07/02/2019
Postmates

Reward: 50 $

Introduction

At Postmates, the security of user information is a top priority. We welcome contributions from external security researchers from across the globe to help identify weaknesses in our technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners is explicitly out of scope and will not result in any bounty or award. Do not disrupt the operations of the platform by requesting deliveries that you do not intend to have completed.

Response Targets

Postmates will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 10 business days
  • Time to bounty (from triage) - 10 business days

Exclusions

While researching, we'd like to ask you to refrain from reporting tickets about:

  • Forms missing CSRF tokens which don’t affect the security of the application
  • Missing security headers which do not lead directly to a vulnerability
  • Content spoofing which does not have a clear impact
  • Login / logout CSRF
  • Rate limiting or throttling endpoints where the impact cannot be quantified
  • Attacks that only work against yourself (e.g. host header injection)
  • Issues related to software or protocols not under Postmates control
  • Exposure of a login panel or service without any demonstrable attack scenario or exploitable vulnerability
  • Denial of service
  • Missing best practices unless real-world impact is adequately demonstrated
  • Issues identified by automated tools or scans
  • Social engineering (including phishing) of Postmates staff or contractors
  • Physical attacks against Postmates property, data centers or our users (including attacks that require physical access to a user's device)
  • Reporting issues on behalf of Bug Bounty King (https://twitter.com/CluelessSec)

Eligibility and Responsible Disclosure

Your testing must not violate laws in the United States or within the jurisdiction from which your testing is being performed. You are responsible for complying with any applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities.

We will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Postmates to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail
  • Give us a reasonable amount of time to respond to the issue prior to public disclosure
  • Do not access or modify courier, merchant, or end-user data for accounts that do not belong to you
  • Do not create fake deliveries or cancel created deliveries
  • Do not spam our API Partner registration form
  • Act in good faith not to degrade the performance of our services or otherwise impede service operations

The Fine Print

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. Whether to reward the disclosure of a vulnerability, and the amount of the reward, is entirely at the discretion of Postmates. Rewards cannot be provided to residents of countries under current U.S. sanctions (e.g. North Korea, Libya, Cuba, etc.).

Thank you for helping keep Postmates and our users safe!

FireBounty (c) 2015-2019