After two years of running a private bug bounty program that Security Engineer Martin Georgiev said had resulted in fixing more than 100 vulnerabilities, Yelp has teamed with HackerOne and taken the program public.
“Our vulnerability reward payouts will go up to $15,000 USD for the most impactful exploits,” Georgiev wrote in a blog post, describing the public program as Yelp's “next step towards improving the security of [its] systems and services.” The minimum bounty is $100.
In additional information provided on websites for consumers and business owners, Yelp said on the consumer side it is “interested in any vulnerabilities that allow the attacker to map user profiles to their respective email addresses.”
In addition, other critical vulnerabilities “would involve the ability of a malicious user to modify other users' reviews, order food for free or gain access to another user's payment details: e.g., reveal PANs. Look also for web vulnerabilities that result in sensitive data disclosure, data injection/exfiltration, insecure session management, etc.”
Likewise, on the business side, the company is seeking “web vulnerabilities that result in authentication or authorization bypass, sensitive data exfiltration, data injection, or request forgery.”
Of special interest are “vulnerabilities that allow an attacker to impersonate a business owner, escalate account privileges within a business page (e.g., upgrade an employee account to an admin account), modify ad spending, obtain non-public or bulk data sets that ought to be restricted to the business owners, or obtain non-public or bulk information about Yelp users' interactions with a particular business.”
“We'd love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot,” the company said, cautioning researchers to proceed with care. “We want you to bring out your big guns, but hold off on actually breaking anything.”
Yelp is the latest company to offer a public bug bounty program with HackerOne, joining the likes of Panasonic Avionics, Pornhub and Kaspersky Lab.