• $250 – $7,500 per vulnerability
  • Safe harbor

Scope Increase (New functionality)

Update for August 23rd 2018

New functionality has been introduced around customer rewards.
The flow for this functionality requires more detailed explanation. Please review the data below, and the linked document to find out how to test this functionality.

Account Flow:

The below documentation contains information detailed information, screenshots, and API details used for exercising this functionality.



Researchers will need to have a rewards account on any of the grocery chains listed in Appendix A on the linked document. These will not be provisioned by Bugcrowd or Ibotta.

In Scope:

  • api.ibotta.com
  • api.ibops.net

Out Of Scope:

  • No attacks/tests of any kind should be performed on the Grocery websites/properties
  • Anything else not specified in the In Scope section

Focus Areas and concerns:

  1. Any ability for an attacker to sniff Grocery retailers credentials entered into ibotta.
  2. All phone logs, especially exceptions, need to be verified to not include credentials.
  3. Check for plaintext customer sensitive information sent to 3rd party from our endpoints.
  4. Input validation for database access for protection against injection.
  5. Test the restriction of HTTP methods to those we are in control of, or any attack vector against our endpoints.