
Instacart
In order to be considered for a reward, the following rules of engagement must be adhered to during testing. However, the golden rule you must follow is that you must not disrupt, compromise, destroy data, or interrupt or degrade our services. You must only interact with accounts you own or those for which you have the explicit permission of the account holder.
Additionally, while hunting for bugs, please refrain from the following activities:
If you have found an issue that could be escalated, do not attempt to pivot or escalate access. Instacart will perform its own analysis to determine the maximum possible impact of a submission; you do not need to do this for us.
If you have found an issue that requires interacting with customer representatives to demonstrate impact, please refrain from doing so. Submit the issue to us and we will determine the impact of the vulnerability.
Failure to adhere to these rules may result in your report being closed as N/A and a temporary or permanent ban from Instacart's bug bounty program.
Out-of-Scope
Generally, a submission is eligible for a reward, regardless of vulnerability type, if it has clear security or privacy impact.
However, the following types are typically not eligible for a reward and we therefore recommend not hunting for:
Additionally, the following vulnerabilities won’t be eligible without further proof of security impact:
Known Issues
Going forward, this section will be used to list any long-standing issues that we’re already aware of.
Any system or service listed under *.instacart.com or *.instacart.tools is within scope for the program, except where noted.
For recent acquisitions that joined Instacart in the last two years, only critical vulnerabilities as defined below are in scope and eligible for reward. In addition, the maximum payout for reports regarding recent acquisitions is 50% of our regular payout structure. For Foodstorm, only template.uat.foodstorm.com is included in the scope, and our regular payout will be applied for template.uat.foodstorm.com findings.
Some examples of critical vulnerabilities include:
Instacart reserves the right to determine the severity of a vulnerability and whether the report qualifies for a reward.
If you believe you have found an issue which affects Instacart but is not listed within scope, we ask that you still report it to us for consideration, but we do not recommend you look for these issues as they are likely to be ineligible.
Additionally, given that DNS records change frequently, and EC2 IP addresses may be recycled, you should attempt to verify that the service is still maintained by Instacart.
Core Assets
The following assets are considered “core assets” within the program:
Unfortunately, we will not be able to provide test credentials or provision any test accounts for researchers at the moment.
Out-of-Scope
Systems or services which are not owned or maintained by Instacart, such as third-party blogs or micro-sites, are not eligible, and we cannot give you permission to test against them. These include (but are not limited to):
However, if you stumble upon a critical or high impact vulnerability on these services, feel free to send it over and we will coordinate to get it fixed.
We appreciate and thank everyone who submits valid reports that help us improve the security of Instacart!
However, only those that meet the following eligibility requirements may receive a monetary reward:
Instacart reserves the right to decide the bounty amount and whether the vulnerability was previously reported. Instacart also reserves the right to change or discontinue its bug bounty program at any time without notice in its sole discretion.
The following table lists the typical maximum reward depending on submission severity:
| Severity | Maximum Bounty | Example Issues |
|---|---|---|
| Critical | $15,000 | Remote Code Execution |
| High | $5,000 | Significant Auth Bypass, Significant Information Disclosure, Privilege Escalation to an Admin user, SSRF etc. |
| Medium | $1,500 | Reflected XSS, CSRF, Access Control issues etc. |
| Low | $250 | Open Redirection, Information leakage etc. |
The final decision rests on Instacart's sole analysis of the impact posed by the submission.
When determining the reward amount, the following are example factors that are taken into consideration, and can either raise or lower the amount:
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program.
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria (https://www.google.com/about/appsecurity/play-rewards/#rewards).
We want to get your submissions resolved and rewarded as soon as possible, but in order to achieve this goal, we need a few things from you first.
You should aim to include all of the relevant information that we need to a) reproduce the issue, and b) understand the impact, in your submission. This can include:
We understand that English may not be the first language of many researchers, so including screenshots or a short video demonstrating the issue can help expedite the triage process.
In order to demonstrate impact for various types of bugs, you can use one of the following techniques, which will avoid you causing a privacy violation by accessing sensitive data/services:
- `select version()` or `current_user`, and include the output. Do not attempt to load data from other rows or tables.
- `touch /tmp/{your_username}`, and send us the file path. Do not attempt to modify or cat other files such as /etc/passwd.
- `alert(document.domain)`, to prove that the code is running under our origin and not a third-party or sandboxed domain.

If at any stage you're unable to demonstrate impact without potentially accessing production data, you should let us know so that we can do the investigation for you.
In order for us to attribute any test traffic or data back to you, we ask that when you create accounts you include your HackerOne username in the email address field.
Additionally, in order to test authentication/authorization issues, you should create multiple test accounts.
We recognize that using various automated tools is an important part of the recon and testing phases of bug bounty. As such, rather than prohibiting their use, we ask that you configure your tools to use reasonable limits. For example, up to 5 threads for directory brute-forcing is likely to not cause impact and is therefore reasonable, whereas 500+ threads is not.
Instacart is committed to being as transparent as possible throughout the whole submission life cycle. We want you to know what to expect when you send in a submission.
As each submission is different, there can be unexpected delays or additional investigation that is required, but these are the typical processes we go through:
When a submission has been validated as potentially valid by HackerOne Triage, a member of the Instacart Bug Bounty team will perform further validation to understand:
Based on the above, we’ll either ask for more information, close out the issue, or forward it internally for further verification and fix.
We aim to keep you updated throughout the fix process, but there can be additional unseen factors which extend the time taken to get a submission to a resolved state.
As researchers ourselves, we know how frustrating it can be waiting for a payout on a submission. Therefore our aim is to pay out submissions as soon as practically possible after triage. The way we do it is the following:
We also recognize that payout amounts can be different from what you're expecting, therefore we will try to give a justification when issuing the payout, for example if we found additional impact and are giving a larger reward, or if the submission had less impact than originally thought.
Without researchers our program wouldn’t exist, so we welcome any and all feedback as to how we can improve! If you have any thoughts, please feel free to reach out to our team at [email protected].