Just Eat Takeaway's Responsible Disclosure Program
At Just Eat Takeaway, we believe that effective disclosure of security vulnerabilities relies on mutual trust, respect, transparency, and a shared commitment to the common good between Just Eat Takeaway and security researchers.
We take security extremely seriously. To demonstrate this, we've established our Responsible Disclosure Program. It provides independent security researchers with an opportunity to engage with us and notify us of potential security threats that could impact the safety of our customers' data.
If you believe you've discovered a potential vulnerability affecting our services, please let us know. We encourage you to report any security vulnerabilities you notice during your interactions with our websites by using this page. Your report will be promptly acknowledged and verified.
Please note that monetary rewards are only applicable to our public bug bounty program, which is managed through Bugcrowd. If you've found a vulnerability and are looking for a financial reward for your efforts, please refer to the specific scope and rules of our Bug Bounty Program on Bugcrowd. If you've discovered a vulnerability and want to responsibly disclose it to us without seeking a monetary reward (or if it is out of scope of the Bug Bounty Program), our Vulnerability Disclosure Program is the appropriate channel, ensuring your findings are acknowledged and addressed.
Scope
This policy applies to any digital assets owned, operated, or maintained by Just Eat Takeaway, including, but not limited to, website domains, mobile applications and publicly accessible APIs.
Guidelines
To help us resolve issues as quickly as possible, please provide sufficient information to reproduce the problem. Kindly complete the form at the bottom of this page so we can process and review your submission efficiently. The Just Eat Takeaway Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution.
Any behaviour that compromises the stability and integrity of our production environment is out of scope. For example, do not:
- Target other users' data (instead, use your own sets of credentials).
- Delete, remove, or edit parts of the site.
- Engage in any form of Denial-of-Service (DoS) attack.
- Compromise any target's ability to function for other users.
Please note that the purchasing of goods on the platform will be at your own risk and cost.
Our Commitment to Researchers
- Trust. We maintain trust and confidentiality in our professional exchanges with security researchers.
- Respect. We treat all researchers with respect and recognize your contribution to keeping our customers safe and secure.
- Transparency. We will work with you to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy.
- Common Good. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.
What We Ask of Researchers
- Trust. We request that you communicate about potential vulnerabilities in a responsible manner, providing sufficient time and information for our team to validate and address potential issues.
- Respect. We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Transparency. We request that researchers provide the technical details and background necessary for our team to identify and validate reported issues, using the form below.
- Common Good. We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address reported issues.
Thank You
We sincerely appreciate your efforts in helping us maintain the security and integrity of our platforms. Your contributions are invaluable.