Ibotta

  • $50 – $5,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

57 vulnerabilities rewarded

Validation within about 22 hours
75% of submissions are accepted or rejected within about 22 hours

$950 average payout (last 3 months)


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

All domains/properties owned by Ibotta are in scope!

  • Ibotta continuously pushes out new code.
  • Please take care when testing on production not to compromise the functioning of any Ibotta assets or users on the platform.

Recent Scope Additions

We highly recommend you take a look at this additional attack surface – which hopefully means more vulnerabilities!

Name: Chrome Extension Beta
URL: Access Here (link); a User Guide is also provided (link)
Description: The Ibotta team is looking for testing that ensures the pop-up interaction with their other product areas (such as the next item or loyalty card linking) is secure, and would like to know about any sensitive data exposure.

Name: Web v2
URL: Access Here (link)
Description: This is a refreshed web application for the Ibotta team. Please note that there are some scope exclusions for this target: access token exposure, the ability to scrape the site, and data flow to third parties are intended, and reports will be considered informational unless they are chained to create a larger vulnerability.

Rewards

Priority   iOS, Android, API   Web
P1         $5,000              $1,500
P2         $2,250              $900
P3         $750                $300
P4         $250                $100

Targets

In scope

Target name Type Tags
Web v2 Website Testing
  • Website Testing
Chrome Extension Other
  • Browser Extension
http://ibotta.com Website Testing
  • AWS
  • Wordpress
  • Website Testing
  • Bootstrap
  • jQuery
  • MySQL
  • nginx
  • PHP
http://market.android.com/details?id=com.ibotta.android Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
https://backend.ibotta.com/ Website Testing
  • Website Testing
http://itunes.apple.com/us/app/ibotta/id559887125 iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
https://content-server.ibotta.com/graphql API Testing
  • API Testing
  • HTTP
https://api.ibotta.com API Testing
  • API Testing
  • HTTP
https://api.ibops.net API Testing
  • API Testing
  • HTTP
https://api.int.ibops.net API Testing
  • API Testing
  • HTTP
https://api.int.ibops.net/customer-loyalty-service API Testing
  • API Testing
  • HTTP
https://api.ibops.net/ad-management API Testing
  • API Testing
  • HTTP
Ibotta App Data & Memory Other

Out of scope


Access

Researchers can self register for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Researchers will need to have a rewards account on any of these grocery chains. These will not be provisioned by Bugcrowd or Ibotta.

Geo Restrictions

Ibotta is currently for US use only. International researchers are welcome to test against Ibotta assets but must do so through a US IP address (through a self-provisioned proxy/VPN).


Helpful Information

Account Flow

The documentation below describes how to initiate and use the application flow, and includes API endpoint data and examples. A video on how to initiate and use the flow is also included.

Chrome Extension

  • User Guide (link). The Ibotta team is looking for testing that ensures the pop-up interaction with their other product areas (such as the next item or loyalty card linking) is secure, and would like to know about any sensitive data exposure.

Cash out

A key use case for the Ibotta application is cashing out. For testing cash out in this program please be aware of the following:

  • PayPal, Venmo, and gift card cashout methods are live. Because of this, accounts will not be funded again.
  • Cashout thresholds are reduced for the Bugcrowd-provisioned accounts to facilitate testing.
  • SMS authentication is enabled for all accounts. Because of fraud scoring, VoIP numbers (Google Voice, etc.) may be blocked.
  • Critical requests are rate-limited and GeoIP-filtered. Requests from outside the US are not likely to be allowed.

Technology

  • The mobile apps are both native
  • Servers are Ruby/Rails on Ubuntu
  • Hosted on AWS, API endpoints behind Elastic Load Balancer
  • Infrastructure includes Memcache, Redis and MySQL

Focus Areas

  1. Any ability for an attacker to sniff grocery retailer credentials entered into Ibotta.
  2. All phone logs, especially exceptions, need to be verified not to include credentials.
  3. Check for plaintext customer-sensitive information sent to third parties from our endpoints.
  4. Input validation for database access, for protection against injection.
  5. Test the restriction of HTTP methods to those we are in control of, or any attack vector against our endpoints.
  6. 2FA bypass and/or compromising account integrity.
  7. Cashout threshold and value manipulation.

We ask that you only test on Ibotta owned assets and are respectful of our customers.

All testing must abide by AWS's rules on penetration testing.

Out-of-Scope

  • Testing of third-party services used by Ibotta, except where explicitly permitted as 'In Scope'
  • No attacks/tests of any kind should be performed on the Grocery websites/properties
  • Creating counterfeit receipts and barcodes
  • Double submission of receipts
  • Other customer-support situations
  • Denial of Service via high rate requests or other nonstandard requests
  • Lack of source code obfuscation (ios-class-guard, ProGuard) for mobile apps
  • Regarding Web v2: access token exposure, the ability to scrape the site, and data flow to third parties are intended, and reports will be considered informational unless they are chained to create a larger vulnerability

Rating Taxonomy

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.