Bountytalk - Forums Advertising & Bounty Hub
Other Bounties => Bug bounty programs => Topic started by: Angelina on May 11, 2023, 06:37:45 pm
submit bug report: http://www.starbucks.com
Policy
Starbucks believes in a program that fosters collaboration among security professionals to help protect our systems and customers’ personal information from malicious activity and to help set security policies across our organization. We value the security and safety of our customers’ personal information above all.
For the protection of our customers, Starbucks does not publicly disclose, discuss, or confirm security matters before comprehensively investigating, diagnosing, and fixing any known issues.
Table of Contents
Program
Legal
Program Eligibility
Program Rules
Report Submissions
What is required when submitting a report?
What happens after you submit a report?
How do I make my report great?
What causes a report to be closed as Informative, Duplicate, N/A, or Spam?
Helpful Hints
FAQs
Program
Legal
Starbucks reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time. Must be 18 or older to be eligible for an award.
Program Eligibility
You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
You must be the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.
You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
Zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.
Out-of-scope vulnerability reports may be addressed as a form of vulnerability disclosure but will generally not be considered reward eligible.
Starbucks partners (employees) and vendors are not eligible for participation in this program.
Program Rules
Do
Read and abide by the program policy.
Perform testing using only accounts that are your own personal/test accounts or an account that you have the explicit permission from the account holder to utilize.
Exercise caution when testing to avoid negative impact to customers and the services they depend on.
Stop when unsure. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
Do NOT
Do not brute-force credentials or guess credentials to gain access to systems.
Do not participate in denial of service attacks.
Do not upload shells or create a backdoor of any kind.
Do not engage in any form of social engineering of Starbucks employees, customers, or vendors.
Do not engage or target any Starbucks employee, customer or vendor during your testing.
Do not attempt to extract, download, or otherwise exfiltrate data which you believe may have PII other than your own.
Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password, stop and report the finding immediately.
Do not publicly disclose vulnerability reports that are not resolved and approved for disclosure by Starbucks.
Do not submit reports here as a means to engage us to buy your products or services. Please direct your sales inquiries through proper channels.
Report Submissions
What is required when submitting a report?
Provide the information asked for by the new report form, following the instructions there. Some important considerations include:
Title – this should be a quick and clear summary of your issue.
Asset – this should match exactly the asset you are reporting, or “Other”.
Severity – the CVSS calculator is used to evaluate severity and bounty, so to avoid disappointment, be honest and critical when scoring severity.
Weakness – select the most appropriate vulnerability type.
Description – provide all the requested fields.
The Starbucks team will then review your report. We will be working on the issue but may not have enough information to immediately move it from "New" to "Triage". As a global company, we often need to engage with teams across multiple time zones so we may need additional time to fully validate the report.
Starbucks will "Triage" valid & eligible reports that we intend to take action on. During this time, we will work with our internal teams to resolve the issue and follow up to close the report as "Resolved".
Rewards
Reward amounts are calculated based on the numerical CVSS score assigned to the report.
We strive to pay bounty on "Triage" and will do so when there is high confidence in the accuracy of the assigned scope and severity. Occasionally, we may need to delay payment until we fully investigate the details of a report.
All bounty amounts will be at the discretion of the Starbucks Bug Bounty team.
Reports that include a unique Nuclei Template to validate the finding will be rewarded a $250 bonus.
Starbucks will not bonus submissions that include an open-source community template demonstrating vulnerability findings. The template must be unique for the vulnerability being demonstrated.
Starbucks retains a perpetual right to utilize any templates submitted as part of a report and will not make any templates provided to Starbucks available to the public.
Reports submitted using methods that violate policy rules will not be eligible for reward.
To be eligible for a reward, the report must be for a reward eligible asset as defined in the scope section of our policy.
Reports where the researcher has confirmed and reported the same vulnerability on multiple assets, with the same root cause, may qualify for a 1.5 multiplier on their bounty award. Do not submit duplicate reports for the same issue across multiple sites as the duplicates will be closed and the issue will be treated as one report.
While we aim for consistency, previous reports and prior bounty amounts do not set a precedent and are not to be used for negotiating a higher reward. Changes to policy and the occasional human error should be considered.
Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected.