[{"id":3646796,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Our rewards are based on the impact of a vulnerability and we use CVSS v3 to guide our decisions on vulnerability impact. \n* Public zero-day vulnerabilities that have had an official patch for less than 30 days will be awarded on a case-by-case basis.\n* Zero-day vulnerabilities found in third-party libraries/services used by Upserve will be awarded on a case-by-case basis. These vulnerabilities should be reported directly to the library or service maintainer. \n\n# A Note on Similar Submissions\nWe ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.\n\n# Test References and Documentation\n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/upserve-hacker-cafe/) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. 
The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Upserve Hacker Cafe only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/upserve-hacker-cafe/, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-hacker-cafe) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. 
**Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable for the restaurant it was generated for. **The payments sandbox in use for testing is very lenient and will allow invalid card numbers to be used. If you think you've found a bug here we are happy to validate against a live gateway.**\n\n* Upserve.com (https://645892349820.vulnerbug.com) is a WordPress application. **Do not test upserve.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement or attacks that can be leveraged against other Upserve assets.\n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here would be access to non-public information, defacement, or vulnerabilities that would make social engineering more effective.  \n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. 
\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n   \n* Upserve Inventory (https://inventory.upserve.com) is a PHP application used by restaurants to track and order inventory.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve HQ3 (https://hq.upserve.com) is a React application which wraps our other applications (Upserve HQ, Upserve POS HQ, Upserve Inventory, etc.) 
into a single interface.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries or software without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* User enumeration or account oracles -- the ability to submit a phone number, email, or UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n* DNS issues \n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n* Subdomain Takeover \n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease contact us at bugbounty@upserve.com before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-14T15:08:24.624Z"},{"id":3642860,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Our rewards are based on the impact of a vulnerability and we use CVSS v3 to guide our decisions on vulnerability impact. \n* Public zero-day vulnerabilities that have had an official patch for less than 30 days will be awarded on a case-by-case basis.\n* Zero-day vulnerabilities found in third-party libraries/services used by Upserve will be awarded on a case-by-case basis. These vulnerabilities should be reported directly to the library or service maintainer. \n\n# A Note on Similar Submissions\nWe ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. 
For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.\n\n# Test References and Documentation\n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/upserve-hacker-cafe/) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Upserve Hacker Cafe only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/upserve-hacker-cafe/, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-hacker-cafe) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable for the restaurant it was generated for. **The payments sandbox in use for testing is very lenient and will allow invalid card numbers to be used. If you think you've found a bug here we are happy to validate against a live gateway.**\n\n* Upserve.com (https://645892349820.vulnerbug.com) is a WordPress application. **Do not test upserve.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement or attacks that can be leveraged against other Upserve assets.\n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here would be access to non-public information, defacement, or vulnerabilities that would make social engineering more effective.  \n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. 
\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n   \n* Upserve Inventory (https://inventory.upserve.com) is a PHP application used by restaurants to track and order inventory.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve HQ3 (https://hq.upserve.com) is a React application which wraps our other applications (Upserve HQ, Upserve POS HQ, Upserve Inventory, etc.) 
into a single interface.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries or software without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* User enumeration or account oracles -- the ability to submit a phone number, email, or UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n* DNS issues \n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n* Subdomain Takeover Via Dangling NS records\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease contact us at bugbounty@upserve.com before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-25T18:44:00.180Z"},{"id":3642652,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Our rewards are based on the impact of a vulnerability and we use CVSS v3 to guide our decisions on vulnerability impact. \n* Public zero-day vulnerabilities that have had an official patch for less than 30 days will be awarded on a case-by-case basis.\n* Zero-day vulnerabilities found in third-party libraries/services used by Upserve will be awarded on a case-by-case basis. These vulnerabilities should be reported directly to the library or service maintainer. \n\n# A Note on Similar Submissions\nWe ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. 
For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.\n\n# Test References and Documentation\n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/upserve-hacker-cafe/) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Upserve Hacker Cafe only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/upserve-hacker-cafe/, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-hacker-cafe) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable for the restaurant it was generated for. **The payments sandbox in use for testing is very lenient and will allow invalid card numbers to be used. If you think you've found a bug here we are happy to validate against a live gateway.**\n\n* Upserve.com (https://645892349820.vulnerbug.com) is a WordPress application. **Do not test upserve.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement or attacks that can be leveraged against other Upserve assets.\n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here would be access to non-public information, defacement, or vulnerabilities that would make social engineering more effective.  \n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. 
