Takeaway.com

  • $100 – $2,500 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

141 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$281.25 average payout (last 3 months)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Takeaway.com welcomes security researchers to review our public-facing defenses with an objective, professional eye. Earn rewards, bragging rights, and security experience to level up!

We do not want to hide our mistakes, but please allow us to take appropriate measures before disclosing any vulnerabilities to the outside world.


Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. The main criterion here is the actual risk in the context of Takeaway.com's platform and business. In some cases, we also consider the amount of effort required to identify a vulnerability (i.e., we typically don't appreciate submissions based solely on the results of automated scans, unless they reveal something really interesting). In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Program Rules

Do not exploit or leverage any vulnerabilities discovered, for any reason. Demonstrating your discovery via exploitation or its impact is not required for any submissions. If you have inadvertently caused exposure, disruption, or any other damage then please contact us immediately.

Please restrict usage of automated tools to no more than 10 requests/second.

The following activities are NOT ALLOWED:

  • Publicly disclosing vulnerabilities
  • Copying, changing or deleting data or systems
  • Causing damage, abuse, spamming
  • Placing malware or backdoors
  • Executing DoS or resource exhaustion attacks
  • Causing interruption or impediment of Takeaway.com’s services and operation
  • Using social engineering techniques
  • Brute-forcing credentials of Takeaway.com's customers or partners
  • Exposing sensitive or customer data

Reward range

Technical severity    Reward range
P1 Critical           $2,000 - $2,500
P2 Severe             $1,200 - $1,500
P3 Moderate           $200 - $200
P4 Low                $100 - $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                                                                      Type
*.lieferando.de                                                                  Website Testing
*.yourdelivery.de                                                                Website Testing
*.takeaway.com                                                                   Website Testing
*.thuisbezorgd.nl                                                                Website Testing
*.pyszne.pl                                                                      Website Testing
*.lieferando.at                                                                  Website Testing
*.scoober.com                                                                    Website Testing
*.citymeal.com                                                                   Website Testing
restaurant-api.takeaway.com                                                      API Testing
https://itunes.apple.com/us/app/lieferando-de/id419724490?l=es&mt=8              iOS
https://play.google.com/store/apps/details?id=com.yopeso.lieferando&hl=en_US     Android
https://takeawaypay.azurefd.net/en/takeawaypay/                                  Website Testing
https://takeawaypayapi-ase.tenbis-ase.p.azurewebsites.net/api                    API Testing
https://takeawaypay-internal-api-ase.tenbis-ase.p.azurewebsites.net/             API Testing

Out of scope

Target name                                  Type
http://logistikjobs.lieferando.de/           Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Takeaway.com not listed in the targets section is out of scope. This includes any and all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

All main domains have the same codebase behind them; identical vulnerabilities on different main domains and on their subdomains will therefore be treated as duplicates.


There are 3 test restaurants dedicated to security assessments, which can be used to test ordering:

Please place test orders exclusively using these properly labelled test restaurants. Kindly note that the principal domains have the same codebase behind them and thus, identical vulnerabilities on different main domains and on their subdomains will be treated as duplicates.

Blackbox Targets

The targets below are part of the business-to-business portal, which allows companies to manage the monthly and daily allowances they pay for their employees when those employees order food on our platform. Testing them is considered in scope, but credentials will not be provided for these targets specifically.

  • https://takeawaypay.azurefd.net/en/takeawaypay/
  • https://takeawaypayapi-ase.tenbis-ase.p.azurewebsites.net/api
  • https://takeawaypay-internal-api-ase.tenbis-ase.p.azurewebsites.net

Credentials

Please provision your own accounts using your @bugcrowdninja.com e-mail address.

Focus Areas

We encourage researchers to focus their efforts in the following areas:

  • Business Logic Flaws
  • Exfiltration of Sensitive or Personal Data
  • Remote Code Execution
  • SQL and Command Injection
  • Authentication Bypass
  • Cross-Site Request Forgery (CSRF) in sensitive functions

Out of Scope

  • Support pages on any of the targets.
  • *.vietnammm.com
  • http://logistikjobs.lieferando.de

The following vulnerability classes (types) are explicitly excluded from the Takeaway.com Bug Bounty Program:

  • Session valid after logout and password change/reset
  • Cookie expiration
  • Software version disclosure
  • Same site scripting
  • Social engineering and phishing
  • Multiple recurrences of the same vulnerability on different domains
  • Cross-site request forgery (CSRF) in non-sensitive functions
  • Missing/misconfigured SPF/DMARC DNS-records
  • Denial of service or resource exhaustion attacks (but such vulnerabilities in proprietary applications should be reported)
  • Weak or misconfigured SSL/TLS parameters
  • Content spoofing
  • Issues related to rate limiting in the authentication subsystem
  • Issues related to cross-domain policies for software such as WordPress, Silverlight, etc. without evidence of an exploitable vulnerability
  • Vulnerabilities that are limited to unsupported browsers will not be accepted (i.e. "this exploit only works in IE6/IE7")
  • Username / email enumeration, password guessing and exposed API interfaces (like xmlrpc.php) in standard software (i.e. WordPress)
  • Vulnerabilities that require a large amount of user cooperation to perform, or unlikely or unreasonable user actions that are more symptomatic of a social engineering or phishing attack than of an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, etc.)

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.