iFood: Bug Bounty Program

  • $150 – $2,500 per vulnerability
  • Up to $2,600 maximum reward
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 123
  • Validation within 3 days 75% of submissions are accepted or rejected within 3 days
  • Average payout $1,175 within the last 3 months

Latest hall of famers

Recently joined this program

Hey, you! Wanna be part of our cyber food program? So pay attention to how you can deliver vulnerabilities to us! Let the Hunger Games begin!
Thanks for your interest in the iFood bug bounty program! We're happy you're here.

Our goal is to set a benchmark for security and we see that ongoing process as a team effort. External security evaluations are an important part of the process and make iFood a better, safer environment. We need researchers who can think creatively and work outside the box to find security bugs. We are committed to working with you to verify, reproduce and respond to legitimate reported vulnerabilities covered by this page.

If you have something that you feel is close to exploitation, or if you'd like some information regarding the internals of our systems, or generally have any questions regarding the app that would help in your efforts, please create a submission and ask for that information. iFood will also accept flaw-hypothesis submissions, without penalty, and will work with you to develop a reasonable hypothesis into a working exploit, should one be possible.
This program is exclusively limited to app and web applications listed in this document. Please, take note of the current scope outlined below.


There's no need to reinvent the wheel. The iFood program will use what's best on the market and we hope to improve it over time! For now, we are using the Bugcrowd Vulnerability Rating Taxonomy. However, it's important to note: Sometimes, our analysis team can modify a vulnerability priority due to its likelihood or impact. But fear not, you'll be notified and a detailed explanation will be provided - along with the opportunity to appeal and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.