There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too.

Scope

=====

We’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a bug-bounty map to help you hit the ground running.

Payouts

======

Our vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.

We'll Be Nice To You

================

The security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue.

We believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too.

Please Be Nice To Us

=================

We want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an @test.com account, where possible, to make your tests easily filterable.

Exclusions

========

Issues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.

We don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.

Reporting unrestricted Github wikis, as we don't consider them to be a security concern.

Out-of-scope Bugs

==============

• Hypothetical issues that do not have any practical impact.

• Vulnerabilities that require social engineering/phishing.

• Attacks that require physical access to the user’s device.

• User enumeration without any further impact.

• Clickjacking that doesn't result in account compromise.

• Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).

• Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).

• Unvalidated vulnerabilities reported by automated tools/scanners.

• Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.

• Host header injection without a specific proof of concept.

• Reflected File Download, consult this article.

• Self XSS or XSS that affects only out-of-date browsers.

• Denial of Service Attacks.

• IDN homograph attacks against one of our domains

• Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.