Y Combinator considers the security of our systems and applications to be of the utmost importance.

Security Practices

Y Combinator uses a variety of tools and techniques to help protect our data and software. We employ on-prem and cloud services, both of which receive routine review for safety.

Reporting Security Vulnerabilities

Y Combinator welcomes input from the security research community. Through responsible disclosure we are hoping to advance the cause of improving the security of our applications and user data. To that end, we encourage security researchers to notify us of any potential vulnerabilities uncovered. Reports received through this channel should receive a prompt reply and if you do not receive a timely response we ask that you please attempt to contact us again. To protect our users we also request that you please refrain from sharing information about any potential vulnerabilities with anyone outside of YC. Once we have confirmed the vulnerability and mitigation we hope that you will join us in an announcement.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • We are currently only providing disclosure credit on our website, no cash bounties are available.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of Y Combinator staff or contractors
• Any physical attempts against Y Combinator property or data centers

Thank you for helping keep Y Combinator and our users safe!