After two years of running a private bug-bounty program with HackerOne, Yelp has announced a public bug-bounty program. The program continues to run through HackerOne, but it is now open to anyone willing to research and report through the platform, rather than being limited to a closed, invited group of researchers as the private program was. Participants may report bugs in Yelp's desktop site, mobile apps, and public API.
"There's no such thing as a perfect technology...but here at Yelp we are committed to getting as close as we can," Yelp commented on its HackerOne page. "It's a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology."
The minimum reward for a valid bug is $100 and the maximum is $15,000, with the larger rewards reserved for the most impactful findings. While the program covers most of Yelp's infrastructure, several properties are excluded: certain acquired sites, including eat24hours.com, yes-pos.com, the Eat24 mobile apps and other Eat24 entities, are out of scope, and newly acquired sites and companies are subject to a 12-month blackout period before they become eligible. Yelp also states that it is not interested in findings produced by automated scanners; the company already runs scanners of its own and wants vulnerabilities discovered by researchers interacting directly with its many properties.
To pique the interest of potential researchers, Yelp has listed a number of the sites, apps, and APIs covered by the program in a blog post announcing it. For each entry the post describes the purpose of the site or app, the programming language it is built in, and the kinds of vulnerabilities researchers should look for. Yelp has already paid out over $65,000 in bounties, with an average bounty of $500.
Yelp joins a growing number of companies launching bug-bounty programs. Twitter recently awarded $10,000 to a researcher who managed to download Vine's entire source code, and Apple and Kaspersky Lab both announced new bounty programs at the Black Hat conference. HackerOne CTO Alex Rice remarked that "Bug bounty programs are a sign that everything under it is mature and in shape."