Deliveroo

Minimum reward: 150 $

Goals

Hi! If you’re here then you already know that security is a critical quality for a company to imbue into all of its products, and we expect that you’re an experienced bug-hunter who’s found something interesting, so let’s skip the earnest security-marketing spiel and get to the nitty-gritty details:

* Deliveroo offer a bounty for reporting certain qualifying security vulnerabilities.
* Please review the following rules before you report a vulnerability.
* By participating in this program, you agree to be bound by these rules.

Eligibility & Disclosure Policy

Before Deliveroo will consider making a bounty payment to a reporter, the Rules must have been followed, and the following criteria must be met; you will:

* Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
* Follow HackerOne's disclosure guidelines.
* Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Also:

* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
* The reporter must be the first person to report the bug.
* The reported bug must lie within the “bug bounty scope”, defined below.
* The reported bug must be a “qualifying vulnerability” that is not otherwise excluded via the list of “non-qualifying vulnerabilities”, both defined below.
* The reporter must not be an employee of Deliveroo.

Rules

If you comply with the following rules, we will not initiate any legal action against you in response to your report (or action that you have taken in connection with your report):

* Social engineering (e.g. phishing, vishing, smishing) is prohibited.
* The reporter must not impact any third-party customer accounts, instead using (for instance, but not limited to) “test accounts” created specifically for the purpose of research.
* The reporter must not have materially impacted Deliveroo operations or in any way made use of any issues discovered for any reason beyond the identification of those issues.
* The reporter must not publicly disclose the vulnerability prior to our resolution.
* The reporter must not reside in a country where Deliveroo or HackerOne are legally prohibited from rewarding them.
* The reporter must not breach applicable laws in their country and/or in the United Kingdom, and is liable for payment of applicable taxes, etc., on any bounty we pay.
* The reporter must not attempt to view, modify, damage or interact in any way with any information belonging to others, and, to the extent that reporter does this inadvertently, the reporter must disclose this to Deliveroo in their report. In particular, the reporter must make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service. If the reporter encounters personal data or PII they must contact us immediately, not proceed with access, and immediately purge any local information.

Scope Restrictions

Please check the "scope" table carefully, paying special attention to the wildcarded exclusions.

Qualifying Vulnerabilities

A qualifying vulnerability is one that is reproducible and substantially impacts the security of Deliveroo customers and/or Deliveroo business operations. Common vulnerability categories that might meet this bar include RCE, SQLi, XSS, authentication bypass and CSRF.

All vulnerability reports will be reviewed on a case-by-case basis and assessed by Deliveroo for whether they are “qualifying vulnerabilities”.

Non-Qualifying Vulnerabilities

Certain vulnerabilities are categorised as “non-qualifying”; these include:

* Physical attacks upon Deliveroo properties or data centres
* Spam, Phishing, Social Engineering, or any forms of Denial of Service Attack
* Rate limiting issues that do not have a demonstrable impact
* Missing best practices in SSL/TLS configuration
* Missing best practices in DNS records such as SPF/DKIM
* Clickjacking on pages with no sensitive actions
* Issues without clear security impact (e.g.: Logged-Out CSRF)
* Issues that depend on a compromised or outdated client platform
* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
* Access to information which is intentionally “public”
* Access to content via CDNs (content delivery networks) or network caches
* Security issues in third-party applications which are not managed by Deliveroo, even if they integrate with or are used by in-scope Deliveroo apps, pages or resources (e.g.: vulnerabilities in GitHub)
* Password reset tokens being included in referer headers (we believe this is not exploitable without control of some third party sites)

Bounty Payments

* Deliveroo will determine at its discretion whether a reward should be paid.
* Reward values are at the discretion of Deliveroo based on the severity, impact and quality of the report and may change from time to time or on a case-by-case basis.

Rewards

Our rewards are based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Deliveroo. For example, reflected XSS that has minimal impact (only works in some browsers, can’t be used to steal session information) may be considered “Low” instead of “Medium” severity.

Critical severity bugs - minimum $2500:

Examples of issues that Deliveroo would consider critical impact include:

* Arbitrary access to any user’s sensitive data/functionality, e.g.
  * Full account takeover of any user
  * Ability to access all data from any user (e.g. name, address, phone number, billing information, etc.)
* Full read or write access to the primary database of our app
* Access to read or modify environment variables in production

Types of vulnerabilities that may result in these impacts include:

* Remote Code Execution
* Vertical authentication bypass
* SQL Injection
* IDOR

High severity bugs - minimum $1000:

Examples of issues that Deliveroo would consider high impact include:

* Arbitrary access to a single user’s sensitive data/functionality, e.g.
  * Full account takeover of a single user
  * Ability to access all data from a single user (e.g. name, address, phone number, billing information, etc.)

Types of vulnerabilities that may result in these impacts include:

* Lateral authentication bypass
* Reflected XSS resulting in session hijacking
* Local file inclusion

Medium severity bugs - minimum $500:

Examples of issues that Deliveroo would consider medium impact include:

* Ability to modify another user’s settings without their permission
  * E.g. being able to change someone’s delivery address to steal their food
* Being able to purchase food at a lower price than intended
* Being able to underflow the minimum order value

Types of vulnerabilities that may result in these impacts include:

* Insecure Direct Object References

Low severity bugs - minimum $150:

Examples of issues that Deliveroo would consider low impact include:

* Leaks of less sensitive information that has a demonstrable impact
* Anything which exposes sensitive information about internal infrastructure and has a demonstrable impact (a server version banner alone does not count)

Types of vulnerabilities that may result in these impacts include:

* Information leaks
* Directory listings

Thank you for helping keep Deliveroo and our users safe!

FireBounty (c) 2016