2020-11-04
Yoti

IMPORTANT Please note, the following URL https://www.yotisign.com/app/free-trial/ offers a free trial service (for the Yoti Sign application). Please DO NOT test the rate limiting or anti-automation capability of this endpoint at this time, as we are well aware of this issue (thanks to HackerOne users!) and are working to resolve it. Please DO NOT automate requests against this endpoint. Thank you!

IMPORTANT Please DO NOT test this domain: DEVELOPERS.YOTI.COM - it is a third-party hosted documentation site for developers, and not of concern to us. The third-party service does NOT want this site tested under ANY circumstances. Thank you!

Please note: SPF/DKIM/DMARC are considered optional email security features. Whilst we endeavour to implement them where possible, we do not consider them within the scope of our program. We appreciate the reports; however, we will not action or reward reports based on these findings, as they are already well known at this point in time. This includes the frankd domain.

Yoti looks forward to working with the security community to find security vulnerabilities in order to keep our business and customers safe. Yoti will make a best effort to respond to incoming reports within 3 business days and make a bounty determination after validating a legitimate security issue within 10 business days. We’ll try to keep you informed about our progress throughout the process.

The Yoti product is primarily a mobile app - both Android and iOS - with hosted backend services. Yoti is available completely free of charge to personal users, and can be used in many different situations: at nightclubs to prove your age, to share ID details with companies and when meeting new people.

Anyone can download the app and create their Yoti. You can then use your Yoti for your research.

We also offer an e-signing platform, Yoti Sign, which uses Yoti's ID platform to bring biometric authentication to the process of signing electronic documents.

Eligibility & Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.

Follow HackerOne's disclosure guidelines.

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Program Rules

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Provide us a reasonable amount of time - 90 days - to resolve the issue before any disclosure to the public or a third-party.

Scope

For now, the Yoti iOS and Android applications, the backend services, and the Yoti web site are in scope.

A list of assets is included in the Structured Scope Section below.

Rewards

Yoti, at its discretion, may provide rewards to vulnerability reporters. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report. Keep in mind that this is not a contest or competition. Our rewards are based on the severity of a vulnerability. Please note that reward decisions are up to the discretion of Yoti. These values are indicative and we reserve the right to determine amount or even whether a reward should be granted. We typically reward lower amounts for vulnerabilities that require significant user interaction, but might pay higher rewards for clever or severe vulnerabilities.

We are particularly concerned with the security of the mobile apps which are at the heart of the Yoti user experience, so will consider paying higher rewards for vulnerabilities in the iOS or Android apps.

Critical severity bugs

Examples of issues that Yoti may consider critical impact include:

  • Remote code execution on production systems housing sensitive data or functionality

  • Arbitrary access to any user’s profile or sensitive data

High severity bugs

Examples of issues that Yoti may consider high impact include:

  • Remote code execution on a non-critical system

  • Arbitrary access to a single user’s profile or sensitive data

  • Remote code execution in mobile client (Android, iOS)

Medium severity bugs

Examples of issues that Yoti may consider medium impact include:

  • Significant authentication or authorisation bypass

  • Cross Site Scripting on www.yoti.com working on all browsers

  • Cross Site Request Forgery on critical actions

  • Leakage of personally-identifiable information

  • Insecure data storage

Low severity bugs

Examples of issues that Yoti may consider low impact include:

  • Leakage of technical information that has a demonstrable impact

  • Debug functionality

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of Yoti users is likely to be in scope for the program. When in doubt, consider what an attack scenario would look like. How would the attacker benefit? What would be the consequence to the victim? The Google Bug Hunters University guide may be useful in considering whether something has impact.

Exclusions

  • The website www.yoti.com is currently out of scope. This may seem like a strange omission, but this is a marketing tool that forms no part of Yoti's identity platform and is built and hosted by a third-party supplier; Yoti doesn't control the code or the underlying platform, so we can't respond to bugs found with the site at the moment. We hope to be able to bring this back in-house soon.

  • The website yoti.flywheelstaging.com is also out of scope - this is not hosted by Yoti.

  • Yoti's password manager, YPM. This is no longer in scope for the programme as the product has been put on hold by the business, and bugs are not being fixed.

  • Clickjacking on pages with no sensitive actions.

  • Unauthenticated/logout/login CSRF.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Any activity that could lead to the disruption of our service (DoS, or other high-rate attacks)

  • Resource exhaustion type attacks.

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Spamming, email spoofing, or phishing attacks

  • Social engineering of Yoti staff or customers

  • Any physical attempts against Yoti property or data centers

  • Rooted mobile devices are not in scope

  • Self-XSS (tricking someone into running scripts in their own browser console)

  • Bugs that cause the application to not function, but that are not security-related. For instance, modifying the data sent to our servers and causing your account to get into an unusable state might be possible but is not in scope

  • Web bugs that only affect outdated versions of Chrome, Firefox, Safari, IE10 or Edge

  • CORS and CSRF for https://www.yoti.com/contact-us/contact

Email DMARC

Please note, missing DMARC records are not considered a vulnerability at this point in time; DMARC is simply one feature of email security. We have received multiple reports around this issue.

Known Issues

The following issues are known about and are not eligible for bounties:

  • Insufficient authentication for dashboard connect gateway on some endpoints

Yotisign Witness feature (March 2021)

  • IP address signing is currently performed on the front end (FE) and is therefore subject to spoofing.

  • Multiple { AddWitness } requests will result in a blank page, rather than an error page.

13/07/22 - A reflected error response has been identified internally in identity.yoti.com - we're currently working on a fix (https://identity.yoti.com/iam/error?error=please%20visit%20www.evilsite.com). This has not yet been reported on H1, but will not be eligible for reward (as it was identified internally).

Data security is everything for us. Our users' personal data is precious and must be protected at all times. We would not release products if we didn’t believe our platform was safe to use. However, everyone makes mistakes occasionally, so we would like to invite researchers to put Yoti to the test.

Thank you for helping keep Yoti and our users safe!

In Scope

Scope Type           Scope Name
android_application  com.yoti.mobile.android.live
ios_application      983980808
web_application      https://core.yoti.com
web_application      https://api.yoti.com
web_application      https://ccloud.yoti.com
web_application      https://code.yoti.com
web_application      https://www.yotisign.com
web_application      https://frankd.yoti.com

Out of Scope

Scope Type           Scope Name
web_application      www.yoti.com
web_application      developers.yoti.com


This program was crawled on 2020-11-04 and is categorised as a bounty program.

FireBounty © 2015-2024