Vulnerability Disclosure Program (VDP)

VDPs are meant for responsibly reporting vulnerabilities you encounter — not for actively hunting for fame or reputation. Even if you're just starting out, consider focusing on rewarded bug bounty programs instead.

wonder-vdp

HackerOneView on HackerOne

RawAI Enhanced

In Scope

Out of Scope

In-Scope Assets (31)

Asset	Category	Bounty	Quick Links
*.grubhub.com	WILDCARD	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.jo30.com	WILDCARD	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.seamless.com	WILDCARD	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.tapingo.com	WILDCARD	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
*.tastemade.com	WILDCARD	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
302920553	IOS	No	-
971197898	IOS	No	-
976642810	IOS	No	-
api-merchant-gtm.grubhub.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
auth.grubhub.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
com.blueapron.blueapron.release	ANDROID	No	Play Store APKPure APKMirror
com.grubhub.android	ANDROID	No	Play Store APKPure APKMirror
com.tastemade.app	ANDROID	No	Play Store APKPure APKMirror
http://www.blueapron.com/api	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
http://www.blueapron.com/graphql	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://*.wonder.com	WILDCARD	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://blog.blueapron.com/	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://core-api.production.claim.co	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://core-api.staging.claim.co	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://cs-dashboard.production.claim.co/graphql	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://cs-dashboard.staging.claim.co/graphql	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://order.wonder.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
restaurant.grubhub.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
sensor.grubhub.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
tastemade.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
www.blueapron.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
www.grubhub.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
www.jo30.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
www.menupages.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
www.seamless.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
www.tapingo.com	URL	No	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa

Out-of-Scope Assets (4)

Asset	Category	Bounty
http://support.wonder.com	URL	No
support.blueapron.com	URL	No
support.grubhub.com	URL	No
support.seamless.com	URL	No

Scope Changes (103)

Mar 31, 2026

Change	Asset	Category	Scope	Time
Added	https://core-api.staging.claim.co	URL	In Scope	22:21
Added	https://core-api.production.claim.co	URL	In Scope	22:21
Added	https://cs-dashboard.production.claim.co/graphql	URL	In Scope	22:21
Added	https://cs-dashboard.staging.claim.co/graphql	URL	In Scope	22:21
Added	https://core-api.staging.claim.co	URL	In Scope	22:21
Added	https://core-api.production.claim.co	URL	In Scope	22:21
Added	https://cs-dashboard.staging.claim.co/graphql	URL	In Scope	22:21
Added	https://cs-dashboard.production.claim.co/graphql	URL	In Scope	22:21
Removed	976642810	IOS	In Scope	18:21
Removed	302920553	IOS	In Scope	18:21
Removed	com.blueapron.blueapron.release	ANDROID	In Scope	18:21
Removed	com.grubhub.android	ANDROID	In Scope	18:21
Added	com.tastemade.app	ANDROID	In Scope	18:21
Added	971197898	IOS	In Scope	18:21
Added	com.tastemade.app	ANDROID	In Scope	18:21
Added	971197898	IOS	In Scope	18:21

Feb 25, 2026

Change	Asset	Category	Scope	Time
Added	http://www.blueapron.com/graphql	URL	In Scope	19:12
Added	*.grubhub.com	WILDCARD	In Scope	19:12
Added	www.seamless.com	URL	In Scope	19:12
Added	support.grubhub.com	URL	Out of Scope	19:12
Added	api-merchant-gtm.grubhub.com	URL	In Scope	19:12
Added	tastemade.com	URL	In Scope	19:12
Added	support.blueapron.com	URL	Out of Scope	19:12
Added	support.seamless.com	URL	Out of Scope	19:12
Added	http://www.blueapron.com/api	URL	In Scope	19:12
Added	www.menupages.com	URL	In Scope	19:12
Added	https://order.wonder.com	URL	In Scope	19:12
Added	*.seamless.com	WILDCARD	In Scope	19:12
Added	com.grubhub.android	ANDROID	In Scope	19:12
Added	www.blueapron.com	URL	In Scope	19:12
Added	*.jo30.com	WILDCARD	In Scope	19:12
Added	sensor.grubhub.com	URL	In Scope	19:12
Added	com.blueapron.blueapron.release	ANDROID	In Scope	19:12
Added	*.tapingo.com	WILDCARD	In Scope	19:12
Added	www.tapingo.com	URL	In Scope	19:12
Added	976642810	IOS	In Scope	19:12
Added	auth.grubhub.com	URL	In Scope	19:12
Added	http://support.wonder.com	URL	Out of Scope	19:12
Added	*.wonder.com	WILDCARD	In Scope	19:12
Added	www.jo30.com	URL	In Scope	19:12
Added	*.tastemade.com	WILDCARD	In Scope	19:12
Added	https://blog.blueapron.com/	URL	In Scope	19:12
Added	www.grubhub.com	URL	In Scope	19:12
Added	restaurant.grubhub.com	URL	In Scope	19:12
Added	302920553	IOS	In Scope	19:12

