favordelivery.com
External Program
Submit bugs directly to this organization
Responsible Disclosure Policy
Effective January 2018
Favor takes protection of our users’ data seriously – for details please see our [Privacy Policy](https://favordelivery.com/privacy) and [Terms of Service](https://favordelivery.com/tos).
To that end, Favor welcomes responsible disclosure of vulnerabilities by researchers. We do NOT have a bug bounty program, and do NOT pay for vulnerability information. To contact Favor, please reach out to us at mailto:[email protected]. Our PGP key can be found at https://favordelivery.com/pgp-key.txt
Favor will not take legal action against individuals who report vulnerabilities in accordance with the policy as outlined below.
Out-of-scope areas:
3rd party applications and services in use by Favor
Favor’s corporate networks
Out of scope vulnerabilities and reports include:
Social engineering
Denial of service
Brute forcing
Weak passwords
Lack of headers
SSL vulnerabilities
Reports from automated scanning tools
Destruction of data
Changing passwords and account information for accounts that do not belong to you
Abusing vulnerabilities to steal from Favor by receiving unearned Runner payment or free/discounted deliveries
Theft of data
Publishing of private or company information
In order to ensure compliance with this policy, individuals should stop testing after discovering a vulnerability and not attempt to escalate. Feel free to include suspected lateral or escalation paths in your report. Additionally, in order to avoid stealing or damaging others’ data, researchers should focus testing on accounts and information that they have created and control.
Researchers are welcome to publicly disclose their findings 30 days after Favor informs the researcher that the vulnerability has been closed. Please contact the Favor security team at mailto:[email protected] with any questions.
Favor reserves the right to modify, suspend, or remove this policy at any time without notice. Favor will have no liability with regard to the actions of any researcher. Researchers are responsible for following all applicable laws.