
GrubHub
External Program
Submit bugs directly to this organization
grubHub is as committed to keeping our data safe as we are to getting you lined up with the best take out places in the world. To that end, we welcome the contribution of external security researchers and constantly try to keep up on the latest threats. The following program rules (the “Rules”) outline eligibility, the scope, how to report vulnerabilities, and other important terms. Please read them carefully. By participating in this vulnerability research program (the “Program”), you agree to be bound by these Rules.

Eligibility

Your participation in the Program is subject to all applicable federal, state and local laws and regulations. Note that this is not a contest or competition, and grubHub may cancel this Program at any time. We may also modify the Program Rules at any time, but we won’t apply any changes we make to these Program Rules retroactively.

Participation

To participate in the Program, you must (1) provide complete, accurate information about yourself; (2) adhere to the “Responsible Disclosure” terms set forth below; and (3) report all vulnerabilities (each a “Report”) through the described channel.

Report

If you are a security researcher and have found a security vulnerability in any of the in-scope platforms described below, please reach out to [email protected] with as much information as possible. This will help us triage the issue much faster.

Scope

At this time, our focus is on guaranteeing our next generation platforms are equipped with the highest standard of security. As such, the following sites and applications are in scope for this Program:

Non-Qualifying Vulnerabilities

All Reports are carefully reviewed and any Eligible Reporter that impacts a change will receive a Hall of Fame recognition. The following issues (illustrative and not limiting) are outside the scope of our Program

Responsible Disclosure

You are responsible for complying with any and all applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities. If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy.

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you: share the security issue with us in detail; give us a reasonable time to respond to the issue before making any information about it public; not access, modify or delete user data without permission of the account owner; not exploit financial vulnerabilities beyond what is required to prove their existence; and act in good faith not to degrade the performance of our services (including denial of service).

Public disclosure of the vulnerability prior to resolution and any publicly-made disparaging remarks with regard to grubHub will result in disqualification from the Program.