• $100 – $15,000 per vulnerability
  • Managed by Bugcrowd

Program stats

210 vulnerabilities rewarded

Validation within about 17 hours
75% of submissions are accepted or rejected within about 17 hours

$1,916.66 average payout (last 3 months)

Recently joined this program

920 total

Welcome to the Bug Bounty!

At we greatly value the security of our site and resources, and the community of security researchers that helps keep us safe. We appreciate everyone who looks at our site, and especially those who make us aware of issues and help us to fix them.

We award kudos nearly immediately after a submission (if it is accepted), and will move states around without awarding $$$ first. DO NOT BE ALARMED! You will get your award! We do this so we can be as quick and accurate with our rewards as possible.

This bounty requires explicit permission to disclose the results of a submission.

Questions, comments, or suggestions? Reach out to us at security['at']


In scope

Please note that for *, any part of * that is not explicitly mentioned in the out-of-scope section is in scope; however, please review the out-of-scope section to ensure that you're only testing on hosts that are in scope. Thanks!


Specific things we like giving lots of money for:

Type                                        Payout
Significant XSS                             $1,000 - $5,000
Authentication Bypass                       Up to $15,000
Vertical/Horizontal Privilege Escalation    $3,000 - $10,000
Significant Data Exposure                   Up to $10,000
Shell/RCE                                   $5,000 - $15,000

General Payout:

Severity    Payout
P1          $8,000 - $15,000
P2          $3,000 - $8,000
P3          $500 - $3,000
P4          $100 - $500

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.


For (Our Main Ecommerce Site):
  • Please create an account at
  • You MUST use your Bugcrowd email alias when registering for an account.
  • Ex: [Bugcrowd Username]
  • Some useful information can be found here -
For (Our Merchant Portal):
  • Navigate to
  • Click "Apply now" in the top right-hand corner.
  • Click either "Brand Manufacturer" or "Retailer" (it does not matter which).
  • Use [your_bugcrowd_username] as the email.
  • Use "Bugcrowd" as the "Legal business name".
  • Use 000000000 (9 zeros) as the "Tax Identification Number".
  • Your account will be approved within 72 hrs of request!
  • API Documentation for this site can be found at
    • Remember to change all URLs to in the API calls.
For the Jet API (
  • Open up Postman and load in the provided collection. (
  • Under the "auth" folder, you will see 4 requests
  • Make an account on
  • Fill in your credentials as environment variables in Postman.
  • Make all 4 requests in order.
  • In the responses you will receive all of the tokens and keys needed to operate the API.
  • Start Testing!!! Please check out the API Documentation at

Out of Scope Items:

Site/Address    Why
                is the same exact app just made for testing!
                is the same exact app just made for testing!
                3rd Party Service
                3rd Party Service
                3rd Party Service
                3rd Party Service
                3rd Party Service
                3rd Party Service
                3rd Party Service
                3rd Party Service

Additional Out of Scope Items:

  • Any 3rd party services
  • Physical security of Jet buildings. Please do not attempt to sneak into our premises either secretly or by using social engineering.
  • Phishing/Social Engineering Attacks against Jet Employees.
  • Subsidiaries, parents, and affiliates are not in scope unless explicitly mentioned in the in-scope section.
  • Outdated software versions are subject to a 72-hour blackout period to grant time for internal patching and testing (for instance, issues resulting from a 0day, etc). Rewards will not be given for outdated software versions reported during this period.
  • Any global scope security defects in the Microsoft Azure platform.
  • Clickjacking
  • Rate Limiting Issues
  • Missing SPF on Non-Email Domain (i.e.

Program Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
