This guest blog was authored by the Ibotta Security Team.

Earlier this year we launched Pay with Ibotta, our first-ever payments solution to provide customers with instant cash rewards at the point of purchase. Leading global brands including AMC Theaters, Banana Republic, GameStop, Peet’s Coffee, Sephora, and more rely on Ibotta to keep the payments of their end-users secure. And we take that responsibility seriously. 

Trust is at the core of our mission to create a more secure payments ecosystem where every purchase is rewarding. We’ve done a good job to date of building this, but recognize we can’t do it alone. So today, we’re excited to announce the extension of our private security bug bounty program to a paid, public bug bounty program with Bugcrowd.

Bugcrowd leverages the combined skills and creativity of a global team of security researchers to help companies discover and remediate vulnerabilities more efficiently than traditional methods and before they can be exploited by bad actors. The expansion of our program is a natural followup to the success we’ve seen on the program to date. 

Launched in 2015, we immediately saw return on investment through our private program with the Crowd surfacing P1 and P2s. We also highly regarded the smaller bugs that could have been exploited for larger impact. These often helped to educate our developers by providing a clearer understanding about assets that weren’t previously considered as attack vectors. To date, we’ve rewarded more than $30,000 to the Crowd, and are looking forward to doubling down on application security to support the launch of Pay with Ibotta. 

Our Ibotta customers, who we refer to as “savers,” rely on their balances accrued within the platform. From saving up for family vacations to helping tide them over between paychecks, savers rely on the money they’ve earned with us to help them drive what’s important. So we’re looking to the Crowd to help us better understand — Are we exposing data that we’re not trying to? Can you log in as another user? What systems should we prioritize? 

All domains and properties of Ibotta are in scope, and we continually push out new code on a daily and bi-weekly for our web and mobile interfaces. To show our appreciation for your time, skills, and efforts, we’re offering monetary rewards up to $5,000 for any valid, non-duplicate submissions. 

Our team is excited to kickstart this renewed approach to security, tapping the combined experience and breadth of a crowd of security researchers. If you’re interested in participating in the program, visit the page on Bugcrowd — we can’t wait to collaborate.


To learn more about Bugcrowd’s managed Bug Bounty programs, visit