
TheFork Managed Bug Bounty Engagement
Bounty Range
$50 - $3,500
external program


Last Updated: 23 Jan 2026 14:54:25 GMT+0
TheFork, also known as La Fourchette, is a premier real-time restaurant reservation platform, providing users with access to over 60,000 dining establishments across various countries, including France, Spain, Switzerland, Belgium, Italy, Sweden, and many more. TheFork empowers users to discover and book restaurants at any time, ensuring seamless access to a diverse range of dining experiences, from casual meals to gourmet dining, all at the best available prices.
With an extensive and growing database of over 20 million verified user reviews, TheFork helps diners make well-informed decisions by offering insights into restaurant quality, service, ambiance, and pricing. Whether users are looking for a local favorite or an international hotspot, TheFork’s intuitive platform simplifies the process of finding and securing reservations, catering to both spontaneous and planned outings.
Beyond simply offering a reservation service, TheFork is designed to enhance the overall dining experience by providing users with exclusive offers, discounts, and promotions at selected restaurants, making dining out more accessible and affordable. Additionally, the platform includes a loyalty program that rewards frequent users with points (Yums) that can be redeemed for discounts on future reservations.
This program specifically focuses on testing TheFork’s B2C website and mobile app, ensuring that the platform remains secure, reliable, and user-friendly. Regular testing helps to maintain a high standard of performance and user experience while safeguarding the platform from potential vulnerabilities, ensuring that both diners and restaurant partners continue to benefit from a seamless and trusted service. Good luck, and happy hunting!
Violating program rules may result in your bounty being omitted.
USE ONLY TEST RESTAURANTS. It is imperative to understand that testing on live production restaurants or their systems is strictly prohibited without exception. Failure to adhere to this policy will not be tolerated and will result in program ban.
Identify your activity as belonging to Bugcrowd, whether you are performing manual testing or using automated tools:
Include the string "bugcrowd" in your User-Agent
Add "bugcrowd" to one of the fields of any form post not requiring account information
Do not contact other customers / users of the site. Do not attack or interact with any user account that you do not expressly own.
Limit excessive automated testing. Automated testing should not exceed 25 requests / second.
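The two rules above (tag your traffic, stay under 25 requests per second) are the ones a scripted test run most often breaks by accident. The following Python helper is an added example, not part of this brief and not TheFork's or Bugcrowd's code: it puts "bugcrowd" into the User-Agent (and optionally into a free-text form field) exactly once, and paces outgoing calls so that no more than 25 fall in any one-second window. The tag string and the rate come from the rules above; the default User-Agent, the name of the form field that carries the tag, and the pacing scheme are this example's own choices.

```python
"""Added example: apply the program's identification and throttling rules.
Assumptions (not from the brief): the default UA string, the "comment"
form field used to carry the tag, and the fixed-interval pacing scheme."""
import time
from typing import Callable, Dict, List, Optional

UA_TAG = "bugcrowd"   # required in the User-Agent by the program rules
MAX_RPS = 25          # ceiling for automated testing per the program rules


def tag_headers(headers: Optional[Dict[str, str]] = None,
                base_ua: str = "Mozilla/5.0 (security research)") -> Dict[str, str]:
    """Return a copy of headers whose User-Agent contains the tag exactly once."""
    out = dict(headers or {})
    ua = out.get("User-Agent", base_ua)
    if UA_TAG.lower() not in ua.lower():
        ua = f"{ua} {UA_TAG}"
    out["User-Agent"] = ua
    return out


def tag_form(data: Dict[str, str], field: str = "comment") -> Dict[str, str]:
    """Append the tag to a free-text field of a form that carries no account data.
    The field name is an assumption; pick one that is not a credential field."""
    out = dict(data)
    val = out.get(field, "")
    if UA_TAG.lower() not in val.lower():
        out[field] = (val + " " + UA_TAG).strip()
    return out


class Pacer:
    """Spaces calls at a fixed interval so at most max_rps occur per second.
    clock and sleep are injectable so the logic can be exercised offline."""

    def __init__(self, max_rps: int = MAX_RPS,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.interval = 1.0 / max_rps
        self._clock, self._sleep = clock, sleep
        self._next_slot = 0.0

    def wait(self) -> float:
        """Block until the next slot is free; return how long we slept."""
        now = self._clock()
        delay = max(0.0, self._next_slot - now)
        if delay > 0:
            self._sleep(delay)
            now += delay
        self._next_slot = now + self.interval
        return delay


def plan_requests(n: int, pacer: Pacer) -> List[float]:
    """Drive the pacer n times; return the cumulative sleep after each call."""
    total, out = 0.0, []
    for _ in range(n):
        total += pacer.wait()
        out.append(total)
    return out


if __name__ == "__main__":
    pacer = Pacer()
    hdrs = tag_headers({"User-Agent": "curl/8.0"})
    for _ in range(3):
        pacer.wait()                      # then issue the request with hdrs
        print(hdrs["User-Agent"])
```

Call `pacer.wait()` immediately before every outgoing request and pass `tag_headers(...)` as the request headers; with the default clock the pacer sleeps for real, so a loop that fires faster than the ceiling is slowed down rather than rejected.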
For the initial prioritization/rating of findings, this program will use the [https://bugcrowd.com/vulnerability-rating-taxonomy](Bugcrowd Vulnerability Rating Taxonomy) (please see below for any exceptions). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
In scope
Payment reward chart: P1 $2500 – $3500 | P2 $1500 – $1750 | P3 $500 – $700 | P4 $150 – $300
USE ONLY TEST RESTAURANTS. It is imperative to understand that testing on live production restaurants or their systems is strictly prohibited without exception. Failure to adhere to this policy will not be tolerated and will result in program ban.
The API sitting behind the application is in scope, however, no documentation is available for it. Please test it from a black box perspective.
JWT TTL is 5mins. For example: if you logout, your session is invalidated after 5mins. If you reset password, all sessions are disconnected after 5 minutes.
Redirection to an Out-of-Scope domain (*.theforkmanager.com) may occur. Although this may happen while authenticating, the below-listed scope is specific to this program and should be followed when testing & submitting reports.
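The 5-minute JWT TTL above is worth confirming from a captured token rather than taking on trust, since it decides how long a logged-out or password-reset session stays usable. The inspector below is an added example, not the program's or TheFork's code: it decodes a JWT's header and payload without verifying the signature and reports the exp - iat lifetime, whether that matches the documented 5 minutes, and how long the token still has to run. The sample token is constructed inline with a dummy signature; that the target's tokens carry the registered iat and exp claims is an assumption to check against a real capture. To confirm the behaviour described, a practitioner would then replay a captured token against an authenticated endpoint after logging out, inside that window and again after it.

```python
"""Added example: inspect a JWT's lifetime against the documented 5-minute TTL.
Assumption: the token carries the registered iat/exp claims. The sample
token built by make_sample_token() is constructed here and is NOT a real one."""
import base64
import json
import time
from typing import Any, Dict, Optional

EXPECTED_TTL = 5 * 60  # seconds; the TTL stated in the brief


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Dict[str, Any]:
    """Split a compact JWS into header and payload dicts.
    The signature is deliberately NOT verified: we only inspect claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def inspect_ttl(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Report the token's lifetime and compare it with the documented TTL."""
    parsed = decode_jwt(token)
    iat = parsed["payload"].get("iat")
    exp = parsed["payload"].get("exp")
    now = time.time() if now is None else now
    ttl = None if iat is None or exp is None else exp - iat
    return {
        "alg": parsed["header"].get("alg"),
        "iat": iat,
        "exp": exp,
        "ttl": ttl,
        "matches_documented_ttl": ttl == EXPECTED_TTL,
        "seconds_remaining": None if exp is None else exp - now,
        "expired": exp is not None and now >= exp,
    }


def make_sample_token(iat: int, ttl: int, alg: str = "HS256") -> str:
    """Constructed sample token for offline use; the signature is a dummy."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(
        json.dumps({"sub": "tester", "iat": iat, "exp": iat + ttl}, **compact).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    tok = make_sample_token(iat=1_700_000_000, ttl=300)
    print(inspect_ttl(tok, now=1_700_000_100))
```

With a real capture, pass the value from the Authorization header (without the "Bearer " prefix) to `inspect_ttl()`; a lifetime other than 300 seconds, or a token still accepted after logout once `expired` is true, is the discrepancy worth reporting.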
Name / Location | Tags | Known issues
--- | --- | ---
https://manager.thefork.com | Varnish, Website Testing, Javascript |
https://secure.thefork.com | Website Testing |
https://payment.lafourchette.com | Website Testing |
https://api.thefork.io | NodeJS |
[https://apps.apple.com/app/thefork-manager-neo/id1295795281](TheFork Manager iOS App) | iOS |
[https://play.google.com/store/apps/details?id=com.lafourchette.tfm3](TheFork Manager Android App) | Android |
https://widget.thefork.com | TypeScript, Website Testing |
In scope
Payment reward chart: P1 $500 – $1000 | P2 $200 – $400 | P3 $100 – $200 | P4 $50 – $100
Name / Location | Tags | Known issues
--- | --- | ---
[https://www.theforkmanager.com](TheFork Manager Blog) | |
In scope
Payment reward chart: P1 $2500 – $3500 | P2 $1500 – $1750 | P3 $500 – $700 | P4 $150 – $300
IMPORTANT: When booking reservations, please ONLY USE THE 3 TEST RESTAURANTS PROVIDED BELOW. It is imperative to understand that testing on live production restaurants or their systems is strictly prohibited without exception. Failure to adhere to this policy will not be tolerated and will result in program ban.
[https://www.thefork.com/restaurant/the-spanish-white-hacker-r685267](Spanish Restaurant)
[https://www.thefork.com/restaurant/the-italian-white-hacker-r685265](Italian Restaurant)
[https://www.thefork.com/restaurant/the-french-white-hacker-r717195](French Restaurant)
[https://bugcrowd.com/engagements/thefork-mbb-og/attachments/71cbd5c7-c523-44ad-8166-3dbc15b976dd](List of 500 test restaurants)
These restaurants cannot be found through the search field; open them directly through the links above.
Make a reservation with your @bugcrowd.com or @bugcrowdninja.com account as close to the time of your test as possible. Bookings can be made through the B2C website or mobile apps on one of the test restaurants.
Payment functionality in TFPay only opens for the specific booking once your dining time has started and stays open for a maximum of 3 hrs
To be able to perform test payments, you must have logged in to the mobile app with an @bugcrowd.com or @bugcrowdninja.com email account
Navigate to the TheFork Pay section through the menu in the app, add a [https://bugcrowd.com/engagements/thefork-b2c-wng/attachments/56edf652-dceb-4043-a6a3-57d498db71af](test credit card & gift cards) or select the relevant booking, then add your test credit card & gift cards
Complete the payment. Note a maximum of 2 payments per reservation is allowed.
Navigate to TheFork Pay section to verify the status of the payment
Name / Location | Tags | Known issues
--- | --- | ---
https://www.thefork.com | |
https://m.thefork.com | TypeScript, Varnish, GraphQL, API Testing, Wordpress |
[https://apps.apple.com/app/thefork-restaurants-bookings/id424850908](TheFork iOS App) | Objective-C, SwiftUI, Swift (+2 more) |
[https://play.google.com/store/apps/details?id=com.lafourchette.lafourchette](TheFork Android App) | Java, Mobile Application Testing, Kotlin (+1 more) |
In scope
Payment reward chart: P1 $500 – $1000 | P2 $200 – $400 | P3 $100 – $200 | P4 $50 – $100
All of our tools are under *.tools.thefork.tech; some of them are reachable only internally.
Name / Location | Tags | Known issues
--- | --- | ---
https://*.tools.thefork.tech | Website Testing |
https://www.restaurant-information.com | Website Testing |
Out of scope
Name / Location | Tags | Known issues
--- | --- | ---
*.myfourchette.com | API Testing, HTTP |
www.myfourchette.com | Website Testing |
website.theforkmanager.com | |
*.lafourchette.rest | |
login.theforkmanager.com | |
developer.thefork.io | |
Out of scope
Name / Location | Tags | Known issues
--- | --- | ---
https://*.eltenedor.* | | see list below
Known issues on this target:
We allow booking only with an e-mail address + first name + last name + phone number.
We do not check whether the e-mail address or phone number is valid, nor whether the customer actually owns that e-mail address or phone number.
A customer can see an obfuscated telephone number, the first letter of first_name, the first letter of last_name, and the number of Yums.
It is possible to find out whether an e-mail address is registered with TheFork.
It is possible to book with an e-mail address you do not own.
Testing is only authorized on the targets listed as In-Scope. Any domain/property of TheFork not listed in the targets section is out of scope. This includes any/all subdomains not listed above. IF you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to TheFork, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.
Please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see https://docs.bugcrowd.com/researchers/participating-in-program/your-bugcrowdninja-email-address/.
Test Restaurants: 500 test restaurants are ready to be used for testing. You can find the complete list in the program resources section on Bugcrowd platform.
Payment functionality in TFPay only opens for the specific booking once your dining time has started and stays open for a maximum of 3hrs
To perform test payments, you must have logged in to the mobile app with an @bugcrowd.com or @bugcrowdninja.com email account
Navigate to TheFork pay section through the menu in the app, add test credit cards & gift cards or select the relevant booking
Complete the payment. Note a maximum of 2 payments per reservation is allowed
TheFork allows booking only with an e-mail address + First name + Last name + Phone number
Email addresses and phone numbers are not validated for ownership
It's possible to know if an e-mail address is registered or not in TheFork
It's possible to book with an e-mail address you don't own
Use credentials provided by TheFork inside the file
Please DON'T change the restaurant password
JWT TTL is 5 minutes. Session invalidation occurs 5 minutes after logout or password reset
API testing should be performed from a black box perspective (no documentation available)
Redirection to out-of-scope domains (*.theforkmanager.com) may occur during authentication, but testing should remain within listed scope
For some actions the platform requires an OTP sent to the restaurant email address. We are working on providing a static OTP that can be used to test those functionalities.
Submissions should include full HTTP request and response
Submissions should contain demonstrated practical impact and attack scenario
Final decisions on vulnerability priority and bounty amount are made by TheFork security team for each report individually
Developer Portal (developer.thefork.io): All security issues will be ranked as P4
Cross-Platform Issues: Vulnerabilities affecting both B2C and B2B systems may receive higher priority consideration
Legacy vs Primary Systems: Primary APIs receive standard rewards; legacy systems may have reduced rewards
Account & Authentication:
User account manipulation and privilege escalation
Authentication bypass and session management
Password reset functionality
Permissions and authorization flaws
Payment & Features:
Credit card processing and storage
Pay at the table (TFPay) functionality
Giftcard handling and validation
Yums loyalty system vulnerabilities
Common Web Vulnerabilities:
XSS, CSRF, IDOR, SQL/NoSQL Injection
JWT and GraphQL implementation flaws
PII (Personally Identifiable Information) exposure
Access to internal infrastructure & corporate tools
User account manipulation and privilege escalation
Authentication
PII (Personally Identifiable Information) exposure
JWT and GraphQL
Data leakage between B2C and B2B systems
Privilege escalation from B2C to B2B or vice versa
Shared authentication vulnerabilities
Cross-platform data exposure
Customer Data Model:
Email enumeration is expected (checking if email is registered)
Booking with unowned email addresses is by design
No email/phone validation during booking process
Viewing obfuscated customer data (first letter of names, partial phone numbers)
Session Management:
5-minute delay for session invalidation after logout/password reset is expected
Weak password policies are not considered vulnerabilities
Temporary Classifications:
IDORs: Currently ranked as P5 Informational (for B2C, B2B is ranked as usual)
BACs: Currently ranked as P5 Informational (fix in progress)
Session invalidation can take 5 minutes after a user logs out or resets their password
Weak Password Policy
All lafourchette.com domains are out of scope (api.lafourchette.com, review-api.lafourchette.com, m-api.lafourchette.com, etc.)
Other TheFork brand domains are out of scope (www.lafourchette.com, www.eltenedor.es, www.thefork.* variants not explicitly listed)
DoS / DDoS attacks of any kind
Social engineering attacks of any kind
Exploits around mass content submission, account creation or spamming
Content fraud - example: inflating or deflating a restaurant's rating, or raising a review's helpful vote count
Lack of rate-limit
Exploits that require warranty voiding actions (e.g., rooting victim device)
Exploits against the site from webviews within mobile applications NOT published by TheFork
Mobile application vulnerabilities that require having a malicious application installed will have drastically reduced priority class because of prerequisite
HTTP Header security related findings such as missing headers
Information-stealer logs / exposed credentials that give no access to internal resources. Note that info-stealer logs may be accepted if the detected credential can be used to access internal resources.
Domains that do not send email are not eligible for rewards relating to email misconfiguration (e.g. DMARC misconfiguration)
SSL related issues are out-of-scope
All vulnerabilities related to 3rd parties outside of TheFork. Example - Stripe, Amilon
All findings regarding hijacking of third-party domains or social media accounts for which TheFork is not directly responsible (Social Broken Link)
Contacting or requesting customer support services (e.g. phone support, support chat, email support). If you have questions while testing, refer to the [https://support.theforkmanager.com/s/?language=en_US](TheFork FAQ Page) or contact [https://bugcrowd-support.freshdesk.com/support/tickets/new](Bugcrowd Support).
IDORs are temporarily considered P5 Informational. We are aware of an issue linked to this class of vulnerability; the fix is in progress.
BACs are temporarily considered P5 Informational. We are aware of an issue linked to this class of vulnerability; the fix is in progress.
All findings regarding hijacking of third-party domains or social media accounts for which TheFork is not directly responsible (Social Broken Link) will be ranked as INFORMATIONAL.
When conducting vulnerability research according to this policy, we consider this research to be:
Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via [https://bugcrowd-support.freshdesk.com/support/tickets/new](Bugcrowd Support) before going any further.
3 files attached in this brief, sorted by upload date:
https://bugcrowd.com/engagements/thefork-mbb-og/attachments/f089b69d-9d26-46e2-9dcf-8224ea5fcc23 (document, 116 KB, uploaded on 25 Nov 2025)
https://bugcrowd.com/engagements/thefork-mbb-og/attachments/71cbd5c7-c523-44ad-8166-3dbc15b976dd (document, 97.9 KB, uploaded on 25 Nov 2025)
https://bugcrowd.com/engagements/thefork-mbb-og/attachments/da2bf607-4338-4b67-bbdb-7343aaec0723 (document, 311 KB, uploaded on 25 Nov 2025)
Announcements
Mati_bugcrowd announced: the engagement TheFork Managed Bug Bounty Engagement has transitioned to public.
If you have any questions, please contact [mailto:[email protected]](Bugcrowd support).
CrowdStream activity
Submission accepted, by ziadhossam. Priority P4, accepted on 20 Mar 2026.
Submission accepted on target www.restaurant-information.com. Priority P2, accepted on 13 Mar 2026.
Submission accepted on target manager.thefork.com.
Hall of Fame: https://bugcrowd.com/h/Dieuveil
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please visit [https://bugcrowd-support.freshdesk.com/support/tickets/new](Bugcrowd Support) and create a support ticket. We will address your issue as soon as possible.
This engagement follows Bugcrowd’s [https://www.bugcrowd.com/resource/standard-disclosure-terms/](standard disclosure terms.)
Disclosure of vulnerabilities found in this engagement requires explicit permission, obtained by selecting the disclosure request option on your submission. For more information please review the [https://docs.bugcrowd.com/researchers/disclosure/disclosure/#f-coordinated-disclosure](Public Disclosure Policy).