

$50



At Postmates, the security of user information is a top priority. We welcome contributions from external security researchers across the globe to help identify weaknesses in our technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners is explicitly out of scope and will not result in any bounty or award. Do not disrupt the operations of the platform by requesting deliveries that you do not intend to have completed.

Response Targets

Postmates will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 10 business days
  • Time to bounty (from triage) - 10 business days


While researching, we'd like to ask you to refrain from reporting tickets about:

  • Forms missing CSRF tokens that do not affect the security of the application
  • Missing security headers that do not lead directly to a vulnerability
  • Content spoofing which does not have a clear impact
  • Login / logout CSRF
  • Rate limiting or throttling endpoints where the impact cannot be quantified
  • Attacks that only work against yourself (e.g. host header injection)
  • Issues related to software or protocols not under Postmates control
  • Exposure of a login panel or service without any demonstrable attack scenario or exploitable vulnerability
  • Denial of service
  • Missing best practices unless real-world impact is adequately demonstrated
  • Issues identified by automated tools or scans
  • Social engineering (including phishing) of Postmates staff or contractors
  • Physical attacks against Postmates property, data centers or our users (including attacks that require physical access to a user's device)
  • We do not currently strictly enforce SMS-based phone number verification, so please do not report the ability to bypass phone number verification; such reports will be closed. However, we are interested in any attack that leverages the lack of strict phone number verification to defraud customers, merchants, or couriers.
  • API key / secret disclosure that is intentional / by design, and does not enable a vulnerability.
  • Static resources / public information "exposed" in storage buckets.
  • Reporting issues on behalf of Bug Bounty King ( __)

Eligibility and Responsible Disclosure

Your testing must not violate laws in the United States or within the jurisdiction from which your testing is being performed. You are responsible for complying with any applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities.

We will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Postmates to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail
  • Give us a reasonable amount of time to respond to the issue prior to public disclosure
  • Do not access or modify courier, merchant, or end-user data for accounts that do not belong to you
  • Do not create fake deliveries or cancel created deliveries
  • Do not spam our API Partner registration form
  • Act in good faith not to degrade the performance of our services or otherwise impede service operations

The Fine Print

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. Whether to reward the disclosure of a vulnerability and the amount of the reward is entirely at the discretion of Postmates. Rewards cannot be provided for residents of countries under current U.S. sanctions (e.g. North Korea, Libya, Cuba, etc.)

Thank you for helping keep Postmates and our users safe!

In Scope

Scope Type       Scope Name
web_application  __

Out of Scope

Scope Type       Scope Name

FireBounty crawled the Postmates program on the HackerOne platform on 2019-02-07.

FireBounty © 2015-2019