9575 policies in database
Link to program      
Yahoo! logo


50 $ 


Welcome to Yahoo

Oath, a subsidiary of Verizon, is a values-led company committed to building brands people love. We reach one billion people around the world with a dynamic house of media and technology brands, including Yahoo! A global leader in digital and mobile, Oath is shaping the future of media.

Our information security team is known as the Paranoids, and we’re committed to protecting our brands and our users. As part of this commitment, we invite security researchers to help protect Oath and its users by proactively identifying security vulnerabilities via our bug bounty program. Our program is inclusive of all Oath brands and offers competitive rewards for a wide array of vulnerabilities. We encourage security researchers looking to participate in our bug bounty program to review our policy to ensure compliance with our guidelines and also to help you safely verify any vulnerabilities you may uncover.

Table of Contents

  • Rules and Guidelines
  • Responsible Disclosure of Vulnerabilities
    1. Testing
    2. Crafting a Report
    3. Program Scope
  • Rewards
    1. Payout Table
    2. Valued Vulnerabilities
    3. Borderline Out-of-Scope, No Bounty
    4. Do Not Report
  • Legal

Rules and Guidelines

Please respect the following program rules:

  1. Test vulnerabilities only against accounts that you own or accounts that you have permission from the account holder to test against.
  2. Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.
  3. If sensitive information--such as personal information, credentials, etc.--is accessed as part of a vulnerability, it must not be saved, stored, transferred, or otherwise accessed after initial discovery. All sensitive information must be returned to Oath and any copies of such information must not be retained.
  4. Do not perform social engineering, phishing, physical security and denial of service attacks against users, employees, or Oath as a whole.
  5. Abide by the program scope.
  6. This program does not allow for public disclosure of the vulnerability without the express written permission of Oath.

Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.

Responsible Disclosure of Vulnerabilities

We are continuously working to evolve our bug bounty program. Each brand that is part of Oath is represented in at least one of the programs listed here. Please review the program scope before submitting a report to one of our participating programs. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being triaged.

Private* | Public
Oath | Yahoo
Tumblr |
VDMS Uplynk |

Private programs are accessible to invited researchers only.


Web traffic to and from Oath properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do one or both of the following when participating in one of the Oath bug bounty programs:

  • Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
  • Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:
    • A header that includes your username: X-Bug-Bounty:HackerOne-<username>
    • A header that includes a unique or identifiable flag X-Bug-Bounty:ID-<sha256-flag>

When testing for a bug, please also keep in mind:

  • Use test accounts so as not to inadvertently compromise the privacy of our users
  • When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:
    • Read : cat /proc/1/maps
    • Write : touch /root/<your H1 username>
    • Execute : id, hostname, pwd (though, technically cat and touch also prove execution)
  • Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.
  • Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.

Crafting a Report

If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

  • Description of the vulnerability
  • Steps to reproduce the reported vulnerability
  • Proof of exploitability (e.g. screenshot, video)
  • Perceived impact to another user or the organization
  • Proposed CVSSv3 __Vector& Score ( without environmental and temporal modifiers)
  • List of URLs and affected parameters
  • Other vulnerable URLs, additional payloads, Proof-of-Concept code
  • Browser, OS and/or app version used during testing

Note: Failure to adhere to these minimum requirements may result in loss of reward.

Program Scope

Vulnerabilities on a specific brand or web property should be reported to the program to which it belongs. Please see our detailed scope list at the bottom of this page for a full list of assets that are out of scope. This list is subject to change without notice.
If you’ve found a vulnerability that affects an asset belonging to Oath, but is not included as in scope on any of the Oath programs, please report it to this program.


You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by the Oath security team. Rewards may range from HackerOne Reputation Points and swag to monetary rewards up to $15,000 USD. Awards are granted entirely at the discretion of Oath.

At Oath's discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, Oath may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be reduced or declined if there is evidence of program policy violations.

In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.

Payout Table

Where monetary bounty is presented, eligible reports will be awarded based on CVSS-rated severities after identifying final impact to the business, property and consumer as determined by Oath. Separate reports for the same or similar payload/issue against multiple endpoints will be marked as duplicates and paid only once; please consolidate your reports.