\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n   \n* Upserve Inventory (https://inventory.upserve.com) is a PHP application used by restaurants to track and order inventory.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve HQ3 (https://hq.upserve.com) is a React application which wraps our other applications (Upserve HQ, Upserve POS HQ, Upserve Inventory, etc.) 
into a single interface.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries or software without a working Proof of Concept.\n* Comma-Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* User enumeration or account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc.)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n* Subdomain Takeover Via Dangling NS records\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease contact us at bugbounty@upserve.com before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-21T15:16:55.849Z"},{"id":3634842,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Our rewards are based on the impact of a vulnerability and we use CVSS v3 to guide our decisions on vulnerability impact. \n* Public Zero-day vulnerabilities that have had an official patch for less than 30 days will be awarded on a case by case basis.\n* Zero-day vulnerabilities found on third-party libraries/services used by Upserve will be awarded on a case by case basis. These vulnerabilities should be reported directly to the library or service maintainer. \n\n# A Note on Similar Submissions\nWe ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. 
For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.\n\n# Test References and Documentation\n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/upserve-hacker-cafe/) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Upserve Hacker Cafe only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/upserve-hacker-cafe/, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-hacker-cafe) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account, or you can place orders without an account.\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant.\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should be usable only by the restaurant it was generated for. **The payments sandbox in use for testing is very lenient and will allow invalid card numbers to be used. If you think you've found a bug here we are happy to validate against a live gateway.**\n\n* Upserve.com (https://645892349820.vulnerbug.com) is a WordPress application. **Do not test upserve.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement or attacks that can be leveraged against other Upserve assets.\n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here would be access to non-public information, defacement, or vulnerabilities that would make social engineering more effective.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. 
\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n   \n* Upserve Inventory (https://inventory.upserve.com) is a PHP application used by restaurants to track and order inventory.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve HQ3 (https://hq.upserve.com) is a React application which wraps our other applications (Upserve HQ, Upserve POS HQ, Upserve Inventory, etc.) 
into a single interface.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries or software without a working Proof of Concept.\n* Comma-Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* User enumeration or account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc.)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease contact us at bugbounty@upserve.com before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-10T14:11:13.459Z"},{"id":3633202,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Our rewards are based on the impact of a vulnerability and we use CVSS v3 to guide our decisions on vulnerability impact. \n* Public Zero-day vulnerabilities that have had an official patch for less than 30 days will be awarded on a case by case basis.\n* Zero-day vulnerabilities found on third-party libraries/services used by Upserve will be awarded on a case by case basis. These vulnerabilities should be reported directly to the library or service maintainer. \n\n# A Note on Similar Submissions\nWe ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. 
For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. If separate submissions are made, they may be inadvertently closed as duplicates.\n\n# Test References and Documentation\n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/upserve-hacker-cafe/) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Upserve Hacker Cafe only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/upserve-hacker-cafe/, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-hacker-cafe) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account, or you can place orders without an account.\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant.\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should be usable only by the restaurant it was generated for. **The payments sandbox in use for testing is very lenient and will allow invalid card numbers to be used. If you think you've found a bug here we are happy to validate against a live gateway.**\n\n* Upserve.com (https://645892349820.vulnerbug.com) is a WordPress application. **Do not test upserve.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement or attacks that can be leveraged against other Upserve assets.\n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here would be access to non-public information, defacement, or vulnerabilities that would make social engineering more effective.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. 
\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve POS iPad App - This app is our point of sale app for restaurants.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve Inventory (https://inventory.upserve.com) is a PHP application used by restaurants to track and order inventory.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve HQ3 (https://hq.upserve.com) is a React application which wraps our other applications (Upserve HQ, Upserve POS HQ, Upserve Inventory, etc.) 
into a single interface.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries or software without a working Proof of Concept.\n* Comma-Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* User enumeration or account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc.)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease contact us at bugbounty@upserve.com before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-17T21:27:13.674Z"},{"id":3628189,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Our rewards are based on the impact of a vulnerability and we use CVSS v3 to guide our decisions on vulnerability impact. \n\n# A Note on Similar Submissions\nWe ask that researchers who are able to identify the same or similar types of issues in multiple locations across one of our applications combine those findings into a single submission that includes a description as well as the various locations where vulnerabilities have been identified. This greatly assists us in our triage process and allows us to process your submissions faster. The combined submissions will be evaluated holistically and will receive rewards corresponding to the collective findings. For example, if an application is discovered to have broken access control on a number of API endpoints, please submit a single submission that includes a list of those API endpoints. 
