Takeaway.com Bug Bounty Terms and Conditions

Takeaway.com welcomes security researchers and whitehat hackers to review our public-facing defenses with an objective, professional eye. Earn rewards, bragging rights, and security exp to level up!

We do not want to hide our mistakes, but please allow us to take appropriate measures before disclosing any vulnerabilities to the outside world.

What are the rules?

Do not exploit or leverage any vulnerabilities discovered, for any reason. Demonstrating your discovery via exploitation or it’s impact is not required for any submissions. If you have inadvertently caused exposure, disruption, or any other damage then please contact us immediately via the form below.

Bad bounty hunting includes:

Publicly disclosing vulnerabilities
Copying, changing or deleting data or systems
Causing damage, abuse, spamming
Placing malware or backdoors
Using social engineering techniques
Using brute-force techniques
Exposing of sensitive or customer data
Causing interruption or impediment of Takeaway.com’s services and operation
Including third parties in your submissions
Contacting any Takeaway.com employee directly
Violating Takeaway.com’s policies (such as, but not limited to, Takeaway.com’s Terms of Use and Privacy Policy)

Due to the time investment of properly reviewing each submission, we cannot always guarantee a prompt response. Our goal is an acknowledgement within two weeks of submission, with regular updates once the vulnerability is verified. Together with you we will decide whether, when, and how to publicly disclose the vulnerability.

Submissions are scored on risk, likeliness to be exploited, and potential impact on our systems. Rewards are entirely at Takeaway.com’s discretion and subject to change without notice. Upon duplicate submissions from multiple researchers, Takeaway favors the first submitter and clearest report for the bug in question. Takeaway.com reserves the right to modify or terminate the Bug Bounty program at any time.

If you agree to these terms and conditions we will not take any legal action against you. However, please be aware that you are still subject to applicable laws and regulations, even if Takeaway.com takes no action in reporting you to the authorities.

We will treat your submission with confidence and will use your personal data only for taking action on your submission. We will not share personal data with other companies, unless we are legally required or a court order requires us to do so. We may have to engage other companies to further investigate your submission. We will make sure these companies will also keep your data confidential.

Scope

The program is only applicable to the latest, stable build of Takeaway.com mobile applications, Takeaway.com website, subdomains, and sister websites, specifically (but not limited to) the following domains:

*.lieferando.de
*.yourdelivery.de
*.takeaway.com
*.pizza.lu
*.pizza.fr
*.thuisbezorgd.nl
*.pyszne.pl
*.lieferando.ch
*.food-express.com
*.mylorry.de
*.scoober.com
*.citymeal.com

Denial of service, phishing, social engineering attacks and physical access testing are NOT INCLUDED AND SHOULD NOT BE PERFORMED under any circumstances.

We also discourage use of vulnerability testing tools which can generate significant server load, traffic, or risk of disruption of any kind.

For newly acquired companies by Takeaway.com, we do not approve rewards for any submissions within the first six months of acquisition while we improve and integrate the involved systems. However, you are welcome to submit alerts anyway.

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.

Focus Areas

We encourage researchers to focus their efforts in the following areas:

Cross Site Scripting (XSS) excluding self-XSS
Cross-Site Request Forgery (CSRF) in sensitive functions
SQL and Command Injection
Authentication Bypass
Exfiltration of Sensitive or Personal Data
Remote Code Execution
Business Logic Flaws
Vulnerabilites in the APIs

Excluded Submission Types

Vulnerability reports which do not contain careful reproducible manual validation are considered as Not Applicable. This includes reports based only on results from automated tools (including automated online tools) and scanners.

The following vulnerability classes (types) are explicitly excluded from the Takeaway.com Bug Bounty Program:

Cookie valid after logout
Cookie valid after password change/reset
Cookie expiration
Cookie migration/sharing
Software version disclosure
Same Site Scripting
Social Engineering
Self-XSS
Multiple recurrences of the same vulnerability on different domains
Cross-Site Request Forgery (CSRF) in non-sensitive function (like logout)
Phishing
Missing/misconfigured SPF/DMARC DNS-records
Denial of Service attacks
Resource Exhaustion attacks
Weak or misconfigured SSL/TLS parameters
Content Spoofing
Issues related to rate limiting in the authentication subsystem
Issues related to cross-domain policies for software such as Wordpress, silverlight, etc. without evidence of an exploitable vulnerability
Vulnerabilities that are limited to unsupported browsers will not be accepted (i.e. "this exploit only works in IE6/IE7")
Username / Email Enumeration and Passwrod Guessing in standard software (i.e. Wordpress)
Vulnerabilitie that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, etc.)

Rewards

We are pleased to thank every researcher who submits valid reports that help us improve the security of our platform. However, only those that meet the following eligibility requirements may receive a reward:

The vulnerability must be in scope (see Scope and Excluded submission types)
You may not publicly disclose the vulnerability prior to our resolution
Your vulnerability report conutains all the necassary data to reproduce the issue
The vulnerability is not known to us (you are the first one to report it)
We are legally allowed to reward you

We offer the following rewards for valid submissions:

Low-risk bugs earn a Takeaway t-shirt or other company swag
Medium-risk bugs earn a food voucher worth €125
High-risk bugs earn a food voucher or monetary reward worth €500
Critical-risk bugs earn a monetary reward worth €1500+

Note: Severity of vulnerabilities is rated by us considering the context of our platform and our business. Monetary rewards are at our discretion. All monetary rewards are paid via PayPal.

How to report?

Good report guidelines include clearly worded descriptions and steps, screenshots and/or video as necessary, provided in English if possible, and submitted via our submissions form shown below. Please make your submission as soon as possible after discovering the vulnerability, taking care to include details and necessary steps to repeat.

We review each submission carefully as we take security and privacy very seriously. Reviewing submissions, developing patches, and testing changes will usually take much longer than finding and submitting bugs, please allow for a reasonable amount of time between submission and response.

Note: The bug bounty program and its rewards are applicable only to security vulnerabilities. If you want to report a functionality bug please use one the following e-mail addresses according to your location: , , ,

When you have finished reading and accept the above policies and guidelines, please submit your bug report using the contact form on this page.