Public Starbucks bug reports.

| Team | Bounty | Title |
| --- | --- | --- |
| Starbucks | $2,000 | Possible subdomain takeover at |
| Starbucks | - | Unable to register in starbucks app |
| Starbucks | - | Full Api Access and Run All Functions via Starbucks App |
| Starbucks | - | Java Deserialization RCE via JBoss on |
| Starbucks | $500 | Stored XSS in comments on* |
| Starbucks | - | [] Open Redirect and abuse of |
| Starbucks | - | Reflected XSS in /searchasyoutype/v1/search?x-api-key= |
| Starbucks | - | Unable to register in starbucks IN app |
| Starbucks | $250 | DOM XSS on via "pr_zip_location" parameter |
| Starbucks | $750 | Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites |
| Starbucks | - | Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud |
| Starbucks | - | CSRF |
| Starbucks | - | Time-based Blind SQLi on |
| Starbucks | - | is reachable via IP address, thus possible to link any domain to Starbucks. |
| Starbucks | $375 | Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / |
| Starbucks | $250 | SAP Server - default credentials enabled |
| Starbucks | - | Exposed Unencrypted Telnet Endpoint |
| Starbucks | - | Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud |
| Starbucks | - | Create New User Whilst Logged On |
| Starbucks | - | [] CRLF Injection, XSS |
| Starbucks | - | Creation of Google G Suite Account on Behalf of starbucks. |
| Starbucks | $250 | Reflected XSS on (Locale-Change) |
| Starbucks | $500 | Persistent XSS in |
| Starbucks | $150 | DOM Based XSS DIV.innerHTML parameters store.starbucks* |
| Starbucks | $2,000 | Subdomain takeover on due to non-used AWS S3 DNS record |
| Starbucks | $100 | Stored XSS in Address Book ( |
| Starbucks | $375 | CSRF exploit \| Adding/Editing comment of wishlist items ( - Wishlist-Comments) |
| Starbucks | $150 | CSRF vulnerability in saving payment card on (COBilling -AddCreditCard) |
| Starbucks | $375 | Reflected XSS by exploiting CSRF vulnerability on wishlist comment module. (wishlist-comments) |
| Starbucks | $250 | CSRF: add item to victim's cart automatically ( - updatecart) |
| Starbucks | $750 | Out of date Disqus shortname usage in the web app source code |
| Starbucks | $150 | Improper Validation on Cancel Link Redirect |
| Starbucks | - | Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on |
| Starbucks | $4,000 | Parameter Manipulation allowed for editing the shipping address for other users' subscriptions. |
| Starbucks | $6,000 | Parameter Manipulation allowed for viewing of other users' orders |
| Starbucks | $375 | Reflected XSS via utm_source parameter |