Instacart looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Instacart will make a best effort to meet the following response targets for hackers participating in our program:

• Time to first response (from report submit) - 1 business days
• Time to triage (from report submit) - 2 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines __.

Program Rules

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service and only interact with accounts you own or with the explicit permission of the account holder.

Please refrain from the following:

• trying DOS attacks
• automated scanning
• using vulnerability testing tools that automatically generate significant traffic
• accessing private information (so use test accounts)
• performing actions that may negatively affect Instacart users (social engineering, phishing, spam, denial of service)
• submitting reports from automated tools without verifying them
• performing brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality

Out of Scope Vulnerabilities

• Attacks requiring physical access to a user's device
• Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
• Login/logout CSRF
• Password and account recovery policies, such as reset link expiration or password complexity
• Missing security headers which do not lead directly to a vulnerability
• Clickjacking without an impact
• Content spoofing / reflection/ injection (on 404 page, search result page etc) unless executes code
• Known-vulnerable library (without evidence of exploitability)
• Certain reports of spam
• Certain SPF and DKIM issues
• Low impact host header issues
• Hard to exploit SSL/TLS protocol vulnerabilities
• Best practice concerns will be reviewed, but in general we require evidence of a vulnerability
• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
• Brute force of promo code
• Reflected file download
• Social engineering Instacart employees or contractors
• CSV formula injection
• Email enumeration
• Cookie and logout policies
• Any activity that could lead to the disruption of our service (DoS)

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Instacart and our users safe!