There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too.
We’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a bug-bounty map __to help you hit the ground running.
Our vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.
The security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue.
We believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too.
We want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an "@test.com" account, where possible, to make your tests easily filterable.
Issues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.
We don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.
Nowait and Yelp WiFi (Turnstyle) are currently out of scope for the program. Bugs reported sooner are certainly appreciated but won't qualify for rewards. We will update this policy document once those properties are eligible for bounty.
Note : Eat24 is no longer owned by Yelp and not in the scope for this program.