Bug Bounty

🐞 Yolawo Bug Bounty Program – Rules and Guidelines

At Yolawo, we care deeply about the security of our users and their data. We welcome ethical hackers and security researchers to help us keep our services secure. If you discover a vulnerability, we’d like to reward you for your efforts. Please read the following rules carefully before testing or submitting a report.

Scope

✔️ In-Scope Domains:

  • *.yolawo.de (except yolawo.de WordPress site)
  • *.yolawo.net

Out of Scope:

  • Our public WordPress site at yolawo.de
  • Any third-party services or applications

🎯 Who Can Participate?

  • Anyone is welcome to participate, except:
    • Current or former Yolawo employees and contractors.
    • Participants from countries sanctioned by OFAC.

💸 Rewards

We offer monetary rewards for eligible, high-quality reports:

  • Reward range: €5 – €500, based on severity and impact.
  • The reward amount is determined by Yolawo using our custom severity scale.

⚠️ Important:

  • Rewards are granted only for the first valid report of a vulnerability.
  • Duplicate reports will not be compensated.
  • To comply with German tax laws, we can only pay rewards upon receiving a valid invoice from you.
  • We prefer to send payments via PayPal.

📜 Reporting Guidelines

  • Vulnerabilities must be reported privately to us via email: bug@yolawo.de.
  • Public disclosure is not permitted under this program.
  • We commit to:
    • Acknowledging your report within 7 days.
    • Resolving valid issues within 180 days.

🚫 Rules of Engagement

To keep our services and users safe, participants must follow these rules:

  • Do not perform:
    • Brute-forcing of credentials.
    • Denial of Service (DoS/DDoS) attacks.
    • Social engineering (phishing, impersonation, etc.).
    • Use of automated vulnerability scanners or tools.
  • Do not access, modify, or delete data belonging to other users.
  • Do not attempt to compromise or attack the accounts of other people.
  • Do not engage in any activity that degrades or negatively impacts the performance, availability, or stability of our systems.
  • ✔️ You may create up to 2 test accounts per person for testing purposes.

Examples of Accepted Vulnerabilities

We’re especially interested in impactful security issues, including but not limited to:

  • Authentication flaws (e.g., bypasses, logic issues, weak password reset flows)
  • Cross-Site Scripting (XSS) leading to session theft or account compromise
  • Cross-Site Request Forgery (CSRF) with significant impact
  • Privilege escalation (horizontal or vertical)
  • Access control issues (e.g., accessing other users’ data)
  • Sensitive data exposure (e.g., leakage of personal data, API keys, etc.)
  • SQL injection and other critical injection flaws
  • Server-side request forgery (SSRF)

Out of Scope Findings

The following are considered out of scope and will not be eligible for rewards unless combined with a real-world impact:

  • Self-XSS (where a user can only inject script into their own session, with no way to affect other users)
  • Missing HttpOnly, Secure, or SameSite cookie flags
  • Clickjacking on pages without sensitive actions
  • Lack of DNSSEC
  • Use of outdated libraries or components without a working proof-of-exploit
  • Rate-limiting or brute-force issues that do not lead to account compromise
  • SPF, DKIM, or DMARC misconfigurations without proven exploitability
  • Vulnerabilities on third-party services or software not owned by Yolawo

Additionally, we will not consider:

  • Spam or social engineering attacks against Yolawo employees or users
  • Denial of Service (DoS/DDoS) vulnerabilities
  • Issues requiring physical access to a user’s device

🛡️ Safe Harbor

We value your good-faith efforts to improve our security. If you act in accordance with these rules, we will:

  • Consider your activities as authorized conduct.
  • Not initiate legal action against you.
  • Work with you to understand and resolve the issue quickly.

We’re grateful to security researchers who help us keep our platform safe. Exceptional contributors may be recognized here (with their permission).

📧 Ready to Report?

Send your findings to bug@yolawo.de with clear details so we can reproduce and verify the issue.

🏆 Yolawo Security Hall of Fame

Honored Researchers

  • Aksha Chudasama
  • Your name here!

Send us your report and you could earn a reward and a spot in our Hall of Fame.