Takeaway.com welcomes security researchers and white hat hackers to review our public-facing defenses with an objective, professional eye. Earn rewards, bragging rights, and security exp to level up!
We do not want to hide our mistakes, but please allow us to take appropriate measures before disclosing any vulnerabilities to the outside world.
By participating in our Bug Bounty Program, you accept our terms and conditions. Please note that you may still be subject to applicable laws and regulations. We can modify or terminate this Bug Bounty Program at any time.
Please don’t disclose (to anybody), exploit or leverage any vulnerabilities you have discovered for any reason. Demonstrating your discovery via exploitation or showing its impact is not required for any submission. If you have inadvertently caused exposure, disruption, or any other damage then please contact us immediately via the form below.
Denial of service, phishing, credentials bruteforcing, social engineering attacks and physical access testing are not included in this bug bounty program and should not be performed under any circumstances. We also discourage the use of vulnerability testing tools which can generate significant server load, traffic, or risk of disruption of any kind.
After submitting your report (and possible communication with us afterwards), please securely delete all your (temporary and permanent) research and report data, except if we specifically ask you otherwise, for example to provide more information on your report. We may require you to send evidence that you have securely deleted all (copies) of the data.
To provide you with a little more guidance on finding bugs, please find some examples of good bounty hunting below:
Examples of bad bounty hunting include, but are not limited to:
Please submit your submission using the form on this page. Make sure to include clearly worded descriptions and necessary steps to reproduce (in English). If it is necessary to also provide screenshots or video files to demonstrate the vulnerability, please mention this in the vulnerability description, as we may ask you to provide this later via email. It is important to submit your findings as soon as possible after discovery of the vulnerability, while taking care to provide all details.
We review each submission carefully as we take security and privacy very seriously. Reviewing submissions, developing patches, and testing changes will usually take much longer than finding and submitting bugs, so please allow us to use a reasonable amount of time between submission and response.
Our goal is an acknowledgement within two weeks of submission, with regular updates once the vulnerability is verified. Together with you we will decide whether, when, and how to publicly disclose the vulnerability.
Submissions are scored based on on risk, likeliness of exploitation and potential impact on our systems. Rewards are entirely at our discretion and subject to change without prior notice. In case we receive duplicate submissions from multiple researchers, we favor the first submitter and clearest report for the vulnerability in question.
We treat your submission as highly confidential and will only use your personal data to follow up on your submission. We will not share your personal data with others, unless we are legally required or a court order requires us to do so. We may have to engage other companies to further investigate your submission, in which case we will ensure that these companies also keep your data confidential.
This Bug Bounty Program and its rewards are only applicable to security vulnerabilities. If you want to report a functionality bug please use firstname.lastname@example.org or your local Takeaway.com location.
The Bug Bounty Program is only applicable to the latest, stable build of our mobile applications, websites, subdomains, and sister websites, specifically (but not limited to) the following domains:
For newly acquired companies, we do not approve rewards for any submissions within the first six months of acquisition, while we are improving and integrating the involved systems. However, you are welcome to submit reports anyway.
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries that are on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending on local rules and regulations.
We encourage researchers to focus their efforts in the following areas:
Vulnerability reports which do not contain careful reproducible manual validation are considered as Not Applicable. This includes reports based only on results from automated tools (including automated online tools) and scanners.
The following vulnerability classes (types) are explicitly excluded from our Bug Bounty Program:
We are pleased to thank every researcher who submits valid reports helping us to improve the security of our services. However, only those that meet the following eligibility requirements may receive a reward:
We offer the following rewards for valid submissions:
Note: Severity of vulnerabilities is assessed by Takeaway.com considering the context of our platform and our business. Monetary rewards are at our discretion. All monetary rewards are paid via PayPal.
When you have finished reading and accepted these terms, please submit your bug report using the contact form on this page.