Takeaway welcomes security researchers and whitehat hackers to review our public-facing defenses with an objective, professional eye. Earn rewards, bragging rights, and security exp to level up!
We do not want to hide our mistakes, but please allow us to take appropriate measures before disclosing any vulnerabilities to the outside world.
Good report guidelines include clearly worded descriptions and steps, screenshots and/or video as necessary, provided in English if possible, and submitted via our submissions form shown below. Please make your submission as soon as possible after discovering the vulnerability, taking care to include details and necessary steps to repeat.
We review each submission carefully as we take security and privacy very seriously. Reviewing submissions, developing patches, and testing changes will usually take much longer than finding and submitting bugs, so please allow for a reasonable amount of time between submission and response.
Do not exploit or leverage any vulnerabilities discovered, for any reason. Demonstrating your discovery via exploitation or its impact is not required for any submissions. If you have inadvertently caused exposure, disruption, or any other damage then please contact us immediately via the form below.
Bad report guidelines include:
Due to the time investment of properly reviewing each submission, we cannot always guarantee a prompt response. Our goal is an acknowledgement within two weeks of submission, with regular updates once the vulnerability is verified. Together with you we will decide whether, when, and how to publicly disclose the vulnerability.
Submissions are scored on risk, likelihood of exploitation, and potential impact. Rewards are entirely at Takeaway’s discretion and subject to change without notice. Upon duplicate submissions from multiple researchers, Takeaway favors the first submitter and clearest report for the bug in question. Takeaway reserves the right to modify or terminate the Bug Bounty program at any time.
If you agree to these terms and conditions we will not take any legal action against you. However, please be aware that you are still subject to applicable laws and regulations, even if Takeaway takes no action in reporting you to the authorities.
We will treat your submission in confidence and will use your personal data only for taking action on your submission. We will not share personal data with other companies, unless we are legally required or a court order requires us to do so. We may have to engage other companies to further investigate your submission. We will make sure these companies will also keep your data confidential.
The program is only applicable to the latest, stable build of Takeaway mobile applications, Takeaway.com website, subdomains, and sister websites (i.e. *.lieferando.de, *.yourdelivery.de, *.takeaway.com, *.pizza.lu, *.pizza.fr, *.thuisbezorgd.nl, *.pyszne.pl, *.lieferando.ch, *.food-express.com, *.mylorry.de).
Denial of service, phishing, and social engineering attacks are not included and should not be included in your tests, under any circumstances.
We discourage use of vulnerability testing tools which can generate significant server load, traffic, or risk of disruption of any kind.
For companies newly acquired by Takeaway, we do not approve rewards for any submissions within the first six months of acquisition while we improve and integrate the involved systems. However, you are welcome to submit alerts anyway.
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.
Note: Alternative monetary rewards are at our discretion and only for distinctly creative or severe bugs.
When you have finished reading and accept the above policies and guidelines, please submit your bug report using the contact form on this page.