Last Updated: January 16, 2026
At City Hive, we're building the future of alcoholic beverage delivery with cutting-edge technology including our AI-powered Tipsy Bot. We embrace the ethos of moving fast and breaking things - which means we value security researchers who help us identify and fix vulnerabilities quickly as we innovate.
We take the security of our platform and our customers' data seriously. We welcome the security research community's help in identifying vulnerabilities and appreciate researchers who follow responsible disclosure practices.
Program Overview
We offer a recognition-based security research program for researchers who responsibly report valid security vulnerabilities. Our rewards include:
- Public acknowledgment on our security hall of fame (with your permission)
- Direct communication with our security team
- Detailed feedback on your submission
- Symbolic rewards for high-impact findings (company merchandise, gift cards)
- In exceptional cases: Monetary bounties for critical vulnerabilities
- For outstanding contributors: Opportunity to join our engineering team
Scope
In-scope systems:
- cityhive.net and related web applications
- City Hive mobile applications (iOS/Android)
- API endpoints serving our platform
- Tipsy Bot AI recommendation system
Eligible Vulnerabilities
We're particularly interested in:
- Authentication and authorization flaws
- SQL injection, XSS, and code injection vulnerabilities
- Security misconfigurations leading to data exposure
- Business logic flaws with security implications
- Payment processing vulnerabilities
- AI/ML model vulnerabilities or prompt injection attacks
Out of Scope
- Third-party services and infrastructure not controlled by City Hive
- Social engineering attacks against employees or users
- Denial of Service (DoS/DDoS) attacks
- Physical security testing
- Issues requiring physical access to user devices
Responsible Disclosure Guidelines
To qualify for recognition:
- Report vulnerabilities promptly and privately to security@cityhive.net
- Provide detailed reproduction steps
- Allow reasonable time for remediation before public disclosure (90 days)
- Avoid accessing, modifying, or deleting user data
- Do not exploit the vulnerability beyond what's necessary to demonstrate it
- Do not perform testing that could degrade service quality or user experience
Safe Harbor
We commit to not pursuing legal action against researchers who follow these guidelines, act in good faith, and report findings responsibly.
How to Report
Email: security@cityhive.net
Please include:
- Vulnerability description and potential impact
- Step-by-step reproduction instructions
- Proof-of-concept (if applicable)
- Your name (if you'd like recognition)
We aim to acknowledge receipt within 48 business hours and provide updates on remediation progress.