Feb 22, 2026

Change	Asset	Category	Scope	Time
Added	auth.grubhub.com	URL	In Scope	01:12
Added	www.tapingo.com	URL	In Scope	01:12
Added	www.jo30.com	URL	In Scope	01:12
Added	restaurant.grubhub.com	URL	In Scope	01:12
Added	tastemade.com	URL	In Scope	01:12
Added	https://blog.blueapron.com/	URL	In Scope	00:43
Added	http://www.blueapron.com/graphql	URL	In Scope	00:43
Added	*.grubhub.com	WILDCARD	Out of Scope	00:43
Added	www.seamless.com	URL	In Scope	00:43
Added	976642810	IOS	In Scope	00:43
Added	sensor.grubhub.com	URL	In Scope	00:43
Added	com.blueapron.blueapron.release	ANDROID	In Scope	00:43
Added	http://www.blueapron.com/api	URL	In Scope	00:43
Added	*.tapingo.com	WILDCARD	In Scope	00:43
Added	support.blueapron.com	URL	Out of Scope	00:43
Added	support.grubhub.com	URL	Out of Scope	00:43
Added	api-merchant-gtm.grubhub.com	URL	In Scope	00:43
Added	www.grubhub.com	URL	In Scope	00:43
Added	www.menupages.com	URL	In Scope	00:43
Added	*.wonder.com	WILDCARD	Out of Scope	00:43
Added	support.seamless.com	URL	Out of Scope	00:43
Added	*.jo30.com	WILDCARD	In Scope	00:43
Added	*.seamless.com	WILDCARD	Out of Scope	00:43
Added	302920553	IOS	In Scope	00:43
Added	com.grubhub.android	ANDROID	In Scope	00:43
Added	*.tastemade.com	WILDCARD	In Scope	00:43
Added	www.blueapron.com	URL	In Scope	00:43
Added	https://order.wonder.com	URL	Out of Scope	00:43
Added	http://support.wonder.com	URL	Out of Scope	00:43

Feb 21, 2026

Change	Asset	Category	Scope	Time
Added	https://blog.blueapron.com/	URL	In Scope	19:12
Added	https://order.wonder.com	URL	In Scope	19:12
Added	*.wonder.com	WILDCARD	In Scope	19:12
Added	http://www.blueapron.com/graphql	URL	In Scope	19:12
Added	*.grubhub.com	WILDCARD	In Scope	19:12
Added	www.blueapron.com	URL	In Scope	19:12
Added	*.seamless.com	WILDCARD	In Scope	19:12
Added	www.grubhub.com	URL	In Scope	19:12
Added	www.menupages.com	URL	In Scope	19:12
Added	www.seamless.com	URL	In Scope	19:12
Added	*.tapingo.com	WILDCARD	In Scope	19:12
Added	www.tapingo.com	URL	In Scope	19:12
Added	www.jo30.com	URL	In Scope	19:12
Added	*.jo30.com	WILDCARD	In Scope	19:12
Added	restaurant.grubhub.com	URL	In Scope	19:12
Added	api-merchant-gtm.grubhub.com	URL	In Scope	19:12
Added	976642810	IOS	In Scope	19:12
Added	302920553	IOS	In Scope	19:12
Added	sensor.grubhub.com	URL	In Scope	19:12
Added	com.blueapron.blueapron.release	ANDROID	In Scope	19:12
Added	com.grubhub.android	ANDROID	In Scope	19:12
Added	http://www.blueapron.com/api	URL	In Scope	19:12
Added	auth.grubhub.com	URL	In Scope	19:12
Added	tastemade.com	URL	In Scope	19:12
Added	*.tastemade.com	WILDCARD	In Scope	19:12
Added	http://support.wonder.com	URL	Out of Scope	19:12
Added	support.blueapron.com	URL	Out of Scope	19:12
Added	support.grubhub.com	URL	Out of Scope	19:12
Added	support.seamless.com	URL	Out of Scope	19:12