Public Instacart bug reports.

Team Bounty Title
Instacart $150 Reverse Tab-nabbing at
Instacart $100 XSS at in
Instacart $100 Login with Google Not Authenticated on iOS App
Instacart $100 XSS in
Instacart $100 Access private list metadata
Instacart $150 Full access to any list
Instacart - User Information sent to client through websockets
Instacart $50 Seemingly sensitive information at /api/v2/zones
Instacart - [Critical] Subdomain Takeover
Instacart $100 WordPress Authentication Denial of Service
Instacart $150 Fetch private list metadata and any user's personal name
Instacart $50 READ .svg files by changing .svg into .png extension
Instacart - API OAuth Public Key disclosure in mobile app
Instacart $150 Brute force login and bypass locked account restrictions via iOS app
Instacart $150 Issues with uploading list images
Instacart $100 Hyperlink Injection in Friend Invitation Emails
Instacart - Reflected File Download on recipe list search
Instacart $250 shopper login_code's can be brute forced
Instacart $100 Image Upload Path Disclosure
Instacart $150 Host Header Injection/Redirection in:
Instacart $50 Server side request forgery on image upload for lists
Instacart $75 Missing rel=noreferrer tag allows link in list to change url of currently open tab
Instacart $200 Race Condition in Redeeming Coupons
Instacart $100 Cross-Site Request Forgery (CSRF)
Instacart $150 Stored XSS
Instacart $50 CSRF To change Email Notification Settings
Instacart - CSRF with redeem coupon request
Instacart - Authentication Bypass in Updating Personal Information
Instacart $100 Authorization Bypass in Delivery Chat Logs
Instacart $100 Cookie-Based Injection
Instacart $100 Cross-Site Scripting Reflected On Main Domain