Yelp is looking to squash more of the bugs affecting its platform and applications, and it has just announced the launch of a public bug bounty program with payouts of up to $15,000.
The popular restaurant review site has had a private bug bounty program up and running for the past two years, and is now offering more security researchers the opportunity to cash in on some of the vulnerabilities potentially impacting its websites and applications. Interested parties would be rewarded anywhere between $100 and $15,000, depending on the severity of the discovered bug.
The public bug-bounty program was launched together with HackerOne and covers only systems that are under Yelp’s control. Those systems that are managed externally are not within the scope of the bug bounty program, the company says.
Included, however, are many of the company’s websites and applications, starting with the consumer site, which is accessible at www.yelp.com, and m.yelp.com. There are “millions of people using Yelp every day both on their desktops and mobile devices,” Yelp says, underlining that researchers should be seeking flaws that allow attackers to map user profiles to their respective email addresses.
“Other critical vulnerabilities in our consumer site would involve the ability of a malicious user to modify other users’ reviews, order food for free or gain access to another user’s payment details: e.g., reveal PANs. Look also for web vulnerabilities that result in sensitive data disclosure, data injection/exfiltration, insecure session management, etc,” the company explains.
The business owner’s site biz.yelp.com, which allows businesses to manage their Yelp presence and more, is also included in the bug bounty program. Vulnerabilities of interest include those resulting in authentication or authorization bypass, sensitive data exfiltration, data injection, or request forgery.
“We are especially interested in vulnerabilities that allow an attacker to impersonate a business owner, escalate account privileges within a business page (e.g., upgrade an employee account to an admin account), modify ad spending, obtain non-public or bulk data sets that ought to be restricted to the business owners, or obtain non-public or bulk information about Yelp users’ interactions with a particular business,” the company says.
Next on the list are the Yelp and Yelp for Business Owners mobile applications for Android and iOS devices. Yelp expects these apps to be affected mainly by mobile-specific bugs such as insecure storage of data, insecure WebView configurations, insecure network connections, sensitive data disclosure via logs or error messages, and privilege separation issues, but it is also interested in flaws that allow tracking large numbers of users in real time.
Yelp is also accepting vulnerability reports for Yelp Reservations (www.yelpreservations.com and the Restaurant Manager iOS app), including web vulnerabilities such as XSS, CSRF and SQLi, as well as any vulnerability in the mobile app. The Engineering Blog and The Yelp Blog (engineeringblog.yelp.com, yelpblog.com) are included in the program as well, with in-scope issues being vulnerabilities that enable attackers to add, delete or modify content, flaws in the authentication component of the system, and bugs that could result in disclosure of sensitive information via path traversal.
Researchers are also invited to find vulnerabilities in the Public API (api.yelp.com), including authentication bypasses, rate limiting issues, the ability to obtain a large number of full-length reviews, and data injection attacks “that may alter the internal state of our data stores or leak sensitive information to malicious users,” the company says. Vulnerabilities that allow unauthorized modification of content on Yelp Support (www.yelp-support.com) are also accepted.