Yelp Launches Public Bug Bounty

Yelp today announced a public bug bounty, which will pay up to $15,000 for critical vulnerabilities found on its mobile and desktop sites, public API and other areas of its infrastructure.

For a long time, Yelp.com has been one of the Internet’s most-frequented resources for crowd-sourced local business, restaurant and hospitality reviews and tips. Starting today, the door will be open to researchers and bug-hunters who are invited to participate in Yelp’s public bug bounty.

The company has, for two years, participated in a private bounty program with HackerOne, rewarding a closed field of experts for finding hundreds of vulnerabilities, said Martin Georgiev, Yelp security engineer.

Today, the program goes public, and it’s fairly expansive with a number of areas of its infrastructure in scope, including its desktop site, mobile application and public API.

“It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology,” Georgiev said in a statement announcing the public bounty.

Yelp is ranked 165 by Alexa and between its desktop and mobile offerings, reaches close to 150 million unique visitors a month. Georgiev said the payouts will go as high as $15,000, with a minimum bounty of $100.

The most targeted areas for bug-hunters figure to be the consumer site and mobile application. Yelp says its consumer site attracts 73 million unique visitors a month, and Georgiev said unauthorized account access is a top priority.

“We are interested in any vulnerabilities that allow the attacker to map user profiles to their respective email addresses,” he said. “Other critical vulnerabilities in our consumer site would involve the ability of a malicious user to modify other users’ reviews, order food for free or gain access to another user’s payment details: e.g., reveal PANs.”

Yelp’s iOS and Android apps, however, garner most of the service’s content, as well as most of its searches. Bounty participants are urged to seek out mobile-specific vulnerabilities on both platforms.

“Look for insecure storage of data, insecure WebView configs, insecure network connections, sensitive data disclosure via logs/errors, privilege separation, etc.,” Georgiev said. “Vulnerabilities that allow tracking large number of users in real time are also considered high-severity issues.”

Yelp has also put its business owner’s site in the scope of the bounty; business owners manage their Yelp accounts through this site and have access to analytics and can interact with customer questions and reviews. Web vulnerabilities and any issues that would allow an attacker to bypass authentication are especially in scope, Yelp said.

“We are especially interested in vulnerabilities that allow an attacker to impersonate a business owner, escalate account privileges within a business page (e.g., upgrade an employee account to an admin account), modify ad spending, obtain non-public or bulk data sets that ought to be restricted to the business owners, or obtain non-public or bulk information about Yelp users’ interactions with a particular business,” Georgiev said.

Also in the scope of the bounty program is Yelp’s public API, used by developers to build apps on top of Yelp’s data stores, for example. Georgiev said that vulnerabilities that enable authentication bypasses, or data injection attacks that expose data stores to leaks are a priority.

Yelp said that bugs in its Yelp Reservations service, engineering blog and Yelp support are also eligible for rewards.

Yelp cautioned that participants should not expect to be able to use automated vulnerability scanners to find bugs. “We need your brainpower, not your processing power,” the company said.

More and more technology and large Internet sites are establishing public bounty programs, During the recent Black Hat hacker conference, Apple and Kaspersky Lab announced rewards programs. Kaspersky Lab, like Yelp, had run a private beta with HackerOne for some time before going public. Apple, meanwhile, began a private rewards program on Sept. 1 with six-figure payouts available for critical bugs in iOS.

Moving from a private to public bounty program, meanwhile, requires significant preparation, starting with the ability to accept and triage bug reports, to integrating fixes into a company’s development lifecycle, and working closely with researchers, assuring them firsthand that their work won’t land them in court or jail.

“Bug bounty programs are a sign that everything under it is mature and in shape,” HackerOne CTO Alex Rice said prior to Kaspersky’s public unveiling of its rewards program. “You can’t launch unless you have architectural reviews, a SDLC and other critical processes in place. Organizations think they have it, but don’t really know until they try it out. Some organizations that have bounty programs and their processes are less mature than they thought, the first 10 hackers they’ve invited have created six months worth of work.”

Suggested articles