7shifts © 2025
Responsible Disclosure

Last updated: Oct 22nd, 2024

1. Policy

At 7shifts we believe in leveraging the skills of security researchers around the globe to identify weaknesses in our technology. If you believe you’ve found a security issue in our services, we encourage you to notify us.

Developing patches, upgrades, workarounds, and other mitigations to security vulnerabilities can be time-consuming and complex. In order to participate in our responsible disclosure program, vulnerability finders and reporters must provide us with a reasonable period of time to investigate and remediate a reported issue. To be certain that we can develop a fix before the vulnerability can be exploited, and to maintain the security of our service and our users’ data, you may not publicly disclose a vulnerability without our explicit consent.

We administer bounties through a private Inspectiv program.

2. Program Rules

Researchers that do not follow these rules will not be eligible for compensation for reported vulnerabilities.

  1. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Reports should include, for example, screen captures, videos, proof-of-concept code, and/or reports or other output from security tools/utilities.
  2. Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
  3. When duplicates occur, we award only the first report that was received in compliance with these rules (provided that it can be fully reproduced).
  4. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  5. Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  6. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  7. You must immediately delete any data that you acquire. To the extent you access any sensitive data in the course of your research, you should access and use such data only to the extent required to identify the vulnerability, and then cease your access to the data. You may not disclose this data to any third party.
  8. You may not interact with accounts that you do not own or have explicit permission from the account holder to use.
  9. Try not to create multiple accounts unless absolutely necessary, and limit yourself to two accounts in total if multiple accounts are needed. For additional accounts, please contact us for permission first.

3. Disclosure Policy

  1. Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
  2. We will do our best to reply to your initial report within 48 hours and to update you on our progress at reasonable intervals thereafter. We ask that you provide us at least 60 days to investigate and remediate the issue before any disclosure to the public or a third party. Notify us of your intended disclosure date.
  3. Once we decide that disclosure of a validated security vulnerability is appropriate, 7shifts will coordinate public disclosure with you. We generally prefer that our respective public disclosures be posted at the same time.

4. Scope

As part of our commitment to security and responsible disclosure, we encourage security researchers to participate in our bounty program. The following endpoints are considered in scope for security testing:

  1. Mobile Applications
    1. 7shifts Android App
    2. 7shifts iOS App
  2. API Endpoints
    1. https://oauth.7shifts.com
    2. https://login.7shifts.com/oauth2
    3. https://api.7shifts.com
    4. https://files.7shifts.com
    5. https://gql.7shifts.com
    6. https://app.7shifts.com/gql/v2
  3. Web Portal
    1. https://app.7shifts.com

We appreciate the efforts of security researchers and provide rewards for reports that disclose vulnerabilities affecting these endpoints. Please ensure compliance with our guidelines while conducting security tests.

5. Out of Scope & Exclusions

The following items are out-of-scope and are not covered under our bounty program:

  1. All other domains and subdomains not listed in scope above
  2. Cross-site scripting (XSS) on “app.7shifts.com”
  3. Issues that require unlikely user interaction
  4. Public Zero-day vulnerabilities that have had an official patch for less than 1 month
  5. Vulnerabilities only affecting users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)
  6. Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  7. Previously known vulnerable libraries without a working Proof of Concept
  8. Testing using public sign-up accounts
  9. Attacks which require MITM or physical access to a user’s device
  10. Any 3rd party not within the domain spaces in scope, or findings from applications or systems not listed in the ‘In Scope’ section
  11. Arbitrary file upload without proof/evidence of the uploaded file
  12. Activity that could lead to the disruption of service (DoS / DDoS), including Rate Limiting
  13. Broken Link Hijacking
  14. Blind SSRF without negative impact
  15. Clickjacking and Tapjacking
  16. Common Vulnerabilities and Exposures “CVE”
  17. CORS misconfiguration on non-sensitive endpoints or without negative impact
  18. CSRF without negative impact, on forms that are available to anonymous users (e.g. the contact form), or on logout
  19. CSV Injection
  20. Disclosure of known public files or directories (e.g. robots.txt)
  21. Metadata not stripped from images/files
  22. Functional, UI, UX bugs and spelling mistakes
  23. Google Maps API Key Exposure
  24. HTTP request smuggling without negative impact
  25. Host Header injection without negative impact
  26. Identification of outdated software
  27. IP Logger Vulnerabilities
  28. Lack of Secure and HTTP Only cookie flags
  29. Lack of Security Speed Bump when leaving the site
  30. Login or Forgot Password page brute force and account lockout not enforced
  31. Mail configuration issues including SPF, DKIM, DMARC settings
  32. Missing HTTP security headers
  33. OPTIONS / TRACE HTTP method enabled
  34. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  35. Pre-Auth account takeover – “OAuth squatting”
  36. Rate limiting or brute force issues
  37. Self-XSS that cannot be used against other users
  38. Sending vulnerability reports using automated tools without validation
  39. Session fixation
  40. Social engineering (e.g. phishing, vishing, smishing) is prohibited
  41. Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
  42. SSL attacks such as BEAST, BREACH, or Renegotiation attack; SSL forward secrecy not enabled; SSL insecure cipher suites
  43. SSL certificate expired or misconfigured without negative impact
  44. Subdomain takeover
  45. Token expiration
  46. Tokens leaked to trusted third parties without negative impact
  47. Username/Email Enumeration
  48. Violation of Secure Design Principle
  49. Weak Captcha / Captcha Bypass
  50. WordPress XMLRPC issues

6. Bounty Payments

Security researchers who identify valid vulnerabilities may be eligible for a monetary bounty. To qualify for bounty payments, researchers must submit their findings through our official Bug Bounty program hosted by Inspectiv.

Submit a Bug Bounty Report via Inspectiv

Joining Inspectiv as a security researcher gives you access to faster payments, a responsive triage team, and participation in private programs.

7. Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep 7shifts and our users safe!

8. Reporting

We welcome and appreciate responsible disclosure of vulnerabilities through our Vulnerability Disclosure Program (VDP). However, please note that submissions made solely through the VDP are not eligible for bounty payments.

To qualify for a bounty, researchers must be signed up with Inspectiv and submit their findings through the Bug Bounty submission process.