Yelp offers hackers up to $15000 per report to expose vulnerabilities through new bug bounty programme

Popular customer review service Yelp launched a new public bug bounty programme on 6 September, calling on white-hat hackers and security researchers to trawl through its websites and mobile app for security vulnerabilities that could potentially affect its users and business. As a reward for their findings, Yelp will pay a minimum bounty of $100 for every accepted report and up to $15,000 for riskier, critical exploits.

Running the bug bounty programme with Silicon Valley-based bug bounty platform HackerOne, Yelp's new programme is a public expansion of a private bug bounty system that the company launched two years ago which the company says allowed them to squash over 100 potential vulnerabilities with the help of academic researchers and bug hunters from around the world.

"There's no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can," Yelp security engineer Martin Georgiev said in a statement. "It's a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology."

In an effort to bolster the security of Yelp's systems and services, the expansive bug bounty programme will cover Yelp's consumer website, business owners' site, reservations site, corporate blogs, support centre, mobile apps and API.

However, its newly-acquired companies or websites, third-party systems that are not directly under Yelp's control and its recently acquired food delivery service, Eat24, are not currently included in the programme.

Drawing an average of nearly 73 million unique visitors to its desktop site and 69 million unique visitors on mobile every month, some areas of particular concern to the online review service will include its consumer site and mobile apps.

"We are interested in any vulnerabilities that allow the attacker to map user profiles to their respective email addresses," Georgiev wrote. "Other critical vulnerabilities in our consumer site would involve the ability of a malicious user to modify other users' reviews, order food for free or gain access to another user's payment details: eg, reveal PANs."

Interested bug bounty hunters are also encouraged to scour Yelp's iOS and Android apps, which garner most of Yelp's content and searches, for mobile-specific flaws as well.

"Look for insecure storage of data, insecure WebView configs, insecure network connections, sensitive data disclosure via logs/errors, privilege separation, etc," Georgiev notes. "Vulnerabilities that allow tracking large number of users in real time are also considered high-severity issues."

Besides mapping out its bug bounty programme to help security researchers and hackers get started, Yelp cautioned interested participants against using automated vulnerability scanner to scour its platforms and services for bugs. "We need your brainpower, not your processing power," Yelp said. The company also asked users to "please be nice to us" and "hold off on actually breaking anything."

"We want you to bring out your big guns, but hold off on actually breaking anything," the company said. "Please avoid DDoS'ing us or breaking our systems and services while you are testing."

Yelp is the latest tech giant to launch its own public bounty programme to find and fix holes within their digital infrastructure before they are exploited by malicious entities and beef up their security efforts against increasingly sophisticated cyberattacks.

Earlier this month, Microsoft announced an expansion to its own bounty programme, adding .NET Core and ASP.NET Core to its series of ongoing bounty programmes. At the Black Hat conference in August, Apple and security firm Kaspersky Lab announced their own bug bounty programmes as well. While Apple launched its first-ever, invite-only bug bounty programme, offering researchers up to $200,000 to find flaws in iOS and iCloud, Kaspersky decided to make the closed bug bounty that it ran for some time public.

While several major companies such as Google, Yahoo, Microsoft, Facebook and Twitter have been running their own rewards programmes for years, Uber, Chrysler and the Department of Defence launched their own this year.