Takeaway.com welcomes security researchers and whitehat hackers to review our public-facing defenses with an objective, professional eye. Earn rewards, bragging rights, and security exp to level up!
We do not want to hide our mistakes, but please allow us to take appropriate measures before disclosing any vulnerabilities to the outside world.
Do not exploit or leverage any vulnerabilities discovered, for any reason. Demonstrating your discovery via exploitation or its impact is not required for any submission. If you have inadvertently caused exposure, disruption, or any other damage, please contact us immediately via the form below.
Bad bounty hunting includes:
Due to the time investment of properly reviewing each submission, we cannot always guarantee a prompt response. Our goal is an acknowledgement within two weeks of submission, with regular updates once the vulnerability is verified. Together with you we will decide whether, when, and how to publicly disclose the vulnerability.
Submissions are scored on risk, likelihood of exploitation, and potential impact on our systems. Rewards are entirely at Takeaway.com’s discretion and subject to change without notice. Upon duplicate submissions from multiple researchers, Takeaway favors the first submitter and clearest report for the bug in question. Takeaway.com reserves the right to modify or terminate the Bug Bounty program at any time.
If you agree to these terms and conditions we will not take any legal action against you. However, please be aware that you are still subject to applicable laws and regulations, even if Takeaway.com takes no action in reporting you to the authorities.
We will treat your submission with confidence and will use your personal data only for taking action on your submission. We will not share personal data with other companies, unless we are legally required or a court order requires us to do so. We may have to engage other companies to further investigate your submission. We will make sure these companies will also keep your data confidential.
The program is only applicable to the latest, stable build of Takeaway.com mobile applications, Takeaway.com website, subdomains, and sister websites, specifically (but not limited to) the following domains:
Denial of service, phishing, credential brute-forcing, social engineering attacks and physical access testing are NOT INCLUDED AND SHOULD NOT BE PERFORMED under any circumstances.
We also discourage use of vulnerability testing tools which can generate significant server load, traffic, or risk of disruption of any kind.
For companies newly acquired by Takeaway.com, we do not approve rewards for any submissions within the first six months of acquisition while we improve and integrate the involved systems. However, you are welcome to submit alerts anyway.
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law.
We encourage researchers to focus their efforts in the following areas:
Vulnerability reports that do not contain careful, reproducible manual validation are considered Not Applicable. This includes reports based only on results from automated tools (including automated online tools) and scanners.
The following vulnerability classes (types) are explicitly excluded from the Takeaway.com Bug Bounty Program:
We are pleased to thank every researcher who submits valid reports that help us improve the security of our platform. However, only those that meet the following eligibility requirements may receive a reward:
We offer the following rewards for valid submissions:
Note: Severity of vulnerabilities is rated by us considering the context of our platform and our business. Monetary rewards are at our discretion. All monetary rewards are paid via PayPal.
Good report guidelines include clearly worded descriptions and necessary steps to reproduce (provided in English if possible). If it is necessary to also provide screenshots or video files to demonstrate the vulnerability, please mention this in the vulnerability description and you will be asked to send them later via email. Please make your submission as soon as possible after discovering the vulnerability, taking care to provide the full details.
We review each submission carefully as we take security and privacy very seriously. Reviewing submissions, developing patches, and testing changes will usually take much longer than finding and submitting bugs, so please allow for a reasonable amount of time between submission and response.
Note: The bug bounty program and its rewards are applicable only to security vulnerabilities. If you want to report a functionality bug, please use one of the following e-mail addresses according to your location: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
When you have finished reading and accept the above policies and guidelines, please submit your vulnerability report using this form.