Yelp Launches Bug Bounty

Yelp Launches Bug Bounty

After running a private bug-bounty program for the last two years, that bane of restauranteurs’ existence, Yelp, is launching a public version.

The crowdsourced review site’s vulnerability reward payouts will go up to $15,000 for the most impactful exploits affecting its properties: the main consumer site; its site for business owners; its reservations, support and blog pages; mobile apps; and the public API for developers.

Built on Python, Java, C++, Pyramid, uWSGI, Jekyll, Ruby, PaaSTA (Engineering Blog); PHP, WordPress, Django (on the Web), Objective-C and Salesforce’s Service Cloud Platform, the various properties offer a trove of challenge for white hats.

For the main site, Yelp is interested in any vulnerabilities that allow the attacker to map user profiles to their respective email addresses. Other critical vulnerabilities would involve the ability of a malicious user to modify other users’ reviews, order food for free or gain access to another user’s payment details: e.g., reveal PANs. Web vulnerabilities that result in sensitive data disclosure, data injection/exfiltration, insecure session management and so on are also on the radar. The list is similar for the business owner site.

“With millions of people using Yelp every day both on their desktops and mobile devices, our consumer site is one of our major assets. Users come to our consumer site to search for and message local businesses, order food, review local establishments, engage with other local users, etc.,” said Martin Georgiev, a Yelp software engineer, in a blog. “Our biz site allows business owners to manage their Yelp presence, track visitor engagement, respond to customer inquiries and messages, reply to reviews with a private message or a public comment, subscribe to advertising programs and track ad spending.”

Meanwhile, in the most recent quarter, content (reviews and photos) on Yelp was predominantly generated on the mobile apps; searches on Yelp, by and large, came from mobile devices. In this category, the company is interested in mobile-specific vulnerabilities, like the insecure storage of data, insecure WebView configs, insecure network connections, sensitive data disclosure via logs/errors, privilege separation, etc. Vulnerabilities that allow tracking large numbers of users in real time are also considered high-severity issues.

“The security team at Yelp is committed to keeping our users, our data, and our platform and services safe and sound,” said Georgiev. “If you find a security issue in any of our systems, let us know immediately. We are ready to work with you and make every effort to address the identified vulnerability in a timely manner.”

The program is being administrated via HackerOne, which coordinates programs for everyone from Tor to the Pentagon.

Photo © IB Photography/

Source: Information Security Magazine