platforms unless Shipt Security requests that you do so (we may ask you to assist and may add reward bonuses for your help).
- You may not publicly disclose the vulnerability prior to our resolution or without mutual agreement.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- We can be legally prohibited from rewarding you (for example, you can't be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied-parties or sanctions list).
While researching, we'd like to ask you to refrain from:
- Denial of service
- Any physical attempts against Shipt property
- Social engineering (e.g. phishing, vishing, smishing)
- We are interested in application vulnerability reports. Social engineering is strictly prohibited (e.g. attempting to get a password changed). If you attempt any social engineering attacks or contact our support team in any way, this can result in you being banned from our program.
- Any attempts against other companies that we are affiliated with in any way unless explicitly defined in the target scope.
You are responsible for complying with applicable laws in connection with your
participation in this program and for any applicable taxes associated with any
reward you receive.
We may modify the terms of this program or terminate this program at any time.
Thank you for helping keep Shipt and our users safe!
Hall of Fame