Public Starbucks bug reports.

Team Bounty Title
Starbucks $2,000 Possible subdomain takeover at openapi.starbucks.com
Starbucks - Unable to register in starbucks app
Starbucks - Full Api Access and Run All Functions via Starbucks App
Starbucks - Java Deserialization RCE via JBoss on card.starbucks.in
Starbucks $500 Stored XSS in comments on https://www.starbucks.co.uk/blog/*
Starbucks - [connect.teavana.com] Open Redirect and abuse of connect.teavana.com
Starbucks - Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key=
Starbucks - Unable to register in starbucks IN app
Starbucks $250 DOM XSS on teavana.com via "pr_zip_location" parameter
Starbucks $750 Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites
Starbucks - Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud
Starbucks - csrf blogs.starbucks.com
Starbucks - Time-based Blind SQLi on news.starbucks.com
Starbucks - Starbucks.com is reachable via ip address thus possible to link any domain to Starbucks.
Starbucks $375 Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com)
Starbucks $250 SAP Server - default credentials enabled
Starbucks - Exposed Unencrypted Telnet Endpoint
Starbucks - Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud
Starbucks - Create New User Whilst Logged On
Starbucks - [newscdn.starbucks.com] CRLF Injection, XSS
Starbucks - http://digital.starbucks.com/ Creation of Google G Suite Account on Behalf of starbucks.
Starbucks $250 Reflected XSS on teavana.com (Locale-Change)
Starbucks $500 Persistent XSS in www.starbucks.com
Starbucks $150 Dom Based Xss DIV.innerHTML parameters store.starbucks*
Starbucks $2,000 Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
Starbucks $100 Stored XSS in Address Book (starbucks.com/account/profile)
Starbucks $375 CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments)
Starbucks $150 CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard)
Starbucks $375 Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments)
Starbucks $250 CSRF: add item to victim's cart automatically (starbucks.com - updatecart)
Starbucks $750 out of date disqus shortname usage in the web app source code
Starbucks $150 Improper Validation on Cancel Link Redirect
Starbucks - Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in
Starbucks $4,000 Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions.
Starbucks $6,000 Parameter Manipulation allowed for viewing of other user’s teavana.com orders
Starbucks $375 www.starbucks.co.uk Reflected XSS via utm_source parameter