Yelp, the popular customer review site, launched its own bug bounty program on September 6 and announced that white-hat hackers and security researchers were free to probe its systems for flaws and potential bugs that could take the service down. Yelp announced at launch that it would pay $100 for the smallest bugs and $15,000 for those that turn up critical flaws and problems.
The bug bounty program will be run in conjunction with the Silicon Valley-based bounty platform HackerOne. Yelp had been running a private bounty program, and the announcement expands that program to the public. The company said that during the two years of the private program it fixed 100 reported bugs, working with academic researchers and bug hunters across the globe throughout that period.
Martin Georgiev said in a statement announcing the news that, in the current tech climate, there is no such thing as perfect technology, and that this has been the case ever since the wheel was finished; at Yelp, however, they strive for that level of security. The world is a big place, and the company wants to work with skilled security researchers because it believes they will help it identify all the weaknesses in its systems, he said. The Yelp bug program is expected to cover Yelp's systems and services broadly: the consumer site, the business owner's site, the reservations site, corporate blogs, the support centre, the mobile apps, and the API.
The company also has newly acquired firms and third-party applications, but these are believed not to be covered by the program. The company has 73 million subscribers on its desktop site and a lower 69 million unique visitors on the mobile platform, so the areas it expects to be particularly affected are the consumer site and the mobile apps.
Georgiev said the company is interested in finding out whether any attacker could map user entries to their email addresses. Other problems of interest include a hacker being able to influence others' reviews on the site, order free food through the site, or obtain other users' payment details. Bug bounty hunters are also encouraged to go through the mobile apps to help find flaws specific to them.
Despite inviting researchers to scour its services for flaws and bugs, Yelp notes that it does not want researchers to use automated vulnerability scanners, because it would prefer people use their brains rather than their processing power. It also asked researchers to be nice and not to break anything, intentionally or unintentionally. The company urged researchers to bring their strongest game, but to know the boundaries of its systems.
Yelp joins a long list of tech companies that use bug bounties to combat security bugs and flaws. Several other tech behemoths, including Microsoft, Google, Facebook, Yahoo and Twitter, run such programs. The Defense Department also signed up for one this year.