Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities. We ask that you carefully review this policy and scope to ensure the best experience for all involved.
See the testing instructions below for details on the test site URLs set up specifically for security research.
Upserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.
Our rewards are based on the demonstrable impact of a vulnerability. We use CVSS v3 to guide our decisions on vulnerability impact. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors. All valid reports are eligible to receive a HackerOne reputation reward. For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve.
Critical vulnerabilities have a CVSS v3.0 score of 9.0 or higher and can be readily exploited with publicly available malware, exploits, or techniques.
Examples of issues that Upserve might consider of critical impact include:
High severity vulnerabilities have a CVSS v3.0 score of 7.0 to 8.9.
Examples of issues that Upserve might consider high impact include:
Medium severity vulnerabilities have a CVSS v3.0 score of 4.0 to 6.9.
Examples of issues that Upserve might consider medium impact include:
Low severity vulnerabilities have a CVSS v3.0 score of 0.1 to 3.9.
Examples of issues that Upserve might consider low impact include:
Read carefully for instructions and tips on testing:
Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program, and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. Testing on any other restaurant is prohibited without approval from Upserve.
Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. Testing on any other restaurant is prohibited without approval from Upserve.
You may create an account, or you can place orders without one.
teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here is access to non-public information or defacement. Reward amounts for this property will typically be lower than for our customer-facing applications.
Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information.
Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports.
Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).
Upserve Live Mobile App - This app is for restaurants to view operational and sales information.
Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).
Upserve POS iPad App - This app is our point of sale app for restaurants.
Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).
The following issues are considered out of scope:
The following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms & Conditions, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.
We will not share your report with a third party without your permission, or without first obtaining that party's commitment that they will not pursue legal action against you. Please note again that we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of the program.
Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
Thank you for helping keep Upserve and our users safe! If you have a question that is not answered on this page, please contact bugbounty@upserve.com.
In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.
In scope:

Scope Type | Scope Name |
---|---|
ios_application | com.breadcrumb.live |
ios_application | com.groupon.breadcrumbpro.production |
web_application | hq.breadcrumb.com |
web_application | mossy.breadcrumb.com |
web_application | ecs-lb.breadcrumb.com |
web_application | api.breadcrumb.com |
web_application | swipely-merchant-assets.s3.amazonaws.com |
web_application | d2evh2mef3r450.cloudfront.net |
web_application | payments.upserve.com |
web_application | cards.swipely.com |
web_application | inventory.upserve.com |
web_application | app.upserve.com |
web_application | orders.upserve.com |
web_application | pos.swipely.com |
web_application | reports.breadcrumb.com |
web_application | payments.breadcrumb.com |
web_application | teamhelp.upserve.com |
web_application | com.upserve.live |
web_application | *.upserve.com |
web_application | hq-api.upserve.com |
web_application | https://645892349820.vulnerbug.com |
Out of scope:

Scope Type | Scope Name |
---|---|
hardware | Any Upserve hardware |
other | Any 3rd party services linked to or used by Upserve |
web_application | ecslb.upserve.com |
web_application | engagement.swipely.com |
web_application | www.upserve.com |
web_application | resources.swipely.com |
web_application | go.swipely.com |
web_application | myaccount.upserve.com |
web_application | auditmyprocessor.com |
web_application | upserve.auth0.com |
web_application | go.breadcrumb.com |
web_application | store.upserve.com |
web_application | join.upserve.com |
web_application | status.breadcrumb.com |
web_application | help.upserve.com |
web_application | swipelycommunity.force.com |
web_application | careers.upserve.com |
web_application | feeds.upserve.com |
web_application | go.upserve.com |
web_application | support.upserve.com |
web_application | resources.upserve.com |
web_application | get.upserve.com |
web_application | click.upserve.com |
This program lists 73 scopes in 2 scope categories.
FireBounty © 2015-2019