Bug Bounties

Urban Company

Powered by: 

Allows bounty splitting: 

Average time to first program response: 19

Average time to bounty awarded null: 161

Average time to report resolved: 634

Handle urbancompany

Managed program: false

Name: Urban Company

Offers bounties: true

Offers swag: true

Response efficiency percentage: 90

Submission state: open

Url: https://hackerone.com/urbancompany

Website: https://www.urbancompany.com

In scope:

  • Asset identifier: 1032480595
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This is our customer iOS apps
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: 982922982
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This is our professional ios app.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.urbanclap.provider
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This is our partner android app.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.urbanclap.urbanclap
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: This is our customer app.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: www.urbanclap.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: www.urbanclap.com is also our root and critical domain. Most of our traffic routes through it.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: www.urbancompany.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: www.urbancompany.com is our main and critical domain. Most of our traffic routes through urbanclap.com. Other subdomains mentioned in scope are for internal purpose and either are password protected or Google auth protected. We do not wish anyone to login to mentioned domains and hence they are critical for us to find vulnerabilities in. **partner.urbancompany.com is one of the critical subdomains within this asset.** Testing Directions: * A user can Sign Up using his phone number and email ID from the website home page or app. Do ensure that you are reachable on the mobile number that you shall use to register with us. While creating account reporters should use their own HackerOne email address like [handle]@wearehackerone.com
  • Integrity requirements: 
  • Max severity: critical