Severity | CVSS Range | Payout Range
Critical | 9.0 - 10.0 | $10,000 - $15,000
High | 7.0 - 8.9 | $3,000 - $10,000
Medium | 4.0 - 6.9 | $500 - $3,000
Low | 0.1 - 3.9 | $0 - $500
None | 0.0 | $0

Valued Vulnerabilities

This table should serve as a general guide for how we classify vulnerabilities, ranked by severity from highest to lowest (within their severity class).

Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by scope/scale of exploitation and impact.

Severity | Short Name | Full Name
Critical | RCE | Remote Code Execution
Critical | SQLi | SQL Injection
Critical | --- | Privilege Escalation to System Account
Critical | XXE | XML External Entity
Critical | XMLi | XML Injection
High | VPE | Vertical Privilege Escalation
High | IDOR | Indirect Object Reference
High | SSRF | Server-Side Request Forgery
High | --- | Authentication or Authorization Bypass
High | LFI | Local File Inclusion
High | ATO | Account Takeover
High | --- | S3 Bucket Upload
Medium | SSRF | Server-Side Request Forgery
Medium | XSS | Stored Cross-Site Scripting
Medium | UE | PII User Enumeration
Medium | CSRF | State Changing Cross-Site Request Forgery
Medium | --- | Privileged Account Credentials Identified
Medium | HPE | Horizontal Privilege Escalation
Medium | CRLFi | CRLF Injection
Medium | SDTO | Subdomain Takeover
Medium | --- | Sensitive Data Exposure
Low | gXSS | GET-based Reflected Cross-Site Scripting
Low | pXSS | POST-based Reflected Cross-Site scripting
Low | dXSS | DOM-based Cross-Site Scripting
Low | nCSRF | Non-State Changing Cross-Site Request Forgery
Low | --- | Dangling DNS Record
Low | --- | Cleartext Submission of Passwords
Low | fXSS | Flash-based Cross-Site Scripting
Low | --- | MySQL Information page with credentials
Low | --- | Open Redirect
Low | --- | Server Information Page (with credentials)
Low | --- | Server Information Page (without credentials)
Low | --- | Confidential Data Disclosure
None | --- | Non-Sensitive Data Disclosure

Borderline Out-of-Scope, No Bounty

These issues are eligible for submission, but not eligible for bounty or any award. Once triaged, they will be closed as Informative only if found to be valid and Spam if not valid. When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

Any non-Oath Applications | "Self" XSS
Missing Security Best Practices | HTTP Host Header XSS
Confidential Information Leakage | Clickjacking/UI Redressing
Use of known-vulnerable library (without proof of exploitability) | Open Redirects
Missing cookie flags | Reflected file download
SSL/TLS Best Practices | Incomplete/Missing SPF/DKIM
Physical attacks | Social Engineering attacks
Results of automated scanners | Login/Logout/Unauthenticated CSRF
Autocomplete attribute on web forms | Using unreported vulnerabilities
"Self" exploitation | Issues related to networking protocols
XSS in flash files not developed by Oath (e.g. Camtasia, JW Player, Flowplayer swf files) | Software Version Disclosure
Verbose error pages (without proof of exploitability) | Denial of Service attacks
Oath software that is End of Life or no longer supported | Account/email Enumeration
Missing Security HTTP Headers (without proof of exploitability) |
Internal pivoting, scanning, exploiting, or exfiltrating data |

Note: 0-day vulnerabilities may be reported 30 days after initial publication. We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.

Do Not Report

The following issues are considered out of scope:

  • Those that resolve to third-party services
  • Issues that do not affect the latest version of modern browsers
  • Issues that we are already aware of or have been previously reported
  • Issues that require unlikely user interaction
  • Disclosure of information that does not present a significant risk
  • Cross-site Request Forgery with minimal security impact
  • CSV injection
  • Incomplete or missing SPF/DKIM
  • General best practice concerns


In connection with your participation in this program you agree to comply with all applicable local and national laws.

Oath reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by US Department of the Treasury’s OFAC).

Oath has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of Oath users and publicize this information on the open, public- facing internet without user consent, nor has Oath ever given permission for programs or data belonging to Oath to be modified or corrupted in order to extract and publicly disclose data belonging to Oath.

Oath employees and contingent workers, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Oath programs, whether hosted by Oath or any third party.

This program have been found on Hackerone on 2014-02-03.

FireBounty © 2015-2020

Legal notices