Starbucks Bug Bounty Program
Starbucks believes in a program that fosters collaboration amongst security professionals to help protect our customers’ personal information from malicious activity due to vulnerabilities against our networks, web and mobile applications and set security policies across our organization. We treat the security and safety of our customers’ personal information with the utmost importance.
For the protection of our customers, Starbucks does not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.
If you believe you have discovered an issue, please contact us at email@example.com.
- Do not intentionally harm the experience or usefulness of the service to others, including degradation of services & denial of service attacks.
- Do not attempt to view, modify, or damage data belonging to others.
- Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
- You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
- You must be the first to report the issue in order to be eligible for bounty.
- You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Starbucks Partners are not eligible for participation in this program.
Targets Eligible for Reward
- [Starbucks iOS & Android apps for US, CA, BR, FR, UK, DE]
Starbucks reserves the right to add and subtract from the list of Targets Eligible for Reward and Exclusions.
The following vulnerabilities are not eligible for bounty.
- Denial of Service attacks
- Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
- Disclosure of known public files or directories
- Outdated software / library versions
- OPTIONS / TRACE HTTP method enabled
- CSRF on logout
- CSRF on forms that are available to anonymous users
- Cookies that lack HTTP Only or Secure settings for non-sensitive data
- Self-XSS and issues exploitable only through Self-XSS
- Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
- Attacks requiring physical access to a user's device
- Attacks dependent upon social engineering of Starbucks employees or vendors.
- Username enumeration based on login or forgot password pages.
- Enforcement policies for brute force, rate limiting, or account lockout
- SSL/TLS best practices
- Clickjacking, without additional details demonstrating a specific exploit
- Mail configuration issues including SPF, DKIM, DMARC settings
- Use of a known-vulnerable library without a description of an exploit specific to our implementation
- Password and account recovery policies
- Presence of autocomplete functionality in form fields
- Publicly accessible login panels
- Lack of email address verification during account registration
All bounty amounts will be determined at the discretion of the Starbucks Bug Bounty team who will evaluate each report for severity, impact, and quality. There could be submissions that we determine have an acceptable level of risk such that we do not make changes.
What to include in your report
A well written report will allow us to more quickly and accurately triage your submission.
- A clear description of the issue, including the impact you believe it has to the user, Starbucks, others.
- Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
- Your recommendations to resolve the issue.
Starbucks reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time. Must be 18 or older to be eligible for an award.