At Postmates, the security of user information is a top priority. We welcome the contributions from external security researchers from across the globe to help identify weaknesses in our technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners are explicitly out of scope and will not result in any bounty or award. Do not disrupt the operations of the platform by requesting deliveries that you do not intend to have completed.
Postmates will make a best effort to meet the following SLAs for hackers participating in our program:
While researching, we'd like to ask you to refrain from reporting tickets about:
Your testing must not violate laws in the United States or within the jurisdiction from which your testing is being performed. You are responsible for complying with any applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities.
We will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Postmates to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. Whether to reward the disclosure of a vulnerability and the amount of the reward is entirely at the discretion of Postmates. Rewards cannot be provided for residents of countries under current U.S. sanctions (e.g. North Korea, Libya, Cuba, etc.)
Thank you for helping keep Postmates and our users safe!
Contact us if you want more information.