Serious about security
Our approach to security is designed to protect buyers and sellers. We monitor every transaction, continuously innovate in fraud prevention, and we protect businesses’ data like our business depends on it—because it does. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set policies across our organization.
Caviar is an all-in-one food ordering platform that connects diners with the most crave-worthy restaurants, via convenient delivery, pickup, or catering. Caviar, part of Square’s suite of services for businesses, partners with thousands of restaurants in more than 20 cities across the US, to grow their sales and bring them new customers. Caviar also provides economic empowerment and flexible earning opportunities for couriers, offering the industry’s only occupational accident insurance policy that protects all couriers when they’re delivering on the Caviar platform at no cost to them.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
To test the payment flow, you must hit submit. Please note, this will actually charge you so please remember to cancel all transactions. YOU HAVE ONE MINUTE TO CANCEL ANY TRANSACTION.
Reward RangeLast updated
|Technical severity||Reward range|
|p1 Critical||$2,000 - $5,000|
|p2 Severe||$1,000 - $2,000|
|p3 Moderate||$300 - $1,000|
|p4 Low||$100 - $300|
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Caviar not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
While we're interested in sussing out all vulnerabilities, we'd appreciate if researchers could focus effort on identifying ATOs and ways of ordering free food. ATOs should only be conducted and demonstrated against accounts used by the researcher. Don't target any other person or account that is not your own.
When registering, please use your @bugcrowdninja.com email address ('firstname.lastname@example.org). To learn more about your @bugcrowdninja email - see here: https://researcherdocs.bugcrowd.com/docs/your-bugcrowdninja-email-address
You're free to create your own accounts, place transactions, etc (again, if you're testing placing orders, be sure to cancel within one minute, or the order will actually go through). Currently this test is limited to only the end-user side of the application (e.g. a user who orders food, etc).
- Submissions from scanners
- Any vulnerabilities found in third-party software
- Any physical attempts against Caviar or Square property or data centers
- Any attempts to exploit workflows for Caviar restaurants or couriers.
- Logout CSRF
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- No maximum password length
- An oracle that discloses whether a given username, email address, or phone number is associated with an actual account. (However, please do submit anything that allows you to recover usernames en masse.)
- Using spoofed emails for phishing
- Reports of the 2-factor token not expiring. We use TOTP codes for two factor.
Caviar recognizes the important contributions the security research community can make. We encourage coordinated reporting of security issues with our services. We take the security of our services very seriously and monitor their use for indications of a malicious attack. In order to allow us to identify legitimate security research as opposed to malicious attacks against our services, we promise not to bring legal action against researchers who:
- Share with us the full details of any problem found.
- Do not disclose the issue to others until we’ve had a reasonable time to address it.
- Do not intentionally harm the experience or usefulness of the service to others.
- Never attempt to view, modify, or damage data belonging to others.
- Do not attempt a denial-of-service attack.
- Do not perform any research or testing in violation of the law.
Attributes of a good report
- Detailed steps for reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc. We prefer detailed repro steps over video demos.
- Describe the versions of all relevant components of the attack (eg browser, OS, mobile app version).
- Describe a concrete attack scenario. How will the problem impact Caviar or Caviar's customers? Put the problem into context.
Multiple issues with one fix
We ask that researchers who identify the same or similar types of issues in multiple locations throughout an application combine those findings into a single submission whose description includes the locations where the issues were identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submission will be evaluated holistically and will be rewarded corresponding to the collective findings. For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.