Shipt (HackerOne bug bounty program, as listed on FireBounty)

Dates listed: 2018-07-28, 2020-02-07

Reward types: Thank, Gift, HOF (Hall of Fame), Reward (100 $ shown)
Shipt Bug Bounty Program

====================

Shipt takes pride in providing customers a high quality shopping experience by working closely with highly trained Shipt Shoppers that strive for quality in delivering you excellence. At Shipt, we like to over-deliver delivery.

Here at Shipt, we believe that working with skilled security researchers is crucial in improving the security of Shipt for our users. If you believe you have found a security issue in our products or services, we welcome your cooperation and encourage you to notify us promptly.

Your participation in the Shipt Bug Bounty Program is voluntary. By participating, you agree to our Program Terms & Conditions. Security researchers are expected to conduct legal in-scope security research and submit a high quality report that is in accordance with the Bug Bounty Program Terms & Conditions. In these terms, references to “you” and/or “researcher” refers to a researcher within the HackerOne program. References to “we” and/or “us” refers to Shipt. References to “our” and/or “ours” refers to Shipt and its affiliate assets, and includes user accounts of employees and customers.

If (i) you do not meet the eligibility requirements stated in this policy; (ii) you breach any of the Program Terms & Conditions with Shipt or its affiliates; or (iii) we determine that your ethics or participation in this program could adversely impact Shipt, its affiliates, members, and/or our employees, we may, at our discretion, ban you from the program and further disqualify you from receiving any form of benefit from the Shipt Bug Bounty Program.

Thank you for helping keep Shipt and our users safe!

Bug Bounty Program Terms & Conditions

===============================

Researcher Safe Harbor


Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. This limited authorization does not provide you with authorization to access company data or another person’s account. Shipt cannot authorize any activity on third-party products or guarantee they will not pursue legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under Shipt's Bug Bounty Program Terms & Conditions, we will make it known that your actions were conducted in compliance with this policy.

Program Eligibility


To be eligible to participate in our Bug Bounty Program, you cannot be:

  • A current full-time employee or contractor of Shipt or any of its affiliates, or one who has been within the past 6 months

  • A resident of, or submit a report from, a country against which the United States of America has issued export sanctions or other trade restrictions, or an individual on a denied parties or sanctions list. Please contact us if you have questions about your eligibility based on your resident status or location.

  • In violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.

In addition, you must be the first researcher to report a vulnerability.

Program Rules


Do:

  • Abide by these Shipt Bug Bounty Program Terms & Conditions.

  • Comply with all applicable laws.

  • Be respectful when interacting with Shipt Staff/Team members and HackerOne Triage members.

  • Only conduct testing with accounts you own.

    • Test accounts must comply with testing conditions (Researchers must use @wearehackerone accounts.)
  • Immediately stop conducting research/testing when unsure. If you think you may have caused damage with testing a vulnerability, please report your initial findings and request authorization to continue testing.

Items in the following section are also Out of Scope of our Bug Bounty Program.

Do NOT:

  • Access, process or destroy Shipt employee data, customer data or Shipt intellectual property.

  • Mass create accounts to perform testing against our applications or services.

  • Publicly disclose vulnerabilities.

  • Make any attempts to extort us.

  • Run automated destructive testing.

  • Leave any of our systems in a more vulnerable state than you found them.

  • Upload shells, scripts, or create a backdoor of any kind.

  • Conduct Brute Force attacks or guess credentials against user accounts to gain access to our Systems.

  • Interact with accounts you do not own.

  • Make changes to/or save any Shipt data that is not yours or that you do not have explicit written permission to manipulate.

    • *If prompted to change a password of an account not registered by yourself or provided to you, stop conducting research and report the finding immediately.*

  • Conduct activities to be considered a privacy violation or destruction of data, such as exfiltrating or destroying data for any account that is not yours or that you do not have explicit written permission to manipulate.

  • Conduct tests that disrupt service to Shipt users or employees.

    • *Examples include, but are not limited to: Denial of Service, Distributed Denial of Service, DNS Spoofing, Buffer Overflow, Ping of Death, SYN Flood, Teardrop.*

  • Make attempts in any form of social engineering.

    • *Examples include, but are not limited to: Phishing (Angler, Spear), Whaling, Diversion Theft, Baiting, Honey Trap, Pretexting, SMS Phishing, Scareware, Watering Hole, etc.*

  • Engage in any form of physical penetration testing against Shipt properties or offices.

Program Disclosure Policy and Confidentiality

==================================

This policy applies when you participate in the Bug Bounty Program, notably as a result of you finding and/or investigating a security bug in our in-scope applications or infrastructure. Any information you receive, collect or otherwise obtain about us, our services, our technology/code, our processes, our affiliates or any of our members, employees or agents in connection with our Bug Bounty Program may not be used, disclosed or distributed except as part of a Report. You also agree not to disclose that you are participating in our Bug Bounty Program.

By participating in our Bug Bounty Program, you represent and warrant that you have not used and will not use Confidential Shipt Information for any purpose other than in connection with the Bug Bounty Program and that you have not shared and will not share such Confidential Information with any third party.

Once you make a Report, Shipt may require that you securely and irreversibly delete all data, messages, postings, or other content directly or indirectly related to such Report, including, for example, all data about Shipt, our services, our affiliates or any of our members, employees or agents. If requested, you agree to securely and irreversibly delete any data related to the Report immediately upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported issue, after verifying with Shipt that it is no longer necessary, and/or if the Report is closed, regardless of outcome.

Any unauthorized public disclosure will result in a program ban and possible legal action. Please review HackerOne's disclosure guidelines.

Legal

====

Your participation in the Program constitutes acceptance of the Bug Bounty Program Terms and Conditions. Shipt reserves the right to modify the terms and conditions of the Bug Bounty Program without notice at its sole discretion.

By making a Report, you represent and warrant that the Report is original to you and you have the right to submit the Report.

By making a Report, you give us the right to use your Report for any purpose.

You are responsible for complying with applicable laws in connection with your participation in this program and for any applicable taxes associated with any reward you receive.

Bounty rewards are granted solely at the exclusive discretion of Shipt.

Testing Conditions

==============

If you are eligible to participate in this Bug Bounty Program, you will need to connect to a VPN node within the United States in order to fully test our application(s). However, unrestricted and/or unmetered connections to Shipt resources from outside of the United States or from a VPN are not guaranteed.

When testing against Shipt’s environments please do the following:

  • Append the watermark HackerOne to the end of your User-Agent request header. Example: `User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)HackerOne`

  • When registering an account in our production mobile and web applications, please use your @wearehackerone username.

Failure to comply with the testing conditions could result in any Report being out of scope and/or your traffic being blocked.

We provide an in-scope staging environment: staging-*.shipt.com. Because this is a development/staging environment, stack traces and/or detailed error messages may be enabled by design, and we are aware of this. Any reports regarding these error messages that do not provide a proof of concept of exploitation, or that only offer 'theoretical' vulnerabilities, will be closed as N/A.
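The two testing conditions above (watermarked User-Agent, test traffic confined to the published scope) are easy to get wrong by hand, and the Reporting section below asks you to confirm scope before writing up. The following is an added example, not Shipt's or HackerOne's code: it builds a watermarked request and refuses to target any host that does not match the program's In Scope table. The base User-Agent string and the `*.shipt.com` interpretation (one DNS label, apex excluded) are this example's own assumptions; the scope entries are copied from the table at the end of this page.

```python
"""Watermark test requests and gate them on the published scope.

Added example, not Shipt's code. Uses only the standard library and sends
nothing over the network; build_request() returns a prepared urllib Request.
"""
import fnmatch
import urllib.request
from urllib.parse import urlsplit

WATERMARK = "HackerOne"  # the program asks for this appended with no separator

# web_application scope entries copied from the program's In Scope table
IN_SCOPE_HOSTS = [
    "staging-api.shipt.com", "admin.shipt.com", "staging-shoppingcart.shipt.com",
    "staging-admin.shipt.com", "staging-app.shipt.com", "www.shipt.com",
    "shop.shipt.com", "staging-shop.shipt.com", "api.shipt.com", "app.shipt.com",
    "shoppingcart.shipt.com", "*.shipt.com",
]


def watermark_user_agent(user_agent: str) -> str:
    """Append the watermark once; re-running on an already-tagged UA is a no-op."""
    if user_agent.endswith(WATERMARK):
        return user_agent
    return user_agent + WATERMARK


def host_in_scope(host: str, patterns=IN_SCOPE_HOSTS) -> bool:
    """True if host equals a scope entry or matches a wildcard entry.

    fnmatch's '*' also matches dots, so '*.shipt.com' alone would accept
    'a.b.shipt.com'. We assume a wildcard covers exactly one label and require
    the same number of dots; the apex 'shipt.com' is deliberately not matched.
    """
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if "*" not in pat:
            if host == pat:
                return True
        elif fnmatch.fnmatchcase(host, pat) and host.count(".") == pat.count("."):
            return True
    return False


def build_request(url: str, method: str = "GET",
                  base_user_agent: str = "Mozilla/5.0 (X11; Linux x86_64)"):
    """Return a urllib Request for an in-scope URL with the watermark applied.

    Raises ValueError for anything outside the scope list, so a typo or a
    redirect to a third-party host cannot silently become out-of-scope testing.
    """
    host = urlsplit(url).hostname or ""
    if not host_in_scope(host):
        raise ValueError(f"{host!r} is not in the published scope; do not test it")
    req = urllib.request.Request(url, method=method)
    req.add_header("User-Agent", watermark_user_agent(base_user_agent))
    return req


if __name__ == "__main__":
    r = build_request("https://staging-api.shipt.com/v1/health")
    print(r.full_url, r.get_header("User-agent"))
```

To actually send `r`, pass it to `urllib.request.urlopen` from a US VPN exit, as the testing conditions require; if you proxy through Burp or mitmproxy instead, the same append-only rule applies to every request, not just the first.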

Reporting

========

Report Quality


The quality of report writing in a Report enables our team to work efficiently to understand the issue better and engage with the appropriate teams to resolve. Please provide sufficient reports to allow us to validate and verify issues.

A high quality report shall include:

  • A detailed summary of the vulnerability and exploits

  • Reproducible proof-of-concept (POC) steps for our team to replicate the vulnerability

  • The determined impact it could have on the organization

  • Additional details such as test accounts used, screenshots attached to steps, screen capture videos of concepts/steps taken to get to a specific end state.

Please Note:

  • Check the scope section and program rules before you begin writing your report to ensure the issue you are reporting is in scope for the program.

  • If links to endpoints are provided in a report, please explain why navigation to that link is required for reproduction.

  • Provide screenshots and details to ensure reproducible concepts.

  • Shipt will not consider external unverifiable links

  • Shipt will not create 3rd party accounts or disclose PII to reproduce vulnerabilities

  • A vulnerability must be verifiable and reproducible for it to be considered in-scope.

  • All reports must demonstrate security impact to be considered for bounty reward.

In Scope


While we expect to expand our scope in the future, we are currently focused on our primary and critical public facing sites and applications. However, if you enumerate other Shipt assets and identify vulnerabilities against those, your reports may still be eligible for a bounty, so please responsibly disclose those to us as well.

If you identify a vulnerability within a third party that Shipt uses and it is not explicitly in scope, please report it to the third party’s responsible disclosure program, bug bounty program, or security team. If you report it to us, we will be happy to assist you in reporting it to the third party, however, these reports usually will not be eligible for bounty from Shipt (unless special conditions are met such as the root cause being a misconfiguration by Shipt and not under the control of the 3rd party).

Out of Scope


In addition to our “Do Not” rules section, items below are out of scope.

  • API key disclosure or leak without POC of exploitability.

  • Internal IP Address disclosures without any proof of exploitation.

  • Stack traces or error messages in staging environments without proof of exploitation.

  • Any activity that could lead to the denial of service (DoS).

  • Clickjacking on pages with no sensitive actions.

  • Content spoofing and text injection issues without showing an attack vector (DO NOT actively engage in social engineering or phishing attempts against our employees or support staff via chat, email, or phone for POCs).

  • Invalid or missing SPF (Sender Policy Framework), DMARC, or DKIM records/configurations.

  • Attacks requiring MiTM or physical access to a user's device.

  • Missing best practices in SSL/TLS configuration.

  • Password and account recovery policies, such as reset link expiration or password complexity.

  • Rate limit attacks or spamming.

  • Unauthenticated or logout CSRF.

  • User enumeration.

  • "Information Disclosure" involving a userID or email address in a query parameter on a POST request

  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.

  • Previously known vulnerable libraries or software versions without a working Proof of Concept.

  • Any CORS-related vulnerabilities without working POC showing sensitive actions or data being affected.

  • Self XSS, or XSS that affects only out-of-date browsers or devices that require the user to configure them in an insecure state (e.g. allowing installation of applications from untrusted sources).

  • Attacks predicated on a user's non-Shipt account being compromised (e.g. attackers must compromise the user's Google/Gmail account before the vulnerability can be exploited).

Bounty Rewards

============

The bounty table in this Bounty Rewards section is relative to the in-scope asset and risk level. While we do leverage the HackerOne triage team to assess reports, all Reports are individually evaluated and risk-rated by the Shipt Security Team. Bounties/awards will be paid depending on the final risk rating by the internal Shipt Security Team, not the initial risk rating at triage.

The Shipt Security Team will rate the vulnerability using a risk-based method based on the affected asset and exposure (ex. all 'information leaks' are not equal in severity). Reward examples are only examples, and reward(s) could increase or decrease depending on severity.

Additional Information

=================

Response Targets


| Type of Response | Estimated Response Time in Business Days |
| ----------- | ----------- |
| First Response | 2 Days |
| Time to Triage | 4 Days |
| Time to Resolution | Timeline depends on severity of vulnerability |

Shipt is using HackerOne Triage for this Bug Bounty Program. Our internal Security Team will also actively review Reports. If you submit a report, the Shipt security team and associated development organizations will use reasonable efforts to respond in a timely manner.

In Scope

| Scope Type | Scope Name |
| ----------- | ----------- |
| android_application | com.shipt.shopper |
| android_application | com.shipt.groceries |
| ios_application | 971888874 |
| ios_application | 976353472 |
| web_application | staging-api.shipt.com |
| web_application | admin.shipt.com |
| web_application | staging-shoppingcart.shipt.com |
| web_application | staging-admin.shipt.com |
| web_application | staging-app.shipt.com |
| web_application | www.shipt.com |
| web_application | shop.shipt.com |
| web_application | staging-shop.shipt.com |
| web_application | api.shipt.com |
| web_application | app.shipt.com |
| web_application | shoppingcart.shipt.com |
| web_application | *.shipt.com |

This program lists 16 scopes in 3 scope categories.

FireBounty © 2015-2024