Yield App

Bug Bounty Policy

Last revised on 7 November 2023

1. Introduction

In light of current market and industry technological developments, Yield has decided to implement a Bug Bounty Policy (the "Policy") to ensure all vulnerabilities across its platform are identified in a timely and efficient manner. This Policy applies to Yield App Limited and Yield App SRL, including but not limited to their legal persons, unincorporated organisations and teams that provide Yield Services (collectively, "Yield", "we", "our" and "us"), which collect, use, process, disclose, share, transfer and protect the information you provide on the Yield website ("Yield App") and on our mobile application (collectively, the "Yield Platform"). Defined terms used in this Policy bear the same meaning given to them in the Terms, unless otherwise indicated herein.

Yield has engaged security experts across the globe to stay up-to-date with the latest security techniques and technological developments. If you've discovered a security issue that you believe we should know about, we'd love to hear from you. Our bug bounty program provides a monetary reward for these efforts.

This Policy applies to security vulnerabilities found within the public-facing online environment of the Yield Platform. This includes, but is not limited to, the Yield website, exposed APIs, mobile applications, and devices. For the protection of our customers, we do not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.

2. How to make a Report?

Yield has put in place a Bug Bounty Program that you can participate in provided you submit a Report in accordance with the Terms of this Policy and the Terms and Conditions listed on our website (the “Program”).

If you believe you have found a vulnerability or issue and would like to participate in our Program, we ask that you submit a detailed description of the issue to us, including the steps that we can take to reproduce the issue and/or a proof-of-concept ("Report").

When submitting a Report make sure you have included at least the following:

  • A description of the vulnerability including the exploitability and impact if not a common attack type;

  • Steps required to exploit the vulnerability including: URL(s)/application(s) affected;

  • Prior conditions required (for example, logged in, not logged in, previous actions) and how to demonstrate the problem;

  • IPs used when the vulnerability was discovered;

  • If post authentication, the user ID used when the vulnerability was discovered;

  • A proof of concept;

  • Names of any files uploaded to our systems.

Reports must be submitted via [email protected]. Please use the following text in the subject line of the email: BUG BOUNTY REPORT.

We will investigate legitimate reports and make every effort to correct any vulnerability as quickly as possible. A well written Report will allow us to filter through your submission as efficiently as possible.

To ensure the correct and complete review of a Report you must make yourself available to answer any questions Yield may have with regards to the Report submitted, issue(s) presented or your methods.

3. Bounty eligibility

The Program is open to individuals who are 18 years of age or older (or the age of majority in their jurisdiction of residence, whichever is older). Users who access our Platform from any country against which local or international sanctions or other trade restrictions are in place that Yield is obligated to observe and adhere to are not eligible to participate in the Program. The Program is void wherever prohibited or restricted and is subject to all Applicable Laws. You must comply with all Applicable Laws during your participation in the Program, including but not limited to those regarding the transmission of data exported from the Yield Platform and the EU or the country from which you access our Yield Platform. Yield shall have the right at any time to change or discontinue any aspect or feature of the Program.

4. Ownership and Rewards

Any Report that you submit to us will become Yield property. Yield is under no obligation to act on a Report. However, if we do act on a Report, we may in our sole discretion extend monetary rewards ("Reward") to you as a gesture of our appreciation for raising the respective issue with the Yield Platform and supporting Yield in improving its customer and community experience. You will be responsible for any taxes and any expenses, costs, or fees associated with your participation in the Program and any Reward paid to you by Yield as a result.

5. Program Rules

Acceptable Behaviour

  • Act in a responsible way;

  • Provide complete details so we have optimal opportunities to resolve reported issues;

  • Assume penetration testing experts will be reviewing your submission;

  • Report common vulnerabilities (don’t explain the problem and the impact, just point out what you have discovered);

  • Report esoteric or very new issues and fully explain the problem encountered;

  • Provide references or sources when submitting your Report;

  • Follow the principles of responsible disclosure.

Unacceptable Behaviour

  • Put Yield’s data or its Users’ data at risk, degrade any of our system’s performance, or conduct any type of denial of service attack;

  • Intentionally harm the experience or usefulness of the service to others;

  • Disclose the reported vulnerability to others until we’ve had reasonable time to address it;

  • Attempt to gain access to another user’s account or data;

  • Use scanners or automated tools to find vulnerabilities; or

  • Attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

6. Confidentiality

Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about Yield or any of its users as part of your research prior to making a Report as detailed in this Policy and these Terms must therefore be kept confidential and only used in connection with the Yield App.

7. Rewards

You may be eligible to receive a Reward if:

  • You are the first person to submit a site or product vulnerability;

  • That vulnerability is determined to be a valid security issue by the Yield Security Team; and

  • You have complied with all Terms of this Policy and the Terms and Conditions and Privacy Policy of Yield.

All Rewards will be determined at the discretion of Yield. Each Report will be evaluated for severity, impact, and quality. Reward amounts vary depending upon the severity of the vulnerability reported. Some submissions may describe issues that we determine carry an acceptable level of risk; in those cases no adjustments will be made and no Rewards will be paid.

You understand that Yield retains the right to determine if the Report submitted is eligible. All determinations as to the amount of a Reward made by Yield are final.

All Reward payments will be made in YLD to a wallet address indicated in writing by the person submitting the Report. You must ensure the wallet address communicated by you is correct. Yield takes no responsibility for payments made to wrong wallet addresses that are not in your possession or control.

8. Terms

All Reports submissions are subject to the following Terms.

There are constraints on who may participate in the Smartling Bug Bounty Program (the "Program"). In addition, there may be additional restrictions depending upon applicable local laws.

The parties to this agreement are you and Yield as defined in the Terms and Conditions.

You understand all your actions, findings and Report must be lawful in accordance with Applicable Law.

Yield employees, contractors, and their families are not eligible for rewards.

By submitting a Report, you undertake not to disclose and agree that you will not disclose the issue/bug or the details of your Report to anyone other than Yield in accordance with this Policy and its Terms.

By submitting information about a potential vulnerability, you are agreeing to these Terms and Conditions and grant Yield a worldwide, royalty-free, non-exclusive license to use your Report for the purpose of addressing and correcting the vulnerabilities identified. Only the first report of a given issue is eligible. In the event of a duplicate submission, the earliest received report is considered for Rewards.

Eligibility for Rewards, and the determination of who receives a Reward and in what amount, is at Yield's discretion.

The Program is focused predominantly on the Yield website executing on internet domains that provide significant business value and are supported directly by Yield and its suppliers; Yield-branded mobile applications; devices; and the Platform. Vulnerabilities submitted outside this scope are generally less likely to receive recognition or Rewards under this Policy. They will nonetheless be treated with the utmost seriousness and, depending on the matter raised, will be considered for Rewards.

In instances where your contact details have changed, you are responsible for notifying Yield. Such details include your email address. Failure to do so may lead to the forfeiture of Rewards.

Yield reserves the right to discontinue the Program at any time without notice.

You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any Applicable Law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited and will be dealt with according to legal provisions in place.

If you inadvertently access proprietary customer, employee, or business-related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.

Your testing activities must not negatively impact Yield or the availability or performance of the Yield Platform's online environment.

9. Warranties and Disclaimers