yelp
https://hackerone.com/yelp
There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too.
Scope
We’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a bug-bounty map (https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.
Payouts
Our vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $100.
We'll Be Nice To You
The security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue.
We believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too.
Please Be Nice To Us
We want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing.
Exclusions
Issues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.
We don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.
Newly acquired sites and companies are subject to a twelve-month blackout period. Bugs reported sooner are certainly appreciated but won't qualify for rewards.
Note: eat24hours.com, eat24.com, yes-pos.com, Eat24 mobile apps, and other Eat24 properties are not in the scope of this program.