If separate submissions are made, they may be inadvertently closed as duplicates.\n\n# Test References and Documentation\n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/upserve-hacker-cafe/) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Upserve Hacker Cafe only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/upserve-hacker-cafe/, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-hacker-cafe) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. 
**Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable by the restaurant it was generated for. **The payments sandbox in use for testing is very lenient and will allow invalid card numbers to be used. If you think you've found a bug here we are happy to validate against a live gateway.**\n\n* Upserve.com (https://645892349820.vulnerbug.com) is a WordPress application. **Do not test upserve.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement or attacks that can be leveraged against other Upserve assets.\n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site.  Our primary concern here would be access to non-public information, defacement, or vulnerabilities that would make social engineering more effective.  \n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. 
\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve POS iPad App - This app is our point of sale app for restaurants.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve Inventory (https://inventory.upserve.com) is a PHP application used by restaurants to track and order inventory.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n\n* Upserve HQ3 (https://hq.upserve.com) is a React application which wraps our other applications (Upserve HQ, Upserve POS HQ, Upserve Inventory, etc.) 
into a single interface.\n    * Credentials are provided by invite only at this time (please don't ask).\n    * You are welcome to recon this asset, attempt authentication bypass, and search for anything else of impact.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries or software without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* User enumeration or account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease contact us at bugbounty@upserve.com before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-13T18:53:55.606Z"},{"id":3620951,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Vulnerability Impact and Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. We use CVSS v3 to guide our decisions on vulnerability impact. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n\n### Critical:\nCritical vulnerabilities have a CVSS v3.0 score of 9.0 or higher and they can be readily compromised with publicly available malware, exploits, or techniques.\n\nExamples of issues that Upserve might consider of critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High:\nHigh severity vulnerabilities have a CVSS v3.0 score of 7.0 to 8.9. \n\nExamples of issues that Upserve might consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium: \nMedium severity vulnerabilities have a CVSS v3.0 score of 4.0 to 6.9.\n\nExamples of issues that Upserve might consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low: \nLow severity vulnerabilities have a CVSS v3.0 score of 0.1 to 3.9.\n\nExamples of issues that Upserve might consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable by the restaurant it was generated for. **The payments sandbox in use for testing is very lenient and will allow invalid card numbers to be used. If you think you've found a bug here we are happy to validate against a live gateway.**\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a WordPress application. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* WordPress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-10T15:17:52.020Z"},{"id":3598412,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Vulnerability Impact and Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. We use CVSS v3 to guide our decisions on vulnerability impact. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n\n### Critical:\nCritical vulnerabilities have a CVSS v3.0 score of 9.0 or higher and they can be readily compromised with publicly available malware, exploits, or techniques.\n\nExamples of issues that Upserve might consider of critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High:\nHigh severity vulnerabilities have a CVSS v3.0 score of 7.0 to 8.9. \n\nExamples of issues that Upserve might consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium: \nMedium severity vulnerabilities have a CVSS v3.0 score of 4.0 to 6.9.\n\nExamples of issues that Upserve might consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low: \nLow severity vulnerabilities have a CVSS v3.0 score of 0.1 to 3.9.\n\nExamples of issues that Upserve might consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable by the restaurant it was generated for. **The payments sandbox in use for testing is very lenient and will allow invalid card numbers to be used. If you think you've found a bug here we are happy to validate against a live gateway.**\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a WordPress application. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a WordPress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* WordPress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-17T16:23:57.275Z"},{"id":3597008,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Vulnerability Impact and Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. We use CVSS v3 to guide our decisions on vulnerability impact. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n\n### Critical:\nCritical vulnerabilities have a CVSS v3.0 score of 9.0 or higher and they can be readily compromised with publicly available malware, exploits, or techniques.\n\nExamples of issues that Upserve might consider of critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High:\nHigh severity vulnerabilities have a CVSS v3.0 score of 7.0 to 8.9. \n\nExamples of issues that Upserve might consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium: \nMedium severity vulnerabilities have a CVSS v3.0 score of 4.0 to 6.9.\n\nExamples of issues that Upserve might consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low: \nLow severity vulnerabilities have a CVSS v3.0 score of 0.1 to 3.9.\n\nExamples of issues that Upserve might consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable to the restaurant it was generated for.\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a Wordpress application. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a Wordpress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a Wordpress application for internal use by team members. Users are required to sign-in with their Upserve Google account to access the information. There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on Wordpress sites (and associated DoS issues)\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-05T14:53:06.728Z"},{"id":3597007,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n\n### Critical severity bugs:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable to the restaurant it was generated for.\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a Wordpress application. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a Wordpress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a Wordpress application for internal use by team members. Users are required to sign-in with their Upserve Google account to access the information. There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on Wordpress sites (and associated DoS issues)\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-05T14:30:44.328Z"},{"id":3597006,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n\n### Critical severity bugs:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Upserve POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable to the restaurant it was generated for.\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a WordPress application hosted by WPEngine. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a WordPress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here would be access to non-public information or defacement. 
