Takeaway giant welcomes security researchers to hunt for vulnerabilities

Deliveroo has opened its bug bounty program to the public.

The takeaway service is offering a top reward of $2,500 for security bugs that fit its criteria, after paying out more than $30,000 on previously reported flaws.

Earlier payments came from a closed bounty program, which paid for 46 disclosed vulnerabilities in total.

Deliveroo didn’t specify which bugs it was looking for, but noted that qualifying vulnerabilities include remote code execution (RCE), SQL injections, cross-site scripting (XSS), and authentication bypass.

As per usual, the vulnerabilities must fit Deliveroo’s rules and must be original.

The company also noted that reports will be reviewed on a case-by-case basis to determine whether they qualify for the program.

It comes after a 2013 incident saw customers’ accounts compromised, as some were billed hundreds of pounds for food they didn’t order.

Deliveroo insisted that no financial information had been stolen, and it later surfaced that scammers were using passwords leaked from data breaches at other companies.

But the company was still urged to improve its security following the BBC Watchdog investigation.

Earlier this week, The Black Report also detailed how the food and beverage industry has become an easy target for attackers.

Deliveroo has become another in a long line of popular services to launch a public bounty scheme.

Last month, streaming service Netflix also opened its doors to researchers.

It offered to pay up to $15,000 for vulnerability reports related to its API, main web domain, help center, and mobile applications for both iOS and Android.