Yellow Card bug bounty program

We invite highly skilled security researchers to participate in our Bug Bounty Program as long as you are eligible and follow the guidelines below.

Eligibility requirements

To be eligible, you:

  • Must agree and adhere to the Program Rules and Legal terms as stated in this policy.
  • Must be the first to report the issue in order to be eligible for a bounty.
  • Must be available to supply additional information, as needed by our team, to reproduce and triage the issue.

You are not eligible if you are:

  • A resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan, and Syria).
  • In violation of any national, state, or local law or regulation.
  • Employed by Yellow Card Financial.
  • An immediate family member of a person employed by Yellow Card.

Program rules

  • Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
  • Do not attempt to view, modify, or damage data belonging to others.
  • Do not disclose the reported vulnerability to others without explicit permission from us.
  • Do not attempt to gain access to another customer’s account or data.
  • Do not attempt non-technical attacks including any form of social engineering.

If you use methods that do not comply with your local law and/or the program rules above, law enforcement authorities will be notified.

Eligible targets

Testing is only authorised on the following targets:

Any other domains and subdomains are strictly out of scope.

What we are interested in

  • Major exposures around customer data leaks
  • Issues that result in or lead to full compromise of a system
  • Bypasses of business logic that result in or lead to significant financial or reputational impact
  • Bypassing of authentication and authorisation controls
  • Major operational failure (excluding Denial of Service related submissions)

Exclusions

The following vulnerabilities are not eligible for bounty:

  • Issues already known by us or previously reported to us by others
  • Issues that we have determined to be of acceptable risk
  • Reports resulting from automated scanning
  • Attacks dependent upon social engineering of employees or vendors or clients
  • Network-level Denial of Service attacks
  • Denial of wallet attacks
  • Application Denial of Service by locking user accounts
  • Brute-force attacks on our Signup, Login, or Forgot Password pages
  • Enforcement policies for brute force, rate limiting, or account lockout
  • Missing HTTP security headers
  • Cookie Issues
  • SSL related Issues
  • SSL/TLS attacks such as BEAST, BREACH, or renegotiation attacks
  • Clickjacking, without additional details demonstrating a specific exploit.
  • Mail configuration issues including SPF, DKIM, and DMARC settings.
  • Use of a known-vulnerable library
  • Vulnerabilities in 3rd party applications that do not directly affect our data or service
  • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Yellow Card Financial’s platform
  • Out-of-date browsers and plugins
  • Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Cookies that lack HTTP Only or Secure settings for non-sensitive data

Submissions containing issues related to the above list of exclusions will not be eligible for reward.

Reporting of vulnerabilities

Once your report is ready, please email it to [email protected]

Reproducibility

Make sure your report is clearly written and includes all the necessary information so we can quickly triage and reproduce the flaw.

Please include:

  • Your name and contact details
  • Discovery date and time
  • URL, where applicable
  • Vulnerability type and description
  • Step-by-step instructions to reproduce the issue, including any proof-of-concept or exploit code to reproduce
  • Screenshots and/or videos illustrating the vulnerability

Legitimate reports will be acknowledged with an email reply. We will make every effort to quickly evaluate each report to determine overall risk, and address the root cause where deemed necessary.

Rewards

Our rewards are flexible, with no set minimum or maximum amounts, and are ultimately based on the severity of the identified vulnerability, classified as follows:

Level      Severity
Level 0    Information
Level 1    Low
Level 2    Medium
Level 3    High
Level 4    Critical

Keep in mind:

  • Only one bounty will be awarded per vulnerability (including for chained vulnerabilities)
  • Where there are multiple reports for the same vulnerability, only the person offering the first clear report that allows us to reproduce the vulnerability will receive a reward.
  • Where the program guidelines have been ignored, Yellow Card reserves the right to refuse participants' bounty requests without having to provide additional information.

Confidentiality

Any information you receive or collect through the Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program.

You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and any information you obtain when researching any of the Yellow Card business apps, whether in or out of program scope, without Yellow Card's prior written consent.

Violation of Terms

By participating in Yellow Card Financial’s bug bounty program, you are agreeing to this policy.

Yellow Card Financial reserves the right to take legal action against any person who violates these rules. That person will also be banned from all future participation in the Yellow Card bug bounty program.