Ibotta
- $50 – $5,000 per vulnerability
All domains/properties owned by Ibotta are in scope!
- Ibotta continuously pushes out new code.
- Please take care when testing on production not to compromise the functioning of any Ibotta assets or users on the platform.
Recent Scope Additions
We highly recommend you take a look at this additional attack surface – which hopefully means more vulnerabilities!
| Name | URL | Description |
|---|---|---|
| Chrome Extension Beta | Access Here | Here is a User Guide The Ibotta team is looking for testing that ensures the pop-up interaction with their other product areas (such as the next item or loyalty card linking) is secure and would like to know about any sensitive data exposure. |
| Web v2 | Access Here | This is a refreshed web application for the Ibotta Team. Please note that there are some scope exclusions for this target: Access Token Exposure, the ability to scrape the site, and data flow to 3rd parties is intended and reports will be considered informational unless they are chained to create a larger vulnerability. |
Rewards
| $ | iOS, Android, API | Web |
|---|---|---|
| P1 | $5,000 | $1,500 |
| P2 | $2,250 | $900 |
| P3 | $750 | $300 |
| P4 | $250 | $100 |
Scope and rewards
Program rules
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.