Bug bounty policy
Last revised on June 30, 2022
Yield App has engaged security experts across the globe to stay up-to-date with the latest security techniques and technological developments. If you've discovered a security issue that you believe we should know about, we'd love to hear from you. Our bug bounty program provides a monetary reward for these efforts.
The Yield App Bug Bounty Policy applies to security vulnerabilities found within the public-facing online environment of Yield App and its mobile applications. This includes, but is not limited to, the Yield App website, exposed APIs, mobile applications, and devices. For the protection of our customers, we do not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.
2. How to make a Report?
Yield App has put in place a Bug Bounty Program that you can participate in provided you submit a Report in accordance with the Terms of this Policy and the Terms and Conditions listed on our website (the “Program”).
If you believe you have found a vulnerability or issue and would like to participate in our Program, we ask that you submit a detailed description of the issue to us, including the steps that we can take to reproduce the issue and/or a proof-of-concept ("Report").
When submitting a Report make sure you have included at least the following:
- A description of the vulnerability including the exploitability and impact if not a common attack type;
- Steps required to exploit the vulnerability including: URL(s)/application(s) affected;
- Prior conditions required (for example, logged in, not logged in, previous actions ) and how to demonstrate the problem;
- IPs used when the vulnerability was discovered;
- If post authentication, the user ID used when the vulnerability was discovered;
- A Proof of Concept;
- Names of any files uploaded to our systems.
Reports must be submitted via [email protected]. Please use the following text in the subject line of the email: BUG BOUNTY REPORT.
We will investigate legitimate reports and make every effort to correct any vulnerability as quickly as possible. A well written Report will allow us to filter through your submission as efficiently as possible.
To ensure correct and complete review of a Report you must make yourself available to answer any questions Yield App may have with regards to the Report submitted, issue presented or your methods.
3. Bounty eligibility
The Program is open to individuals who are 18 years of age or older (or the age of majority in their jurisdiction of residence, whichever is older), with the exemption of users who access our Platform from any country against which the there are local and international sanctions or other trade restrictions in place that Yield App is obligated to observe and adhere to that are not eligible to participate in the Program. The Program is void wherever prohibited or restricted, and is subject to all Applicable Legislation. You must comply with all applicable laws during your participation in the Program, including but not limited to those regarding the transmission of data exported from Estonia and the EU or the country from which you access our Platform. Yield App shall have the right at any time to change or discontinue any aspect or feature of the Program.
4. Ownership and Rewards
Any Report that you submit to us will become Yield App property. Yield App is under no obligation to act on a Report. However, if we do act on a Report, we may in our sole discretion extend monetary rewards ("Reward") to you as a gesture of our appreciation for raising the respective issue with Yield App and support Yield App in improving its customer and community experience. You will be responsible for any taxes and any expenses, costs, or fees associated with your participation in the Program and any Reward paid to you by Yield App as a result.
5. Program Rules
|Acceptable Behaviour||Unacceptable Behaviour|
Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about Yield App or any of its users as part of your research prior to making a Report as detailed in this Policy and these Terms must therefore be kept confidential and only used in connection with the Yield App.
You may be eligible to receive a Reward if:
All Rewards will be determined at the discretion of the Yield App. Each Report will be evaluated for severity, impact, and quality. Rewards amounts vary depending upon the severity of the vulnerability reported. There could be submissions that we determine have an acceptable level of risk therefore no adjustments will be made and no Rewards will be paid.
You understand that Yield App retains the right to determine if the Report submitted is eligible. All determinations as to the amount of a Reward made by Yield App are final.
All Rewards payments will be made in YLD to a wallet address indicated in writing by the person submitting the Report. You must ensure the wallet address communicated by you is correct. Yield App takes no responsibility for payments made to wrong wallet addresses that are not in your possession or control.
All Reports submissions are subject to the following Terms.
There are constraints on who may participate in the Smartling Bug Bounty Program (the "Program"). In addition, there may be additional restrictions depending upon applicable local laws.
The parties to this agreement are you and Yield App as defined in the Terms and Conditions and the Yield App Operators.
You understand all your actions, findings and Report must be lawful in accordance with Applicable Law.
Yield App employees, contractors, and their families are not eligible for rewards.
By submitting a Report, you undertake not to disclose and agree that you will not disclose the issue/bug or the details of your Report to anyone other than Yield App in accordance with this Policy and its Terms.
By submitting information about a potential vulnerability, you are agreeing to these Terms and conditions and grant Yield App a worldwide, royalty-free, non-exclusive license to use your Report for the purpose of addressing and correcting vulnerabilities identified. Only the first report of a given issue is eligible. In the event of a duplicate submission, the earliest received report is considered for Rewards.
Eligibility for rewards and determining who and the amount of Rewards payable is discretionary to Yield App.
The Program is focused predominantly on: the Yield App website executing on internet domains that provide significant business value, and are supported directly by Yield App and its suppliers; Yield App-branded mobile applications; devices; and the Platform. Vulnerabilities submitted outside this scope are generally less likely to receive recognition or rewards under this Policy. These will be treated with utmost seriousness and depending on the matter raised,will be considered for Rewards.
In instances where your contact details have changed, you are responsible for notifying Yield App. Such details include your email address. Failure to do so may lead to the forfeiture of Rewards.
Yield App reserves the right to discontinue the Program at any time without notice.
You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited and will be dealt with according to legal provisions in place.
If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
Your testing activities must not negatively impact Yield App or the online environment availability or performance of the Platform.
9. Warranties and Disclaimers
YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT: (1) YOUR PARTICIPATION IN THE PROGRAM AND USE OF ANY REWARD IS AT YOUR SOLE RISK. YIELD APP EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. YIELD APP SPECIFICALLY DISCLAIMS ANY LIABILITY WITH REGARD TO ANY ACTIONS RESULTING FROM YOUR PARTICIPATION IN THE PROGRAM OR USE OF ANY REWARD.