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Upserve POS iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* WordPress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-05T14:29:21.039Z"},{"id":3588740,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n\n### Critical severity bugs:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Breadcrumb POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable to the restaurant it was generated for.\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a WordPress application hosted by WPEngine. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a WordPress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here would be access to non-public information or defacement. 
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* WordPress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on WordPress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-14T18:41:34.145Z"},{"id":3588722,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n### Do not test with the live upserve.com site. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n\n### Critical severity bugs:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Breadcrumb POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable to the restaurant it was generated for.\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a WordPress application hosted by WPEngine. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a WordPress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a WordPress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site. Our primary concern here would be access to non-public information or defacement. 
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* auditmyprocessor.com is a Wordpress application for restaurants to calculate their payment processing fees.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-14T13:53:05.524Z"},{"id":3582425,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n\n### Critical severity bugs:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Breadcrumb POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable to the restaurant it was generated for.\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a Wordpress application hosted by WPEngine. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a Wordpress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a Wordpress application for internal use by team members. Users are required to sign-in with their Upserve Google account to access the information. There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* auditmyprocessor.com is a Wordpress application for restaurants to calculate their payment processing fees.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-12T12:56:19.177Z"},{"id":3579739,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure is delayed. (for example, if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases, we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Breadcrumb POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable to the restaurant it was generated for.\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a Wordpress application hosted by WPEngine. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a Wordpress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a Wordpress application for internal use by team members. Users are required to sign-in with their Upserve Google account to access the information. There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  
Reward amounts for this property will typically be lower than our customer-facing applications.\n\n* auditmyprocessor.com is a Wordpress application for restaurants to calculate their payment processing fees.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials, only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for restaurants.\n    * Without credentials, only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* XML-RPC available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-12T17:28:02.668Z"},{"id":3577642,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. (for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* Upserve Loyalty (https://app.upserve.com/b/swipely-bistro) is a React application with a Ruby on Rails backend. REST API calls are made to app.upserve.com/c/ and cards.swipely.com. The application allows a consumer to register an account and enroll one or more credit cards into a restaurant's loyalty program. Purchases made by the consumer at the restaurant are tracked in the loyalty program and a reward is given when the consumer's account reaches a specified level. It is not currently possible for researchers to generate sales that apply to the loyalty program. We are interested in vulnerabilities that would allow a consumer to fraudulently add points to their own account or steal points from other accounts. Use the provided test restaurant Swipely Bistro only. **Testing on any other restaurant is prohibited without approval from Upserve.** \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter your email address, then enter a credit card number (either your own, or you can use a credit card generator to create a fake one). The application will reject duplicate card numbers.\n    * cards.swipely.com provides an endpoint for adding payment cards to the vault. The endpoint returns a token which should not be reversible. This API should not be able to provide back full payment card numbers. \n\n* Upserve Online Ordering (OLO) (https://app.upserve.com/s/upserve-lounge-test-providence-2) is a React application with a Ruby on Rails backend. REST API calls are made to orders.upserve.com and payments.upserve.com. 
