Rising quickly in the food app space, Just Eat Takeaway.com (JET) is an online food order and delivery platform operating across 16 countries. Seven years ago, they launched a Managed Bug Bounty Program with Bugcrowd. JET comprises a vast number of brands and technology platforms, which come with a broad attack surface to defend. They launched their program with Bugcrowd to maximize threat visibility and further enhance their defense-in-depth strategy, providing security assurance to their stakeholders. 

We spoke with Ivan Iushkevich, Lead Application Security Engineer at JET to learn more about the program. 

Q&A with Just Eat Takeaway.com

Tell us about your public bug bounty program and your experience working with hackers.

At JET, a critical part of our mission is to provide secure platforms for our customers, partners, and colleagues alike. That starts with ensuring we have full visibility into our attack surface across our technology estate. Our public bug bounty program enables us to identify critical risks across JET’s broad range of services, such as APIs, payment systems, and applications. 

We have many internal processes, tools, and strategies that work in parallel with our bug bounty program, which together act as one of the important guardrails of our overall strategy. Our bug bounty program helps us identify and fix issues early, and it gives researchers a way to report security weaknesses. 

We think very highly of the hackers we’ve worked with. Each researcher brings to the table a unique set of skills and ways of working. As such, we get a variety of talents who are submitting highly detailed reports based on their specialism. Thanks to Bugcrowd’s wide reach, we benefit from a huge pool of researchers who are diversely equipped to test the long list of technologies JET uses. 

What are the results of your bug bounty program with Bugcrowd?

The outputs of our bug bounty program have consistently contributed to the continuous improvement of JET products’ security posture. We receive a variety of submissions, and while not all of them offer the same security value, we are nevertheless guaranteed valuable insights into the ‘dark corners’ of our technology estate. We’ve gotten a variety of high-quality submissions that range from simple, low-hanging fruit to complex technical analyses. Even when we are not discovering critical vulnerabilities, we benefit from the increased perimeter visibility that our researchers enable. 

We also learn a lot from the community of security researchers, such as new approaches and viewpoints on how different parts of our system might be used by attackers. 

Two major wins for JET’s program this year are a 300% increase in program engagement and a 50% cut in the response time for submissions. The increase in program engagement demonstrates that JET is getting more hackers who are interested in our program. This translates into an even broader number of skills to leverage and submissions that will only increase in quality. The decrease in response time means that JET has achieved a frictionless experience with the hacker community. 

The JET team is the most proud of how in our bug bounty program, the gears are really turning seamlessly, from the very beginning of report submission all the way to the final verification of remediation. We are really proud of the cross-team collaboration we’ve been able to introduce alongside new processes for efficiently managing the life cycle of each report. We have made it easy for researchers to understand our platform perimeter so that they can focus their efforts on finding vulnerabilities.

Why did you choose to work with Bugcrowd over other solutions?

At JET, we’ve benefited from many of the features Bugcrowd has to offer, such as VDPs, as well as private and public programs. The flexible nature of the platform allows us to shape our strategy and continue to meet stakeholder expectations. We relish the opportunity to foster meaningful partnerships with our service providers, and our long relationship with Bugcrowd has enabled that. As the good old saying goes, ‘If it ain’t broke, don’t fix it!’. 

Why should hackers work on the JET program?

We put a lot of effort into making our program very community-friendly and ensuring that we treat everyone fairly. We are proud to say that we are a team that processes hacker findings quickly and efficiently to ensure that hackers aren’t waiting around for an outcome. We also try to drive promotions and better engagement with the community, like running giveaways to additionally reward hackers. 

Where to learn more

JET’s success is another incredible example of the power of bug bounty programs. If you’re a hacker interested in participating in their program, check out their engagement page. It’s a great place to view the targets, scope, and general guidelines to get started. For security professionals interested in learning more about a bug bounty program, request a demo