Yelp makes its bug bounty program public

After two years of keeping their bug bounty program private and relatively secret, Yelp is opening it up and has invited bug hunters to probe its sites, apps, and infrastructure.

“Our vulnerability reward payouts will go up to $15,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $100,” the company says.

Apparently, they have already paid bug bounties to dozens of bug hunters, who throughout the years helped them find and patch over a hundred potential vulnerabilities. The company has so far distributed a total of $65,360 to successful bug hunters.

The bug bounty program has been set up on HackerOne, and Yelp has asked researchers to look into their consumer sites, business owner’s site, mobile apps (both for users and business owners), their Yelp Reservations online management system, public API, Support Center, and their blogs.

In order to help them, they have provided an overview of these assets: their location, purpose, what’s under the hood (technical details), and pointers about what they should look for.

Yelp asked that they refrain from breaking their system, from using automated vulnerability scanners, and from testing newly acquired sites and companies for a period of one year after the acquisition. Also, not to test properties tied to Eat24, an online food-ordering service that Yelp has bought in 2015.

It is not unusual for companies to first set up a limited, private, invite-only bug bounty program, especially if their assets are many and their security team, which will have to deal with vulnerability reports and creating fixes, is small.

According to Yelp’s Engineering Manager Vivek Raman, the company’s security team is finally mature enough to handle the increased scrutiny of their assets that the program will likely bring about.