Starbucks Bug Bounty Program

Starbucks believes in a program that fosters collaboration among security professionals to help protect our customers’ and partners’ personal information from malicious activity due to vulnerabilities in our networks, web and mobile applications, and to set security policies across our organization. We treat the security and safety of personal information with the utmost importance.

If you believe you have discovered an issue, please contact us at

Program Rules

  • Do not intentionally harm the experience or usefulness of the service to others, including degradation of services & denial of service attacks.
  • Do not attempt to view, modify, or damage data belonging to others.
  • You will not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
  • You must be the first to report a valid bug in order to be eligible for bounty.
  • For the protection of our customers, Starbucks does not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.

Starbucks reserves the right to add and subtract from the list of Targets eligible for reward and Vulnerabilities not eligible for reward. If you believe there is a vulnerability in an application that is not included in our ‘Targets eligible for reward’ list and should be, please submit a request for our review to

Targets eligible for reward

Vulnerabilities not eligible for reward

  • Denial of Service attacks
  • Descriptive error messages or headers (e.g. Stack Traces, application or server errors, banner grabbing)
  • Disclosure of known public files or directories
  • Outdated software / library versions
  • OPTIONS / TRACE HTTP method enabled
  • CSRF on logout
  • CSRF on forms that are available to anonymous users
  • Cookies that lack HttpOnly or Secure settings for non-sensitive data
  • Self-XSS and issues exploitable only through Self-XSS
  • Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
  • Attacks requiring physical access to a user's device
  • Attacks dependent upon social engineering of Starbucks employees or vendors
  • Username enumeration based on login or forgot password pages
  • Enforcement policies for brute force or account lockout
  • SSL/TLS best practices
  • Clickjacking, without additional details demonstrating a specific exploit


All bounty amounts are at the discretion of the Starbucks Bug Bounty team, which will evaluate each submission for severity, impact, and quality of the report to determine the bounty level. There could be submissions that we determine have an acceptable level of risk such that we do not make changes. Please provide as much detail as possible in your report, along with clear reproducible steps. Well-written reports will get first priority during triage and reward phases.


Starbucks reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time. Must be 18 or older to be eligible for an award.