The Flipdish bug bounty program awards the discovery and notification of vulnerabilities that meet the following criteria:
- allow unauthorised reading of personal information, as defined by GDPR, on multiple accounts;
- allow unauthorised changing of data that is publicly accessible;
- allow unauthorised changing of data that would affect the availability of our services.
To be eligible, the submitter must both demonstrate the vulnerability in action and explain how to reproduce the issue. It is not sufficient to simply state that a vulnerability exists without demonstrating it in action against the above criteria.
It is not sufficient to demonstrate it in action in a personal environment or solely using your own account information. You need to show access to a third party's data, not to your own data.
To be eligible, the following criteria must also be met:
- The vulnerability must not be a known issue.
- The vulnerability must apply to Flipdish products and not third party systems under a subdomain of the main flipdish.com domain.
- The submitter must not have another open bounty request (please submit one at a time).
- Vulnerabilities based on overloading our systems (e.g. DDoS attacks) are not eligible for the bug bounty program.
- Vulnerabilities that require access to customer devices that are outside of our control are not eligible. For example, accessing local data stored on a client Android device is not eligible.
- Vulnerabilities that involve accessing customer data via a compromise of a device outside of our control are not eligible. Other vulnerabilities on customer devices may be eligible; examples include being able to bypass authentication or being able to place fraudulent orders.
Examples of eligible vulnerabilities:
- Demonstrating updating the menu data for 5 clients. Reason: this shows unauthorised changing of data that would affect the availability of our services.
Examples of ineligible vulnerabilities:
- Reporting a clickjacking vulnerability that could potentially be used to manipulate internal account data. Reason: this does not demonstrate unauthorised reading of personal data, and does not demonstrate unauthorised changing of data that is either publicly accessible or that would affect the availability of our services.
- Reporting that a weak cipher is used to encrypt data. Reason: this does not demonstrate unauthorised reading of personal data, and does not demonstrate unauthorised changing of data that is either publicly accessible or that would affect the availability of our services. To be eligible, the submitter would need to demonstrate decryption of, and access to, personal data on multiple accounts.
The reward for each eligible submission meeting the above criteria is €1000*. An invoice must be provided to receive payment.
Should you make a submission which does not meet the above criteria for the bug bounty program, but which results in a fix being implemented, Flipdish, at its sole discretion, will consider awarding €300* once the fix is implemented.
* You may be subject to local taxes and bank charges.
How to submit
Please email [email protected] with your submission.