Banner object (1)

Hack and Take the Cash !

846 bounties in database
  Back Link to program      
Yelp logo
Hall of Fame



There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too.


We’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a bug-bounty map __to help you hit the ground running.


Our vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.

We'll Be Nice To You

The security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue.

We believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too.

Please Be Nice To Us

We want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an "" account, where possible, to make your tests easily filterable.


Issues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.

We don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.

Nowait and Yelp WiFi (Turnstyle) are currently out of scope for the program. Bugs reported sooner are certainly appreciated but won't qualify for rewards. We will update this policy document once those properties are eligible for bounty.

Note : Eat24 is no longer owned by Yelp and not in the scope for this program.

Out-of-scope Bugs

  • Hypothetical issues that do not have any practical impact.
  • Vulnerabilities that require social engineering/phishing.
  • Attacks that require physical access to the user’s device.
  • User enumeration without any further impact.
  • Clickjacking that doesn't result in account compromise.
  • Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).
  • Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).
  • Unvalidated vulnerabilities reported by automated tools/scanners.
  • Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.
  • Host header injection without a specific proof of concept.
  • Reflected File Download, consult this article __.
  • Self XSS or XSS that affects only out-of-date browsers.
  • Denial of Service Attacks.
  • IDN homograph attacks against one of our domains

This program crawled on the 2016-09-06 is sorted as bounty.

FireBounty © 2015-2019

Legal notices