07/02/2019
Reward: $50

In Scope

Scope Type Scope Name
android_application com.postmates.android
ios_application This is the primary iOS app for our customers/buyers to purchase goods, view their account information, add/edit card details, etc.
other https://fleet.postmates.com/app
web_application postmates.com
web_application buyer-prod.postmates.com
web_application fleet.postmates.com
web_application partner.postmates.com
web_application raster-static.postmates.com
web_application about.postmates.com
web_application support.postmates.com

Out of Scope

Scope Type Scope Name
web_application postmates.com/partner
web_application brand.postmates.com
web_application blog.postmates.com
web_application postmates.com/developer

Postmates

Introduction

At Postmates, the security of user information is a top priority. We welcome contributions from external security researchers across the globe to help identify weaknesses in our technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Please be respectful of our existing applications. Spamming forms through automated vulnerability scanners is explicitly out of scope and will not result in any bounty or award. Do not disrupt the operations of the platform by requesting deliveries that you do not intend to have completed.

Response Targets

Postmates will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 10 business days
  • Time to bounty (from triage) - 10 business days

Exclusions

While researching, we'd like to ask you to refrain from reporting tickets about:

  • Forms missing CSRF tokens which don’t affect the security of the application
  • Missing security headers which do not lead directly to a vulnerability
  • Content spoofing which does not have a clear impact
  • Login / logout CSRF
  • Rate limiting or throttling endpoints where the impact cannot be quantified
  • Attacks that only work against yourself (e.g. host header injection)
  • Issues related to software or protocols not under Postmates control
  • Exposure of a login panel or service without any demonstrable attack scenario or exploitable vulnerability
  • Denial of service
  • Missing best practices unless real-world impact is adequately demonstrated
  • Issues identified by automated tools or scans
  • Social engineering (including phishing) of Postmates staff or contractors
  • Physical attacks against Postmates property, data centers or our users (including attacks that require physical access to a user's device)
  • We do not strictly enforce SMS-based phone number verification currently, so please do not report the potential to bypass phone number verification, as the report will be closed. However, we are interested in any attack that would leverage the lack of strict phone number verification in order to defraud customers, merchants, or couriers.
  • API key / secret disclosure that is intentional / by design, and does not enable a vulnerability.
  • Static resources / public information "exposed" in storage buckets.
  • Reporting issues on behalf of Bug Bounty King (https://twitter.com/CluelessSec)

Eligibility and Responsible Disclosure

Your testing must not violate laws in the United States or within the jurisdiction from which your testing is being performed. You are responsible for complying with any applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities.

We will only reward the first person to responsibly report a vulnerability to us. Any vulnerabilities that are publicly disclosed without providing a reasonable amount of time for Postmates to respond will not be rewarded. You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a reward.

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail
  • Give us a reasonable amount of time to respond to the issue prior to public disclosure
  • Do not access or modify courier, merchant, or end-user data for accounts that do not belong to you
  • Do not create fake deliveries or cancel created deliveries
  • Do not spam our API Partner registration form
  • Act in good faith not to degrade the performance of our services or otherwise impede service operations

The Fine Print

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. Whether to reward the disclosure of a vulnerability, and the amount of the reward, is entirely at the discretion of Postmates. Rewards cannot be provided for residents of countries under current U.S. sanctions (e.g. North Korea, Libya, Cuba, etc.).

Thank you for helping keep Postmates and our users safe!
