Just Eat Takeaway.com

  • $100 – $4,000 per vulnerability
  • Up to $5,000 maximum reward
  • Safe harbor

The following items are now out of scope

Effective immediately, the following items are out of scope:

  • Google Maps API keys
  • Session valid after logout and password change/reset
  • Cookie expiration
  • Software version disclosure
  • Same site scripting
  • Social engineering and phishing
  • Multiple recurrences of the same vulnerability on different domains
  • Cross-site request forgery (CSRF) in non-sensitive functions
  • Missing/misconfigured SPF/DMARC DNS-records
  • Denial of service or resource exhaustion attacks (but such vulnerabilities in proprietary applications should be reported)
  • Weak or misconfigured SSL/TLS parameters
  • Content spoofing
  • Issues related to rate limiting in the authentication subsystem
  • Issues related to cross-domain policies for software such as WordPress, Silverlight, etc. without evidence of an exploitable vulnerability
  • Vulnerabilities that are limited to unsupported browsers will not be accepted (e.g. "this exploit only works in IE6/IE7")
  • Username / email enumeration, password guessing and exposed API interfaces (like xmlrpc.php) in standard software (e.g. WordPress)
  • Vulnerabilities that require a large amount of user cooperation, or unlikely or unreasonable user actions, which are more symptomatic of a social engineering or phishing attack than of an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, etc.)

Please re-review the bounty brief in detail and adjust your testing, and any scanners, accordingly to make sure you are only testing for and submitting in-scope bugs.

Any submissions pending from before this scope change will be reviewed and processed accordingly.

If you have any questions on the change in the scope, please reach out to support@bugcrowd.com.