Orders can be submitted to the test restaurant linked in this plan using any valid credit card number. Credit cards will not be charged or authorized with this restaurant. **Testing on any other restaurant is prohibited without approval from Upserve.**\n    * You may create an account or you can place orders without an account\n    * You may use any validly formatted credit card number - either your own, or you can use a credit card generator to create a fake one.\n    * Orders placed are submitted to the Breadcrumb POS service and will most likely be rejected after 20 minutes unless someone at Upserve is actively working with this test restaurant\n    * payments.upserve.com provides an endpoint for adding payment cards to the vault. The endpoint returns a payment method token which is used by the OLO API. The token should not be reversible and should only be usable by the restaurant it was generated for.\n\n* Upserve.com, RestaurantInsider.com (https://645892349820.vulnerbug.com) is a Wordpress application hosted by WPEngine. **Do not test upserve.com or restaurantinsider.com directly.** Please only test https://645892349820.vulnerbug.com/. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* theacademy.upserve.com is a Wordpress application hosting customer education materials. The application allows users to search for and view videos. \n\n* teamhelp.upserve.com is a Wordpress application for internal use by team members. Users are required to sign in with their Upserve Google account to access the information. There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  
Reward amounts for this property will typically be lower than our customer facing applications.\n\n* auditmyprocessor.com is a Wordpress application for restaurants to calculate their payment processing fees.\n\n* Upserve HQ (https://app.upserve.com/partners/) is a Ruby on Rails application used by restaurants to view operational, sales, marketing, and finance information. \n    * Without credentials only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb HQ (https://hq.breadcrumb.com/) is a Ruby on Rails application used by restaurants to manage their point of sale tablets and view sales reports. \n    * Without credentials only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n    \n* Upserve Live Mobile App - This app is for restaurants to view operational and sales information.\n    * Without credentials only authentication bypass can be tested. Credentials are provided by invite only at this time (please don't ask).\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for restaurants.\n    * Without credentials only authentication bypass can be tested. 
Credentials are provided by invite only at this time (please don't ask).\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* xmlrpc available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. 
To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-24T17:12:03.049Z"},{"id":3577373,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. (for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* app.upserve.com (merchant UI) - Currently we are not provisioning merchant test accounts, but feel free to test against the login page (https://app.upserve.com/sign_in) or attempt to escalate to merchant level access.\n\n* app.upserve.com (consumer UI) - This is our loyalty program for customers. \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own, or you can use a credit card generator to create a fake one). \n\n* cards.swipely.com - This is the API our loyalty application uses to enroll cards in the system.\n\n* 645892349820.vulnerbug.com - This is our test version of our marketing and community website (upserve.com). It is running on Wordpress on third party infrastructure. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com - This is our internal employee information/help desk site.  It is running on Wordpress on third party infrastructure.  There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  Reward amounts for this property will typically be lower than our customer facing applications.\n \n* hq.breadcrumb.com - This is a portal for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n* Upserve Live Mobile App - This app is for merchants. 
Feel free to test against this, but we are not creating merchant test accounts at this time.\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for merchants.  Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* xmlrpc available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\nIn order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Upserve reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-21T16:26:04.450Z"},{"id":3575790,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy and scope to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. (for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope vulnerabilities and known issues before submitting a report.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category for bounty eligible assets. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  All valid reports are eligible to receive a HackerOne reputation reward. 
For assets eligible for a paid bounty, Upserve may provide rewards based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. 
HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* app.upserve.com (merchant UI) - Currently we are not provisioning merchant test accounts, but feel free to test against the login page (https://app.upserve.com/sign_in) or attempt to escalate to merchant level access.\n\n* app.upserve.com (consumer UI) - This is our loyalty program for customers. \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own, or you can use a credit card generator to create a fake one). \n\n* cards.swipely.com - This is the API our loyalty application uses to enroll cards in the system.\n\n* 645892349820.vulnerbug.com - This is our test version of our marketing and community website (upserve.com). It is running on Wordpress on third party infrastructure. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com - This is our internal employee information/help desk site.  It is running on Wordpress on third party infrastructure.  There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  Reward amounts for this property will typically be lower than our customer facing applications.\n \n* hq.breadcrumb.com - This is a portal for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n* Upserve Live Mobile App - This app is for merchants. 
Feel free to test against this, but we are not creating merchant test accounts at this time.\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for merchants.  Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* xmlrpc available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! 
If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-07T19:15:12.906Z"},{"id":3575413,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. (for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Communication Guidelines\n* We will make a best effort to respond to incoming reports within 2 business days.\n* We will make a best effort to validate a legitimate security issue and make a bounty determination within 10 business days.\n* We aim to keep you informed about our progress, so please do not submit requests for updates unless we've missed the above targets.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope and known issues before submitting a report. We will close these reports as 'Not Applicable'.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category. 
