Bug Bounty

🐞 Yolawo Bug Bounty Program – Rules and Guidelines

At Yolawo, we care deeply about the security of our users and their data. We welcome ethical hackers and security researchers to help us keep our services secure. If you discover a vulnerability, we’d like to reward you for your efforts. Please read the following rules carefully before testing or submitting a report.

⚠ Before you report — please read

We receive a high volume of automated, low-quality submissions and must filter them aggressively. Your report will be closed without reply if any of the following apply:

  • Your proof of concept is a link to an online scanner (e.g. securityheaders.com, domsignal.com, serpworx.com, sidnlabs.nl, ssllabs.com, hardenize.com, internet.nl, mxtoolbox.com, pentest-tools.com, observatory.mozilla.org, or similar).
  • The finding appears in our out-of-scope list below (missing security headers, DNS/TLS/email hygiene such as SPF/DKIM/DMARC/DANE/TLSA, theoretical crypto attacks such as BREACH/CRIME/BEAST, rate limiting, username enumeration, clickjacking, cookie flags, CORS without impact, version disclosure, etc.).
  • The finding is on an out-of-scope domain (yolawo.de WordPress site, office.yolawo.de, third-party services).
  • The report lacks a working, step-by-step exploit against app.yolawo.de or *.yolawo.net that demonstrates concrete impact on Yolawo users or data.

Eligible reports require: (1) a written reproduction we can follow, (2) a working payload or request/response capture, and (3) a clear statement of what an attacker can actually achieve. Scanner output alone is not a vulnerability.

Repeat low-quality submissions will result in the sender being blocked and reported for email abuse.

Scope

✔️ In-Scope Domains:

  • *.yolawo.de (except the yolawo.de WordPress site and the office.yolawo.de hackathon project)
  • *.yolawo.net

Out of Scope:

  • Our public WordPress site at yolawo.de
  • Our hackathon project at office.yolawo.de
  • Any third-party services or applications

🎯 Who Can Participate?

  • Anyone is welcome to participate, except:
    • Current or former Yolawo employees and contractors.
    • Participants from countries sanctioned by OFAC.

💸 Rewards

We offer monetary rewards for eligible, high-quality reports:

  • Reward range: €5 – €500, based on severity and impact.
  • The reward amount is determined by Yolawo using our custom severity scale.

⚠️ Important:

  • Rewards are granted only for the first valid report of a vulnerability.
  • Duplicate reports will not be compensated.
  • To comply with German tax laws, we can only pay rewards upon receiving a valid invoice from you.
  • We prefer to send payments via PayPal.

📜 Reporting Guidelines

  • Vulnerabilities must be reported privately to us via email: bug@yolawo.de.
  • Public disclosure is not permitted under this program.
  • We aim to:
    • Acknowledge your report within 7 days.
    • Resolve valid issues within 180 days.

🚫 Rules of Engagement

To keep our services and users safe, participants must follow these rules:

  • Do not perform:
    • Brute-forcing of credentials.
    • Denial of Service (DoS/DDoS) attacks.
    • Social engineering (phishing, impersonation, etc.).
    • Use of automated vulnerability scanners or tools.
  • Do not access, modify, or delete data belonging to other users.
  • Do not attempt to compromise or attack the accounts of other people.
  • Do not engage in any activity that degrades or negatively impacts the performance, availability, or stability of our systems.
  • ✔️ You may create up to 2 test accounts per person for testing purposes.

