Yelp lures researchers with $15k rewards in bug bounty program

The reviews website has launched a public bug bounty program with decent rewards for valid bug submissions.
Written by Charlie Osborne, Contributing Writer

Yelp has launched a public bug bounty program, promising researchers thousands of dollars in rewards for submitting security vulnerabilities.


On Tuesday, Martin Georgiev, a security engineer at Yelp, revealed in a blog post that through a successful two-year private bug bounty program, the reviews website was able to fix over a hundred security vulnerabilities, and "dozens" of researchers have been rewarded for their efforts.

To keep up momentum and secure Yelp domains as much as possible, the company has now opened the doors of the bug bounty program and is inviting external security experts to join in.

"We've now opened the bug bounty up publicly to encourage researchers to test more areas of our site and apps," Georgiev said. "Many companies are doing private programs right now, but we're confident in our ability to engage with researchers and manage reports, so we wanted to open up a public program to encourage more participation."

The bug bounty program, hosted by HackerOne, will pay researchers up to $15,000 for each valid bug submitted, depending on the severity of the flaw and the potential impact exploiting the problem would have on the company's services. The minimum payout is $100.

Yelp has included consumer websites, business domains, mobile apps and blogs in the bug bounty scheme, including yelp.com, biz.yelp.com, the Yelp for Business Owners mobile app and yelp-support.com. In addition, Yelp's recently released Public API v3, hosted at api.yelp.com, is also included.


The company is interested in a range of vulnerabilities such as user data leaks, information disclosure flaws, review tampering, payment detail exposure and authentication bypass bugs.

Researchers interested in the mobile apps have been asked to focus on vulnerabilities including insecure data storage, weak WebView configuration, sensitive data disclosure and other high-severity problems such as user tracking exploits.

"We want you to bring out your big guns, but hold off on actually breaking anything," Yelp says. "Please avoid DDoS'ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use a '@test.com' account, where possible, to make your tests easily filterable."

Yelp is the latest company turning towards crowd-based bug bounty programs to keep vulnerabilities and the risk of cyberattacks as low as possible. In recent months, Microsoft has expanded its bug bounty scheme, Apple has -- finally -- launched a program to give third-party researchers the chance to show off their expertise, and Panasonic has also begun offering researchers cash incentives in return for valid security flaws.
