Takeaway.com welcomes security researchers to review our public-facing defenses with an objective, professional eye. Earn rewards, bragging rights, and security experience to level up!
We do not want to hide our mistakes, but please allow us to take appropriate measures before disclosing any vulnerabilities to the outside world.
For the initial prioritization/rating of findings, this program uses the Bugcrowd Vulnerability Rating Taxonomy. Note, however, that in some cases a vulnerability's priority will be adjusted based on its likelihood or impact; the main criterion is the actual risk in the context of Takeaway.com's platform and business. In some cases we also consider the amount of effort required to identify a vulnerability (for example, we typically do not appreciate submissions based solely on the output of automated scans unless they reveal something genuinely interesting). Whenever an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Do not exploit or leverage any vulnerabilities discovered, for any reason. Demonstrating your discovery via exploitation or its impact is not required for any submissions. If you have inadvertently caused exposure, disruption, or any other damage then please contact us immediately.
Please restrict usage of automated tools to no more than 10 requests per second.
The following activities are NOT ALLOWED:
- Publicly disclosing vulnerabilities
- Copying, changing or deleting data or systems
- Causing damage, abuse, spamming
- Placing malware or backdoors
- Executing DoS or resource exhaustion attacks
- Causing interruption or impediment of Takeaway.com’s services and operation
- Using social engineering techniques
- Brute-forcing credentials of Takeaway.com's customers or partners
- Exposing sensitive or customer data
| Technical severity | Reward range |
|---|---|
| P1 Critical | $2,000 - $2,500 |
| P2 Severe | $1,200 - $1,500 |
| P3 Moderate | $200 |
| P4 Low | $100 |
Out of scope
Testing is only authorized on the targets listed as In-Scope. Any domain or property of Takeaway.com not listed in the targets section is out of scope, including any and all subdomains not listed there. If you believe you have identified a vulnerability on a system outside the scope, please reach out to firstname.lastname@example.org before submitting.
All main domains share the same codebase; identical vulnerabilities on different main domains, or on their subdomains, will therefore be treated as duplicates.
There are 3 test restaurants dedicated to security assessments, which can be used to test ordering:
- BugCrowd NL in the zip area 8888
- BugCrowd DE in the zip area 88888
- BugCrowd PL in the zip area 88-888
Please place test orders exclusively using these properly labelled test restaurants.
The targets below are part of the business-to-business (B2B) portal, which allows companies to manage the monthly and daily allowances they pay for their employees when they order food on our platform. Testing them is in scope, but credentials will not be provided for these targets specifically.
Please provision your own accounts using your @bugcrowdninja.com e-mail address.
We encourage researchers to focus their efforts in the following areas:
- Business Logic Flaws
- Exfiltration of Sensitive or Personal Data
- Remote Code Execution
- SQL and Command Injection
- Authentication Bypass
- Cross-Site Request Forgery (CSRF) in sensitive functions
Out of Scope
- Support pages on any of the targets.
The following vulnerability classes (types) are explicitly excluded from the Takeaway.com Bug Bounty Program:
- Session valid after logout and password change/reset
- Cookie expiration
- Software version disclosure
- Same site scripting
- Social engineering and phishing
- Multiple recurrences of the same vulnerability on different domains
- Cross-site request forgery (CSRF) in non-sensitive functions
- Missing or misconfigured SPF/DMARC DNS records
- Denial of service or resource exhaustion attacks (but such vulnerabilities in proprietary applications should be reported)
- Weak or misconfigured SSL/TLS parameters
- Content spoofing
- Issues related to rate limiting in the authentication subsystem
- Issues related to cross-domain policies for software such as WordPress, Silverlight, etc., without evidence of an exploitable vulnerability
- Vulnerabilities that are limited to unsupported browsers (e.g. "this exploit only works in IE6/IE7")
- Username/email enumeration, password guessing and exposed API interfaces (such as xmlrpc.php) in standard software (e.g. WordPress)
- Vulnerabilities that require a large amount of user cooperation, or unlikely or unreasonable user actions that are more symptomatic of a social engineering or phishing attack than of an application vulnerability (e.g. disabling browser security features, or sending the attacker critical information needed to complete the attack)
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via email@example.com before going any further.