Eligibility requirements
To be eligible, you:
Must agree and adhere to the Program Rules and Legal terms as stated in this policy.
Must be the first to report the issue in order to be eligible for a bounty.
Must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
You are not eligible if you are:
A resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria).
In violation of any national, state, or local law or regulation.
Employed by Yellow Card Financial.
An immediate family member of a person employed by Yellow Card.
Program rules
Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
Do not attempt to view, modify, or damage data belonging to others.
Do not disclose the reported vulnerability to others without explicit permission from us.
Do not attempt to gain access to another customer’s account or data.
Do not attempt non-technical attacks including any form of social engineering.
Eligible targets
Treasury portal
Testing is limited to the unauthenticated surface only (e.g., login page, password reset flow, public-facing HTTP endpoints, and TLS/header configuration). Researchers must halt immediately and report if they obtain or stumble into any authenticated session or business account data.
What we are interested in
Major exposures around customer data leaks
Issues that result in or lead to full compromise of a system
Bypassing of business logic resulting in or leading to significant financial or reputational impact
Bypassing of authentication and authorisation controls
Major operational failure (excluding Denial of Service related submissions)
Exclusions
The following vulnerabilities are not eligible for bounty:
Issues already known by us or previously reported to us by others
Issues that we have determined to be of acceptable risk
Reports resulting from automated scanning
Attacks dependent upon social engineering of employees or vendors or clients
Network level Denial of Service attacks
Denial of wallet attacks
Application Denial of Service by locking user accounts
Brute force attacks on our Signup, Login or Forgot Password pages
Enforcement policies for brute force protection, rate limiting, or account lockout
Missing HTTP security headers
Cookie issues
SSL-related issues
SSL attacks such as BEAST, BREACH and the renegotiation attack
Clickjacking, without additional details demonstrating a specific exploit.
Mail configuration issues including SPF, DKIM, DMARC settings.
Use of a known-vulnerable library
Vulnerabilities in 3rd party applications that do not directly affect our data or service
Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Yellow Card Financial’s platform
Out-of-date browsers and plugins
Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
Disclosure of known public files or directories, (e.g. robots.txt)
Cookies that lack the HttpOnly or Secure flags for non-sensitive data
Submissions containing issues related to the above list of exclusions will not be eligible for reward.
Reporting of vulnerabilities
Once your report is ready, please email it to [email protected]
Reproducibility
Make sure your report is clearly written and includes all the necessary information so we can quickly triage and reproduce the flaw.
Please include:
Your name and contact details
Discovery date and time
URL, where applicable
Vulnerability type and description
Step-by-step instructions to reproduce the issue, including any proof-of-concept or exploit code to reproduce
Screenshots and/or videos illustrating the vulnerability
Legitimate reports will be acknowledged with an email reply. We will make every effort to quickly evaluate each report to determine overall risk, and address the root cause where deemed necessary.
Rewards
Our rewards are flexible, with no set minimum or maximum amounts, and are ultimately based on the severity of the identified vulnerability, classified as follows:
Level   | Severity
Level 0 | Information
Level 1 | Low
Level 2 | Medium
Level 3 | High
Level 4 | Critical
Keep in mind:
Only one bounty will be awarded per vulnerability (including for chained vulnerabilities)
Where there are multiple reports for the same vulnerability, only the person offering the first clear report that allows us to reproduce the vulnerability will receive a reward.
Where the program guidelines have been ignored, Yellow Card reserves the right to refuse participants' bounty requests without having to provide additional information.
Confidentiality
Any information you receive or collect through the Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program.
You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching any of the Yellow Card business apps, be it in or out of program scope, without Yellow Card's prior written consent.
Safe Harbour
Yellow Card Financial supports good-faith security research. If you conduct security research in accordance with this policy, we will not initiate legal action against you. This safe harbour does not apply to activities conducted outside the defined scope, or to researchers who violate any of the Program Rules.
Violation of Terms
By participating in Yellow Card Financial’s bug bounty program, you are agreeing to this policy.
Yellow Card Financial has the right to take legal action against any person who violates these rules. That person will also be banned from all future participation in the Yellow Card bug bounty program.