Vulnerability hunter Vinoth Kumar found the key in a public GitHub repository and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform. Starbucks paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. The company took longer to respond because they needed to “to make sure we understand the severity of the issue
Source: security