Responsible Disclosure Policy - Favor

Responsible Disclosure Policy

Effective January 2018

Favor takes protection of our users’ data seriously – for details please see our Privacy Policy and Terms of Service.

To that end, Favor welcomes responsible disclosure of vulnerabilities by researchers. We do NOT have a bug bounty program, and do NOT pay for vulnerability information. To contact Favor, please reach out to us at Our PGP key can be found at

Favor will not take legal action against individuals who report vulnerabilities in accordance with the policy as outlined below.

Out-of-scope areas:

  • 3rd party applications and services in use by Favor
  • Favor’s corporate networks

Out of scope vulnerabilities and reports include:

  • Social engineering
  • Denial of service
  • Brute forcing
  • Weak passwords
  • Lack of headers
  • SSL vulnerabilities
  • Reports from automated scanning tools
  • Destruction of data
  • Changing passwords and account information for accounts that do not belong to you
  • Abusing vulnerabilities to steal from Favor by receiving unearned Runner payment or free/ discounted deliveries
  • Theft of data
  • Publishing of private or company information

In order to ensure compliance with this policy, individuals should stop testing after discovering a vulnerability and not attempt to escalate. Feel free to include suspected lateral or escalation paths in your report. Additionally, in order to avoid stealing or damaging other’s data, researchers should focus testing on accounts and information that they have created and control.

Researchers are welcome to publicly disclose their findings 30 days after Favor informs the researcher that the vulnerability has been closed. Please contact the Favor security team at with any questions.

Favor reserves the right to modify, suspend, or remove this policy at any time without notice. Favor will have no liability with regards to the actions of any researcher. Researchers are responsible for following all applicable laws.