Details

Please Note: Submissions involving orders to Wonder Spot locations will no longer be accepted as of 10/28/2024.

Disclosure Policy

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

#Exclusions
The following issues are considered out of scope:

Leaked customer credential harvesting. While we will offer bounties for leaked employee or internal user credentials, we will not typically offer bounties for leaked customer credential harvesting.
Any physical attempts against Blue Apron property or data centers.
Clickjacking on pages with no sensitive actions.
Password, email and account policies, such as email id verification, reset link expiration, password complexity.
Social engineering (including phishing) of WonderGroup employees, contractors or customers.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
Attacks requiring MITM or physical access to a user's device.
Missing best practices in SSL/TLS configuration, Content Security Policy, SPF/DKIM/DMARC .
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

Thank you for helping keep WonderGroup and our users safe!

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

#Exclusions
The following issues are considered out of scope:

Leaked customer credential harvesting. While we will offer bounties for leaked employee or internal user credentials, we will not typically offer bounties for leaked customer credential harvesting.

Any physical attempts against Blue Apron property or data centers.

Clickjacking on pages with no sensitive actions.

Password, email and account policies, such as email id verification, reset link expiration, password complexity.

Social engineering (including phishing) of WonderGroup employees, contractors or customers.

Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.

Attacks requiring MITM or physical access to a user's device.

Missing best practices in SSL/TLS configuration, Content Security Policy, SPF/DKIM/DMARC .

Any activity that could lead to the disruption of our service (DoS).

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

Thank you for helping keep WonderGroup and our users safe!

Blue Apron (Wonder Group) VDP

Blue Apron (Wonder Group) VDP

Details

Please Note: Submissions involving orders to Wonder Spot locations will no longer be accepted as of 10/28/2024.

Disclosure Policy

Program Rules

Please Note: Submissions involving orders to Wonder Spot locations will no longer be accepted as of 10/28/2024.

Disclosure Policy

Program Rules