We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. 
reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* app.upserve.com (merchant UI) - Currently we are not provisioning merchant test accounts, but feel free to test against the login page (https://app.upserve.com/sign_in) or attempt to escalate to merchant level access.\n\n* app.upserve.com (consumer UI) - This is our loyalty program for customers. \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own, or you can use a credit card generator to create a fake one). \n\n* cards.swipely.com - This is the API our loyalty application uses to enroll cards in the system.\n\n* 645892349820.vulnerbug.com - This is our test version of our marketing and community website (upserve.com). It is running on Wordpress on third party infrastructure. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com - This is our internal employee information/help desk site.  It is running on Wordpress on third party infrastructure.  There is non-public information on this site.  
Our primary concern here would be access to non-public information or defacement.  Reward amounts for this property will typically be lower than our customer facing applications.\n \n* hq.breadcrumb.com - This is a portal for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n* Upserve Live Mobile App - This app is for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for merchants.  Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) 
that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* xmlrpc available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n# Safe Harbor\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our [Terms \u0026 Conditions](https://upserve.com/terms/), we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you and you have complied with Upserve's bug bounty policy, Upserve will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities.\n\nWe will not share your report with a third-party without your permission and/or gaining their commitment they will not pursue legal action against you. 
Please note again that we can’t authorize out-of-scope testing in the name of third parties and such testing is beyond the scope of the program.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\nThank you for helping keep Upserve and our users safe! If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-03T17:23:06.400Z"},{"id":3573353,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. 
(for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Communication Guidelines\n* We will make a best effort to respond to incoming reports within 2 business days.\n* We will make a best effort to validate a legitimate security issue and make a bounty determination within 10 business days.\n* We aim to keep you informed about our progress, so please do not submit requests for updates unless we've missed the above targets.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope and known issues before submitting a report. We will close these reports as 'Not Applicable'.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category. 
We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. 
reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* app.upserve.com (merchant UI) - Currently we are not provisioning merchant test accounts, but feel free to test against the login page (https://app.upserve.com/sign_in) or attempt to escalate to merchant level access.\n\n* app.upserve.com (consumer UI) - This is our loyalty program for customers. \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own, or you can use a credit card generator to create a fake one). \n\n* cards.swipely.com - This is the API our loyalty application uses to enroll cards in the system.\n\n* 645892349820.vulnerbug.com - This is our test version of our marketing and community website (upserve.com). It is running on Wordpress on third party infrastructure. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com - This is our internal employee information/help desk site.  It is running on Wordpress on third party infrastructure.  There is non-public information on this site.  
Our primary concern here would be access to non-public information or defacement.  Reward amounts for this property will typically be lower than our customer facing applications.\n \n* hq.breadcrumb.com - This is a portal for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n* Upserve Live Mobile App - This app is for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for merchants.  Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Wordpress user enumeration\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) 
that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* xmlrpc available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n\nThank you for helping keep Upserve and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-09T18:25:11.043Z"},{"id":3570361,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. 
We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. (for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Communication Guidelines\n* We will make a best effort to respond to incoming reports within 2 business days.\n* We will make a best effort to validate a legitimate security issue and make a bounty determination within 10 business days.\n* We aim to keep you informed about our progress, so please do not submit requests for updates unless we've missed the above targets.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope and known issues before submitting a report. We will close these reports as 'Not Applicable'.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. 
creating orders with a payment method you don't own, issue refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* app.upserve.com (merchant UI) - Currently we are not provisioning merchant test accounts, but feel free to test against the login page (https://app.upserve.com/sign_in) or attempt to escalate to merchant level access.\n\n* app.upserve.com (consumer UI) - This is our loyalty program for customers. \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter in your email address, enter in a credit card number (either your own, or you can use a credit card generator to create a fake one). \n\n* cards.swipely.com - This is the API our loyalty application uses to enroll cards in the system.\n\n* 645892349820.vulnerbug.com - This is our test version of our marketing and community website (upserve.com). It is running on Wordpress on third party infrastructure. 
Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com - This is our internal employee information/help desk site.  It is running on Wordpress on third party infrastructure.  There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  Reward amounts for this property will typically be lower than our customer facing applications.\n \n* hq.breadcrumb.com - This is a portal for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n* Upserve Live Mobile App - This app is for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for merchants.  Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) 
that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n* Missing best practices in email configuration (DMARC, SPF, DKIM, etc)\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* xmlrpc available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n\nThank you for helping keep Upserve and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-03-07T15:34:53.335Z"},{"id":3570290,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy to ensure the best experience for all involved.\n \n# Important Notes\n* **Do not test with the live upserve.com site**. Please review the scope for details on the test site URL specific for security research\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* If you have a question that is not answered on this page, please contact bugbounty@upserve.com\n\n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. 
