Shipt's security and engineering teams take security bugs in our software and applications very seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions. We have a few options available to accept these reports:

• Our public bug bounty program at HackerOne - https://hackerone.com/Shipt (this is the preferred and most efficient method)

• Via email: Send an email to [email protected] with a detailed proof of concept (POC) and/or evidence clearly outlining the vulnerability. Please include the string "Shipt OSS Vulnerability - Osmosis" in the subject line.

With either method you choose above, Shipt's information security team will send a response outlining any next steps necessary in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and/or disclosure (if applicable) and may ask for additional information or guidance regarding the issue.

NOTE: Please report security bugs in third-party modules, libraries, and/or dependencies to the person, organization, or team that owns and/or supports those resources.