Connect with us

Hi, what are you looking for?



Yelp’s New Bug Bounty Program Promises $15,000 Payouts

Yelp is looking to squash more of the bugs affecting its platform and applications, and it has just announced the launch of a public bug bounty program with payouts of up to $15,000.

Yelp is looking to squash more of the bugs affecting its platform and applications, and it has just announced the launch of a public bug bounty program with payouts of up to $15,000.

The popular restaurant review site has had a private bug bounty program up and running for the past two years, and is now offering more security researchers the opportunity to cash in on some of the vulnerabilities potentially impacting its websites and applications. Interested parties would be rewarded anywhere between $100 and $15,000, depending on the severity of the discovered bug.

The public bug-bounty program was launched together with HackerOne and covers only systems that are under Yelp’s control. Those systems that are managed externally are not within the scope of the bug bounty program, the company says.

Included, however, are many of the company’s websites and applications, starting with the consumer site, which is accessible at, and There are “millions of people using Yelp every day both on their desktops and mobile devices,” Yelp says, underlining that researchers should be seeking flaws that allow attackers to map user profiles to their respective email addresses.

“Other critical vulnerabilities in our consumer site would involve the ability of a malicious user to modify other users’ reviews, order food for free or gain access to another user’s payment details: e.g., reveal PANs. Look also for web vulnerabilities that result in sensitive data disclosure, data injection/exfiltration, insecure session management, etc,” the company explains.

The business owner’s site, which allows businesses to manage their Yelp presence and more, is also included in the bug bounty program. Vulnerabilities of interest include those resulting in authentication or authorization bypass, sensitive data exfiltration, data injection, or request forgery.

“We are especially interested in vulnerabilities that allow an attacker to impersonate a business owner, escalate account privileges within a business page (e.g., upgrade an employee account to an admin account), modify ad spending, obtain non-public or bulk data sets that ought to be restricted to the business owners, or obtain non-public or bulk information about Yelp users’ interactions with a particular business,” the company says.

Next on the list are the Yelp and Yelp for Business Owners mobile applications for Android and iOS devices. These programs might be plagued by mobile-specific bugs such as insecure storage of data, insecure WebView configs, insecure network connections, sensitive data disclosure via logs/errors, and privilege separation, but Yelp is also interested in flaws that allow tracking large number of users in real time.

Advertisement. Scroll to continue reading.

Yelp is also accepting vulnerabilities in Yelp Reservations (, Restaurant Manager iOS app), including web vulnerabilities such as XSS, CSRF, SQLi, etc., and any vulnerability in the mobile app. The Engineering Blog and The Yelp Blog (, were included in the program as well, with vulnerabilities that enable attackers to add, delete or modify content, flaws in the authentication component of the system, and bugs that could result in disclosure of sensitive information via path traversal.

Researchers are also invited to find vulnerabilities in Public API (, including authentication bypasses, rate limiting issues, the ability to obtain a large number of full-length reviews, and data injection attacks “that may alter the internal state of our data stores or leak sensitive information to malicious users,” the company says. Vulnerabilities that allow an unauthorized modification of content on Yelp Support ( are also accepted.

Related: Kaspersky in Search of Hackers for New Bug Bounty Program

Related: Microsoft Expands Bug Bounty Program

Related: MIT Launches Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.