How Just Eat Takeaway.com’s bug bounty program delivers continuous security visibility

  • Products: Bug Bounty Program
  • Industry: Food Order and Delivery
  • Founding Date: 2000
  • Website: justeattakeaway.com
  • # of Employees: 20K+
  • Headquarters: Amsterdam, Netherlands

The Situation

Just Eat Takeaway.com (JET) is one of Europe's leading online food ordering and delivery platforms. Founded in 2000, the company serves millions of customers across seven countries through multiple brands, including Takeaway.com, Lieferando, Menulog, and SkipTheDishes. As a result, JET has a complex technology ecosystem and sizeable attack surface—spanning APIs, payment systems, mobile applications, and web platforms.

Securing this attack surface is a top priority for the company. "A critical part of our mission is to provide secure platforms for our customers, partners, and colleagues alike," says Ivan Iushkevich, Lead Application Security Engineer at JET. "That starts with ensuring we have full visibility of our attack surface across our technology estate."

The Challenge

JET had been operating for 18 years before launching a bug bounty program. The company already had many internal processes, tools, and strategies in place as part of its security approach. However, as they grew, they recognized that their testing methods couldn't provide complete visibility across their diverse, expanding technology surface. To properly safeguard their ecosystem, they needed to make sure they had additional eyes on their systems.

Additionally, they needed a solution that could scale up and down with their growth, while providing continuous reassurance to external stakeholders. That’s why they turned to crowdsourced security, specifically bug bounty programs. According to Ivan, "We decided to launch the bug bounty to maximize threat visibility and further enhance our defense in depth strategy, which also provides security assurances to our stakeholders."

Key Takeaways

  • 300% Increase in program engagement
  • 50% Reduction in response time for submissions
  • 563 Vulnerabilities identified and rewarded
  • $300,000 Paid to hackers in bug bounty rewards

The Bugcrowd Solution

In 2019, JET decided to partner with Bugcrowd to launch its first managed public bug bounty program. “The flexible nature of the Bugcrowd Platform allows us to shape our strategy and continue to meet stakeholder expectations,” Ivan explains. This flexibility also allowed JET to scale its security initiatives by spinning up additional programs, like vulnerability disclosure programs, through the Bugcrowd Platform and managing them all in one place.

When creating the bug bounty engagement, the team focused on making the relationship work for both hackers and internal stakeholders. “We are really proud of the cross-team collaboration we’ve fostered along with new processes for efficiently managing the lifecycle of each report,” Ivan explains. “When it comes to hackers, we have made it simple and clear for them to understand our platform perimeter so they can focus their efforts on finding vulnerabilities.”

This setup enabled JET to fully tap into Bugcrowd’s diverse global community of hackers, helping the team properly safeguard their attack surface. Each hacker brings different skills and specialisms, from payment system expertise to business logic analysis. “Thanks to Bugcrowd’s wide reach, we can access a huge pool of hackers who are equipped to test the long list of technologies JET uses,” Ivan affirms.

After six successful years of running the program, the team saw an opportunity to get even more value from it. In 2025, the team further improved collaboration by building a workflow for reports, with clearly defined expectations and daily reviews. “We’ve halved the response time for submissions, which helps us achieve a frictionless experience with our community, leaving no hacker waiting around!” says Ivan.

Looking back on their partnership, JET sees a system that really works. “The gears are really turning seamlessly, from report submission all the way to final verification of remediation,” says Ivan.

The Outcomes

Over the program’s lifetime, JET’s bug bounty program has evolved into a core component of the company’s defense strategy. The program has led to the discovery of almost 600 vulnerabilities over seven years, with almost $300,000 in bounties paid to hackers. According to Ivan, “We receive a variety of submissions, many of which give us valuable insights into the ‘dark corners’ of our technology estate.”

The program has also strengthened JET’s security culture by highlighting issues the team might otherwise miss. For example, hackers repeatedly identified takeovers of orphaned hosts and domains across the company’s many applications. In response, the team incorporated bug hunter techniques and added new guardrails to address the root cause.

But more than anything, working with the Bugcrowd hacker community has upskilled the team. “Working with the community gives us additional security opinions, different perspectives, and a broader view of our controls,” Ivan adds. “It supports our defence-in-depth strategy and helps us keep up with fast-changing security threats.”

Success Snapshot

  • Discovered over 500 vulnerabilities across payments, APIs, and applications
  • Built a frictionless hacker experience, with a 50% reduction in response time
  • Scaled security visibility with a 300% increase in program engagement
  • Rewarded quality submissions with nearly $300,000 paid to researchers
  • Provided engineering teams with valuable insights into the ‘dark corners’ of their systems

Products involved

  • Bug Bounty Program
  • Vulnerability Disclosure Program

Customer Info

Just Eat Takeaway.com is a Dutch multinational online food ordering and delivery company operating in twenty countries across Europe, Australia, and North America. Formed from the 2020 merger of Just Eat and Takeaway.com, the company serves millions of customers through brands including Takeaway.com, Lieferando, SkipTheDishes, Menulog, and 10bis.

A bug bounty is a monetary reward for security researchers who find legitimate security flaws in software. Payments are allocated for each vulnerability found, depending upon various factors including risk, impact, and exploitability of the vulnerability.