At Postmates, the security of user information is a top priority. We welcome
contributions from external security researchers across the globe to help
identify weaknesses in our technology. If you believe you've found a security
issue in our product or service, we encourage you to notify us. We welcome
working with you to resolve the issue promptly.
Please be respectful of our existing applications. Spamming forms through
automated vulnerability scanners is explicitly out of scope and will not
result in any bounty or award. Do not disrupt the operations of the platform
by requesting deliveries that you do not intend to have completed.
Postmates will make a best effort to meet the following SLAs for hackers
participating in our program:
- Time to first response (from report submit) - 2 business days
- Time to triage (from report submit) - 10 business days
- Time to bounty (from triage) - 10 business days
While researching, we'd like to ask you to refrain from reporting tickets for the following:
- Forms missing CSRF tokens which don’t affect the security of the application
- Missing security headers which do not lead directly to a vulnerability
- Content spoofing which does not have a clear impact
- Login / logout CSRF
- Rate limiting or throttling endpoints where the impact cannot be quantified
- Attacks that only work against yourself (e.g. host header injection)
- Issues related to software or protocols not under Postmates control
- Exposure of a login panel or service without any demonstrable attack scenario or exploitable vulnerability
- Denial of service
- Missing best practices unless real-world impact is adequately demonstrated
- Issues identified by automated tools or scans
- Social engineering (including phishing) of Postmates staff or contractors
- Physical attacks against Postmates property, data centers or our users (including attacks that require physical access to a user's device)
- We do not strictly enforce SMS-based phone number verification currently, so please do not report the potential to bypass phone number verification as the report will be closed. However we are interested in any attack that would leverage the lack of strict phone number verification in order to defraud customers, merchants, or couriers.
- API key / secret disclosure that is intentional / by design, and does not enable a vulnerability.
- Reporting issues on behalf of Bug Bounty King (https://twitter.com/CluelessSec)
Eligibility and Responsible Disclosure
Your testing must not violate laws in the United States or within the
jurisdiction from which your testing is being performed. You are responsible
for complying with any applicable laws, and you should only use your own
accounts or test accounts for reporting vulnerabilities.
We will only reward the first person to responsibly report a vulnerability to
us. Any vulnerabilities that are publicly disclosed without providing a
reasonable amount of time for Postmates to respond will not be rewarded. You
must report a qualifying vulnerability through the HackerOne reporting tool to
be eligible for a reward.
To promote the discovery and reporting of vulnerabilities and increase user
safety, we ask that you:
- Share the security issue with us in detail
- Give us a reasonable amount of time to respond to the issue prior to public disclosure
- Do not access or modify courier, merchant, or end-user data for accounts that do not belong to you
- Do not create fake deliveries or cancel created deliveries
- Do not spam our API Partner registration form
- Act in good faith not to degrade the performance of our services or otherwise impede service operations
The Fine Print
You are responsible for paying any taxes associated with rewards. We may
modify the terms of this program or terminate this program at any time.
Whether to reward the disclosure of a vulnerability, and the amount of the
reward, is entirely at the discretion of Postmates. Rewards cannot be provided
to residents of countries under current U.S. sanctions (e.g. North Korea,
Libya, Cuba, etc.).
Thank you for helping keep Postmates and our users safe!
Hall of Fame