Examples of Accepted Vulnerabilities

We’re especially interested in impactful security issues, including but not limited to:

  • Authentication flaws (e.g., bypasses, logic issues, weak password reset flows)
  • Cross-Site Scripting (XSS) leading to session theft or account compromise
  • Cross-Site Request Forgery (CSRF) with significant impact
  • Privilege escalation (horizontal or vertical)
  • Access control issues (e.g., accessing other users’ data)
  • Sensitive data exposure (e.g., leakage of personal data, API keys, etc.)
  • SQL injection and other critical injection flaws
  • Server-side request forgery (SSRF)

Out of Scope Findings

The following findings are not eligible for rewards and will be closed without a detailed response:

Security headers

  • Missing or misconfigured Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security (HSTS), Referrer-Policy, Permissions-Policy, Feature-Policy, Expect-CT, COOP, COEP, CORP, or similar response headers
  • Missing security.txt, humans.txt, or /.well-known/ paths

TLS, SSL, DNS & cryptography

  • Lack of DNSSEC, DANE, TLSA, or CAA records
  • Weak cipher suites, TLS version support, certificate chain issues, HSTS preloading, or certificate transparency findings without demonstrated exploitation
  • Theoretical crypto/compression attacks including BREACH (CVE-2013-3587), CRIME, BEAST, POODLE, Lucky13, Sweet32, Logjam, FREAK, and similar, without a working exploit against our application

Email & DNS hygiene

  • SPF, DKIM, DMARC, BIMI, MTA-STS, or TLS-RPT misconfigurations without proven exploitability
  • Email spoofing reports based solely on DNS-record configuration

Cookies, sessions & client-side

  • Missing HttpOnly, Secure, SameSite, or __Host- cookie flags without an end-to-end exploit
  • Self-XSS (where a user can only inject script into their own session)
  • Clickjacking on pages without sensitive, state-changing actions
  • Tabnabbing, HTML injection without impact, or open redirects without a demonstrated attack chain
  • CORS misconfiguration without a working PoC demonstrating data exfiltration
  • Autocomplete enabled on form fields, descriptive error messages, verbose stack traces without sensitive data

Enumeration, rate limiting & policy

  • Rate-limiting or brute-force issues that do not lead to account compromise (including login, signup, password reset, OTP, and contact forms)
  • Username or email enumeration, password policy weaknesses, session timeout duration
  • Host header injection without a working PoC

Software & information disclosure

  • Use of outdated libraries or components without a working proof-of-exploit against our deployment
  • Banner grabbing, framework or server version disclosure (nginx, Spring Boot, library versions)
  • Subdomain takeover reports without a proven takeover PoC
  • Directory listing or exposure of .git / .env / backup paths that return 403/404 or contain no sensitive data
  • Hyperlink injections (we are already aware of these)

Scope & source

  • Vulnerabilities on third-party services or software not owned by Yolawo
  • Any finding on out-of-scope domains (the WordPress site at yolawo.de, office.yolawo.de, or third-party services), regardless of severity
  • Any report whose proof of concept is solely a link to a third-party scanner, including but not limited to securityheaders.com, domsignal.com, serpworx.com, sidnlabs.nl, ssllabs.com, hardenize.com, internet.nl, mxtoolbox.com, pentest-tools.com, and observatory.mozilla.org

Additionally, we will not consider:

  • Spam or social engineering attacks against Yolawo employees or users
  • Denial of Service (DoS/DDoS) vulnerabilities, resource exhaustion, or ReDoS without critical, demonstrated impact
  • Issues requiring physical access to a user’s device, outdated browsers, or non-default browser configurations
  • Reports generated by automated tools (Nuclei, Nessus, Acunetix, Burp, ZAP, etc.) without manual verification, a working exploit, and a written impact analysis

🛡️ Safe Harbor

We value your good-faith efforts to improve our security. If you act in accordance with these rules, we will:

  • Consider your activities as authorized conduct.
  • Not initiate legal action against you.
  • Work with you to understand and resolve the issue quickly.

We’re grateful to security researchers who help us keep our platform safe. Exceptional contributors may be recognized here (with their permission).

📧 Ready to Report?

Send your findings to bug@yolawo.de with clear details so we can reproduce and verify the issue.

🏆 Yolawo Security Hall of Fame

Honored Researchers

  • Aksha Chudasama
  • Areeb Jamal
  • Sachin Kalkumbe
  • Sumit Bhadouriya
  • Tanish
  • Muhammed Nadeem
  • Your name here!

Send us your report and you could earn a reward and a spot in our Hall of Fame.