Vulnerability Disclosure Policy

The safety and security of our customers’ data and the reliability of our products and services are of the utmost importance to YesWeHack.

YesWeHack highly appreciates the efforts made by the reporting party and acknowledges the value of contributions from the security researcher community in identifying vulnerabilities or errors.

This policy describes YesWeHack’s approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services.

Scope

This VDP accepts reports on any YesWeHack’s products and public-facing services.

How to report Vulnerabilities

The preferred method for contacting YesWeHack regarding such vulnerabilities and errors is by using the form on this page.

Supplying your contact information with your report is entirely voluntary and at your discretion. YesWeHack will make use of all reports that are submitted; both those submitted anonymously and those with contact information.

If you do submit your contact information, YesWeHack will only use such information to get in touch with you to clarify the details of your report. Please visit YesWeHack’s privacy policy to see how we respect the privacy of your personal data: <https://www.yeswehack.com/data-protection-policy/>

By making a report to YesWeHack using the form on this page, or otherwise communicating a report to YesWeHack, regarding vulnerabilities and errors, you agree to the following terms:

YesWeHack may use your report for any purpose deemed relevant, including without limitation, for the purpose of correcting any vulnerabilities and errors that are reported and that YesWeHack deems to exist and to require correction. To the extent that you propose any changes and/or improvements to a YesWeHack product or service in your report, you assign to YesWeHack all use and ownership rights to such proposals.

Your Commitment

You confirm to YesWeHack that:

• You have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to YesWeHack), the discovered vulnerabilities and/or errors;
• You have not engaged, and will not engage, in testing/research of systems with the intention of harming YesWeHack, its customers, employees, partners or suppliers;
• You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered;
• You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;
• You have not tested, and will not test, the physical security of any property and building of YesWeHack;
• You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with YesWeHack product or service that lead to your report;
• You agree not to disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, nor the fact that a vulnerabilities and/or errors has been reported to YesWeHack;
• You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by YesWeHack.