We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. (for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Communication Guidelines\n* We will make a best effort to respond to incoming reports within 2 business days.\n* We will make a best effort to validate a legitimate security issue and make a bounty determination within 10 business days.\n* We aim to keep you informed about our progress, so please do not submit requests for updates unless we've missed the above targets.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope and known issues before submitting a report. We will close these reports as 'Not Applicable'.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. 
creating orders with a payment method you don't own, issuing refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* app.upserve.com (merchant UI) - Currently we are not provisioning merchant test accounts, but feel free to test against the login page (https://app.upserve.com/sign_in) or attempt to escalate to merchant level access.\n\n* app.upserve.com (consumer UI) - This is our loyalty program for customers. \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter your email address and a credit card number (either your own, or you can use a credit card generator to create a fake one). \n\n* cards.swipely.com - This is the API our loyalty application uses to enroll cards in the system.\n\n* 645892349820.vulnerbug.com - This is our test version of our marketing and community website (upserve.com). It is running on Wordpress on third party infrastructure. 
Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com - This is our internal employee information/help desk site.  It is running on Wordpress on third party infrastructure.  There is non-public information on this site.  Our primary concern here would be access to non-public information or defacement.  Reward amounts for this property will typically be lower than our customer facing applications.\n \n* hq.breadcrumb.com - This is a portal for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n* Upserve Live Mobile App - This app is for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for merchants.  Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) 
that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* xmlrpc available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n\nThank you for helping keep Upserve and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-03-06T22:24:27.953Z"},{"id":3570265,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy to ensure the best experience for all involved.\n \n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. (for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Communication Guidelines\n* We will make a best effort to respond to incoming reports within 2 business days.\n* We will make a best effort to validate a legitimate security issue and make a bounty determination within 10 business days.\n* We aim to keep you informed about our progress, so please do not submit requests for updates unless we've missed the above targets.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope and known issues before submitting a report. We will close these reports as 'Not Applicable'.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category. 
We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issuing refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. 
reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* app.upserve.com (merchant UI) - Currently we are not provisioning merchant test accounts, but feel free to test against the login page (https://app.upserve.com/sign_in) or attempt to escalate to merchant level access.\n\n* app.upserve.com (consumer UI) - This is our loyalty program for customers. \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter your email address and a credit card number (either your own, or you can use a credit card generator to create a fake one). \n\n* cards.swipely.com - This is the API our loyalty application uses to enroll cards in the system.\n\n* 645892349820.vulnerbug.com - This is our test version of our marketing and community website (upserve.com). It is running on Wordpress on third party infrastructure. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com - This is our internal employee information/help desk site.  It is running on Wordpress on third party infrastructure.  There is non-public information on this site.  
Our primary concern here would be access to non-public information or defacement.  Reward amounts for this property will typically be lower than our customer facing applications.\n \n* hq.breadcrumb.com - This is a portal for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n* Upserve Live Mobile App - This app is for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for merchants.  Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) 
that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n* xmlrpc available on Wordpress sites (and associated DoS issues)\n* phpMyAdmin accessible on teamhelp.upserve.com\n\n\nThank you for helping keep Upserve and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-03-06T14:31:54.623Z"},{"id":3570194,"new_policy":"Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities.  We ask that you carefully review this policy to ensure the best experience for all involved.\n \n# Public Disclosure Policy\nUpserve supports public disclosure of most vulnerabilities following resolution. We ask that you not share vulnerability details with anyone other than Upserve or HackerOne prior to approved public disclosure through the HackerOne platform.\n* In most cases, Upserve will allow public disclosure of vulnerabilities within 30 days of resolution. \n* In some cases, Upserve will request that public disclosure be delayed. (for example if we need to conduct private notifications first)\n* In limited cases, Upserve may request that a report remain private. 
In these cases we will maintain open communication with the researcher about why we feel this is important.\n* Follow HackerOne's disclosure guidelines.\n\n# Communication Guidelines\n* We will make a best effort to respond to incoming reports within 2 business days.\n* We will make a best effort to validate a legitimate security issue and make a bounty determination within 10 business days.\n* We aim to keep you informed about our progress, so please do not submit requests for updates unless we've missed the above targets.\n\n# Report Quality\n* Please consider the attack scenario and exploitability of the bug.\n* Please provide detailed reports with reproducible steps and **demonstrable impact**. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better.\n* If you’re unsure of the direct impact, but feel you may have found something interesting, please submit a detailed report and ask.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n\n# Program Rules\n* Please check the list of out-of-scope and known issues before submitting a report. We will close these reports as 'Not Applicable'.\n* **Do not run automated scans without checking with us first. They are often very noisy and disruptive.**\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. \n* Only interact with accounts you own or with explicit permission of the account holder.\n* Bounty amounts below are the minimum we will pay per category. 
