The Yelp Corporation has joined other tech giants like Apple and Google in offering security experts and developers a public bug bounty program.
Yelp Joins the Other Big Companies in the Bug Bounty Race
Yelp is no stranger to bug bounty programs: for two years now the company has worked with the HackerOne security platform to find vulnerabilities in its services. This enabled the company to work with a selected number of researchers on fixing the security issues.
Now Yelp has launched its public bounty program, which allows everyone to participate in the hunt. A number of areas where vulnerabilities may appear are available for reporting – the desktop version of the service, the public API, and the mobile applications.
The offered bounties will be between 100 and 15 000 US dollars depending on the severity of the issues. The most popular areas for bug reporting are the consumer site and the mobile apps. Yelp has stated that it is interested in any vulnerabilities that allow malicious users to map user accounts to their respective email addresses. Other critical issues would involve the ability of criminals to modify posted user content or to access payment credentials.
Because Yelp's mobile applications are popular among users of the service, the security staff urge researchers to check for insecure configurations, insecure network connections, and various other information disclosures.
The business owner sites are also in the scope of the bounty program, as business owners use Yelp to manage their accounts and check the analytics information provided by the service. Security problems that may occur there include bypassing authentication measures and accessing data without the needed permissions.
The Yelp public API is used by developers to build applications that consume data from the service. Problems that may occur here include authentication bypasses and data injection attacks, among other types of attacks.
The migration from a private to a public bounty program means that significant changes are taking place in the submission process. Yelp is implementing the different stages that a public bounty program offers – the triage phase, bug reports and reviews, and proof-of-concept demonstrations.
The site has an Alexa rank of 165 and about 150 million unique visitors per month.