Postmates

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
512393983 APPLE_STORE_APP_ID high high high critical
This is the primary iOS app for our customers/buyers to purchase goods, view their account information, add/edit card details, etc.
about.postmates.com URL low low low medium
This is the subdomain hosting some of our legal terms, some information about the company, and so on.
buyer-prod.postmates.com URL high high high critical
Main production backend for the mobile and web apps for our consumers/buyers.
com.postmates.android GOOGLE_PLAY_APP_ID high high high critical
This is the primary Android app for our customers/buyers to purchase goods, view their account information, add/edit card details, etc.
fleet.postmates.com URL high high high critical
This is the self-serve dashboard and sign-up location for our fleet. Couriers can manage their personal information, get past order history, check payment information, etc.
iOS/Android fleet apps OTHER high high high critical
You may download the fleet apps used by our couriers by visiting https://fleet.postmates.com/app. These apps are used for accepting and fulfilling any deliveries that come into our platform.
partner.postmates.com URL high high high critical
This is the self-serve dashboard for our merchants. Merchants can change their API keys, review payment information, view past order and payout history, disable themselves from the platform, etc.
postmates.com URL high high high critical
This is the main website where customers can register, log in, make orders, see order status, change credit card / name / phone number / delivery address / etc. This also includes ipa.postmates.com (the backend servicing the requests).
raster-static.postmates.com URL medium none medium critical
Image resizing and proxy service.
support.postmates.com URL none none low low
This is the self-serve help center for our customers.

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
blog.postmates.com URL none
postmates.com/developer URL none
brand.postmates.com URL none
Brand.postmates.com is operated by a third-party vendor, not Postmates. Since it's owned by a different company, we would ask that researchers avoid interacting with it.
postmates.com/partner URL none