| Scope Type | Scope Name |
| --- | --- |
| ios_application | IOS Shopper App |
| ios_application | IOS Member App |
Shipt believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
** Shipt's security team will rate the vulnerability using a risk-based method based on the affected asset and exposure (e.g., not all 'information leaks' are equal in severity). The rewards above are only examples, and rewards could increase or decrease depending on severity.
Append the watermark HackerOne to the end of your User-Agent request header:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)HackerOne
When registering an account in production member applications, add +h1 to the end of your email address, e.g.
** Failure to comply with the above could result in any submission being out of scope and/or being banned from the program.
development/testing environments and stack traces and/or detailed error messages may or may not be enabled. This is by design and we are aware of it. Any reports about these error messages that do not demonstrate a proof of concept of exploitation and/or only describe 'theoretical' vulnerabilities will be closed as N/A.
Shipt is using HackerOne Triage for its Bug Bounty Program, and our internal security engineering team will also actively review submitted reports. If you submit a vulnerability report, the Shipt security team and associated development organizations will use reasonable efforts to follow these response time frames:
We are currently focused on our primary and critical public-facing sites and applications. We expect to expand our scope to more assets in the future. However, if you enumerate other Shipt assets and identify vulnerabilities against those, your reports may still be eligible for a bounty, so please responsibly disclose those to us as well.
If you identify a vulnerability within a 3rd party SaaS platform that Shipt uses and it is not explicitly in scope below, please report it to the 3rd party's responsible disclosure program, bug bounty program, or security team instead of to us. If you report it to us, we will be happy to assist you in reporting it to the third party; however, these reports usually will not be eligible for bounty from Shipt (unless special conditions are met, such as the root cause being a misconfiguration by Shipt and not under the control of the 3rd party).
marked as duplicate or N/A):
While researching, we'd like to ask you to refrain from:
You are responsible for complying with applicable laws in connection with your participation in this program and for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time.
Thank you for helping keep Shipt and our users safe!