  • $100 – $2,500 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

176 vulnerabilities rewarded

Validation within 1 day
75% of submissions are accepted or rejected within 1 day

$407.72 average payout (last 3 months)

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Takeaway.com welcomes security researchers to review our public-facing defenses with an objective, professional eye. Earn rewards, bragging rights, and security experience to level up!

We do not want to hide our mistakes, but please allow us to take appropriate measures before disclosing any vulnerabilities to the outside world.


For the initial prioritization/rating of findings, this program uses the Bugcrowd Vulnerability Rating Taxonomy (VRT). Note, however, that in some cases we will modify a vulnerability's priority based on its likelihood or impact; the main criteria here are the specific risks to Takeaway.com's platform and business. In some cases we also consider the amount of effort required to identify a vulnerability: we typically do not appreciate submissions based solely on the output of automated scans, unless they reveal something genuinely interesting. Where an issue is downgraded, we will provide the researcher with a full, detailed explanation, along with the opportunity to appeal and make a case for a higher priority.

Rewards for this program are currently split into two groups by scope, to help researchers focus on the parts that matter most to our business flow. You can find the respective ranges for each group below.

Program Rules

Do not exploit or leverage any discovered vulnerabilities, for any reason. Demonstrating your discovery via exploitation, or demonstrating its impact, is not required for submissions unless we explicitly request it. If you have inadvertently caused exposure, disruption, or any other damage, please contact us immediately.

Please restrict automated tools to no more than 10 requests per second.
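One way to keep an automated tool under that ceiling, as an added example that is not part of the program brief or of any Bugcrowd tooling: a token-bucket limiter that a scanner calls before every request, plus an offline check that no rolling one-second window ever exceeds the limit. The clock and sleep function are injectable so the simulation below runs with a constructed fake clock and sends no traffic; the `burst` values and request counts are illustrative choices, not program-provided numbers.

```python
"""Added example (not from the Takeaway.com program page): a token-bucket
rate limiter for staying at or below a requests-per-second ceiling
(10 req/s for this program), and an offline check of the resulting
send times against that ceiling. FakeClock is a constructed test double."""
import time
from typing import Callable, List


class TokenBucket:
    """Token bucket: `rate` tokens refill per second, at most `burst` are stored."""

    def __init__(self, rate: float, burst: int = 1,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)
        self._clock = clock
        self._sleep = sleep
        self._last = clock()

    def acquire(self) -> float:
        """Consume one token, sleeping first if none is available.

        Returns the number of seconds slept (0.0 if a token was ready)."""
        now = self._clock()
        self.tokens = min(self.capacity, self.tokens + (now - self._last) * self.rate)
        self._last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        deficit = (1.0 - self.tokens) / self.rate  # seconds until one token exists
        self._sleep(deficit)
        # The sleep earned exactly the missing fraction of a token. Any
        # oversleep is deliberately not credited: erring slow is the safe side.
        self._last = self._clock()
        self.tokens = 0.0
        return deficit


class FakeClock:
    """Constructed deterministic clock: sleep() just advances simulated time."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def simulate_send_times(n_requests: int, rate: float, burst: int = 1) -> List[float]:
    """Timestamps at which a limited tool would issue n requests (no network)."""
    clk = FakeClock()
    bucket = TokenBucket(rate, burst, clock=clk.time, sleep=clk.sleep)
    stamps: List[float] = []
    for _ in range(n_requests):
        bucket.acquire()            # a real tool would issue its HTTP request here
        stamps.append(clk.time())
    return stamps


def max_requests_per_window(stamps: List[float], window: float = 1.0) -> int:
    """Largest number of timestamps falling inside any window (t - window, t]."""
    best, j = 0, 0
    for i, t in enumerate(stamps):
        # 1e-9 tolerance absorbs float drift from repeatedly adding 0.1 s
        while t - stamps[j] >= window - 1e-9:
            j += 1
        best = max(best, i - j + 1)
    return best


if __name__ == "__main__":
    steady = simulate_send_times(50, rate=10, burst=1)
    bursty = simulate_send_times(50, rate=10, burst=5)
    print("burst=1 peak requests in any 1 s window:", max_requests_per_window(steady))
    print("burst=5 peak requests in any 1 s window:", max_requests_per_window(bursty))
```

With `burst=1` the peak in any one-second window is exactly 10, so the rule holds; with `burst=5` the stored tokens let 14 requests land in the first second even though the long-run average is still 10 per second. For a rate ceiling expressed per second, keep the burst at 1 (or enforce the limit per target host if you scan several in parallel), and wrap every outgoing request, including retries, in `acquire()`.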

The following activities are NOT ALLOWED:

  • Publicly disclosing vulnerabilities
  • Copying, changing or deleting data or systems
  • Causing damage, abuse, spamming
  • Placing malware or backdoors
  • Executing DoS or resource exhaustion attacks
  • Causing interruption or impediment of Takeaway.com’s services and operation
  • Using social engineering techniques
  • Brute-forcing credentials of Takeaway.com's customers or partners
  • Exposing sensitive or customer data

Reward range

Technical severity    Reward range
P1 Critical           $2,000 - $2,500
P2 Severe             $1,200 - $1,500
P3 Moderate           $200
P4 Low                $100
P5 submissions do not receive any rewards for this program.


In scope

Target name (Type): Tags
*.lieferando.de (Website Testing): PHP, Moment.js, jQuery
*.yourdelivery.de (Website Testing)
*.takeaway.com (Website Testing): PHP, Bootstrap, Cloudflare CDN
*.thuisbezorgd.nl (Website Testing): PHP
*.lieferando.at (Website Testing)
*.scoober.com (Website Testing): PHP, WordPress, Cloudflare CDN
*.citymeal.com (Website Testing): PHP, WordPress, Cloudflare CDN
restaurant-api.takeaway.com (API Testing): HTTP
https://itunes.apple.com/us/app/lieferando-de/id419724490?l=es&mt=8 (iOS, Mobile Application Testing): Objective-C, Swift, SwiftUI
https://play.google.com/store/apps/details?id=com.yopeso.lieferando&hl=en_US (Android, Mobile Application Testing): Java, Kotlin
https://takeawaypay.azurefd.net/en/takeawaypay/ (Website Testing)
https://takeawaypayapi-ase.tenbis-ase.p.azurewebsites.net/api (API Testing)
https://takeawaypay-internal-api-ase.tenbis-ase.p.azurewebsites.net/ (API Testing)

Out of scope

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Takeaway not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

All main domains share the same codebase; identical vulnerabilities on different main domains, or on their subdomains, will therefore be treated as duplicates.

Reward Ranges by Target Groups

Technical severity    Group 1            Group 2
P1 Critical           $2,000 - $2,500    $500 - $1,000
P2 Severe             $1,200 - $1,500    $250 - $400
P3 Moderate           $200               $50 - $150
P4 Low                $100               Points
Group 1 Targets
https://itunes.apple.com/us/app/lieferando-de/id419724490?l=es&mt=8 iOS
https://takeawaypay.azurefd.net/en/takeawaypay/ Website Testing
https://takeawaypayapi-ase.tenbis-ase.p.azurewebsites.net/api API Testing
Group 2 Targets

There are 3 test restaurants dedicated to security assessments, which can be used to test ordering:

Please place test orders exclusively through these clearly labelled test restaurants. Note that the principal domains share the same codebase, so identical vulnerabilities on different main domains, or on their subdomains, will be treated as duplicates.

Blackbox Targets

The targets below are part of a business-to-business (B2B) portal that lets companies manage the monthly and daily allowances they pay for employees who order food on our platform. Testing them is in scope, but credentials will not be provided for these targets; treat them as black-box targets.

  • https://takeawaypay.azurefd.net/en/takeawaypay/
  • https://takeawaypayapi-ase.tenbis-ase.p.azurewebsites.net/api
  • https://takeawaypay-internal-api-ase.tenbis-ase.p.azurewebsites.net


Please provision your own accounts using your @bugcrowdninja.com e-mail address.

Focus Areas

We encourage researchers to focus their efforts in the following areas:

  • Business Logic Flaws
  • Exfiltration of Sensitive or Personal Data
  • Remote Code Execution
  • SQL and Command Injection
  • Authentication Bypass
  • Cross-Site Request Forgery (CSRF) in sensitive functions

Out of Scope

  • Support pages on any of the targets.
  • *.vietnammm.com
  • http://logistikjobs.lieferando.de

The following vulnerability classes (types) are explicitly excluded from the Takeaway.com Bug Bounty Program:

  • Session valid after logout and password change/reset
  • Cookie expiration
  • Software version disclosure
  • Same site scripting
  • Social engineering and phishing
  • Multiple recurrences of the same vulnerability on different domains
  • Cross-site request forgery (CSRF) in non-sensitive functions
  • Missing/misconfigured SPF/DMARC DNS-records
  • Denial of service or resource exhaustion attacks (but such vulnerabilities in proprietary applications should be reported)
  • Weak or misconfigured SSL/TLS parameters
  • Content spoofing
  • Issues related to rate limiting in the authentication subsystem
  • Issues related to cross-domain policies for software such as WordPress, Silverlight, etc. without evidence of an exploitable vulnerability
  • Vulnerabilities that are limited to unsupported browsers will not be accepted (e.g. "this exploit only works in IE6/IE7")
  • Username / email enumeration, password guessing and exposed API interfaces (like xmlrpc.php) in standard software (e.g. WordPress)
  • Vulnerabilities that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, etc.)

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.