We aim to be fair; all reward amounts are at our discretion and based on demonstrable impact.\n* If we receive several reports for the same issue, we offer the bounty to the earliest report for which we had enough actionable information to identify the issue.\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n\n# Rewards\nOur rewards are based on the demonstrable impact of a vulnerability. Things that influence the impact of an issue are the scale of exposure, mitigating factors, and multiplying factors.  Please note these are general guidelines and examples, and that reward decisions are up to the discretion of Upserve. \n \n| Critical | High | Medium | Low |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $100 |\n\n### Critical severity bugs - minimum $2500:\nExamples of issues that Upserve would consider critical impact include:\n \n* Gaining unauthorized access to any merchant’s account or data (e.g. credit card numbers, transaction information, etc.)\n* Gaining unauthorized access to any customer’s account or data (e.g. credit card numbers, etc.)\n* Gaining unauthorized access to any production systems (e.g. shell access, code execution, etc.)\n* Exposed credentials that could result in access to production systems or deployment pipelines (e.g. API keys, access tokens, etc.)\n* The ability to cause monetary impact to Upserve, a merchant, or a customer (e.g. creating orders with a payment method you don't own, issuing refunds, manipulating order totals, etc.)\n \n### High severity bugs - minimum $1500:\nExamples of issues that Upserve would consider high impact include:\n\n* Targeted attacks that result in access to an individual merchant or customer’s account or data (e.g. 
reflected XSS that requires social engineering)\n* Direct object references to sensitive information\n \n### Medium severity bugs - minimum $500: \nExamples of issues that Upserve would consider medium impact include:\n\n* Issues that impact less sensitive assets, such as the public marketing sites\n* Being able to modify a merchant or customer’s settings without their permission\n* Content injection that allows for convincing phishing attacks (e.g. HTML injection or XSS in an unauthenticated domain)\n* Open URL redirection\n \n### Low severity bugs - minimum $100: \nExamples of issues that Upserve would consider low impact include:\n\n* Leaks of less sensitive information that has a demonstrable impact\n* Directory traversal\n\n# Test Plans \n**Read carefully** for instructions and tips on testing: \n \n* app.upserve.com (merchant UI) - Currently we are not provisioning merchant test accounts, but feel free to test against the login page (https://app.upserve.com/sign_in) or attempt to escalate to merchant level access.\n\n* app.upserve.com (consumer UI) - This is our loyalty program for customers. \n    * To create a customer account, navigate to https://app.upserve.com/b/swipely-bistro, enter your email address and a credit card number (either your own, or you can use a credit card generator to create a fake one). \n\n* cards.swipely.com - This is the API our loyalty application uses to enroll cards in the system.\n\n* 645892349820.vulnerbug.com - This is our test version of our marketing and community website (upserve.com). It is running on Wordpress on third party infrastructure. Our primary concern here would be defacement, but there isn’t much sensitive data or functionality here - as such, reward amounts for this property will typically be lower.\n\n* teamhelp.upserve.com - This is our internal employee information/help desk site.  It is running on Wordpress on third party infrastructure.  There is non-public information on this site.  
Our primary concern here would be access to non-public information or defacement.  Reward amounts for this property will typically be lower than our customer facing applications.\n \n* hq.breadcrumb.com - This is a portal for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n* Upserve Live Mobile App - This app is for merchants. Feel free to test against this, but we are not creating merchant test accounts at this time.\n\n* Breadcrumb Pro iPad App - This app is our point of sale app for merchants.  Feel free to test against this, but we are not creating merchant test accounts at this time.\n \n\n# Out of scope vulnerabilities \nThe following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating an Upserve account exists.\n* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue.\n* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) 
that have not been validated.\n* Banner grabbing issues \n* Rate limiting issues\n\n# Known Issues\nThe following issues are already known to our team - please do not submit new reports related to them, as they will be considered duplicates.\n* Sessions do not expire after password change/reset\n* Attacker can enroll credit cards in another user's loyalty accounts\n\nThank you for helping keep Upserve and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-03-05T15:41:21.310Z"}]