Crowd-sourced review service Yelp says it will award researchers up to 15,000 USD for reporting exploits as part of its newly public bug bounty program. The company successfully ran a private bug bounty program for the past two years, during which it worked with invited researchers and bug bounty hunters to fix as many as 100 vulnerabilities. But to adequately defend against all the digital threats confronting businesses today, Yelp feels it is imperative that it open the program to as many people as possible. As the company explains on its bug bounty home page, which is hosted by HackerOne:
"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology."
Researchers can expect to make at least 100 USD and as much as 15,000 USD for reporting a vulnerability discovered in Yelp's infrastructure. To assist bug bounty hunters in their efforts, Yelp software engineer Martin Georgiev identified what types of exploits the company is most interested in finding. For instance, regarding Yelp's consumer website:
"We are interested in any vulnerabilities that allow the attacker to map user profiles to their respective email addresses. Other critical vulnerabilities in our consumer site would involve the ability of a malicious user to modify other users’ reviews, order food for free or gain access to another user’s payment details: e.g., reveal PANs. Look also for web vulnerabilities that result in sensitive data disclosure, data injection/exfiltration, insecure session management, etc."
The company is looking for similar exploits in its business owners' site, whereas for its engineering blog, it is intent on finding vulnerabilities that primarily allow an attacker to add, delete, or modify content. For a complete breakdown of Yelp's public bug bounty program, which launched on 6 September, please see Georgiev's statement here. News of this program comes approximately one month after Apple announced the creation of its own bug bounty program. For a list of other essential bug bounty frameworks in the infosec community, click here.