Bug Bounty Program

Yuso develops a SaaS solution for urban transport companies. Our technologies handle fleets of vehicles for Taxis, PHVs, delivery and public shuttle companies. We specialize in dispatch optimization algorithms.

Ensuring security of our clients’ data is a top priority for us. We are therefore launching a public bug bounty program.

  • Yuso offers a bounty for reporting certain security vulnerabilities (see ‘Rewards’ below)
  • Please review the following guidelines before you report a vulnerability
  • By participating in this program, you agree to be bound by these guidelines
  • Only research that respects our guidelines is eligible for a reward

Guidelines

We require that all researchers:

  • Investigate only the scope identified below (only identified vulnerabilities about those will be rewarded).
  • Document the investigation in a report so that we can reproduce the steps of the inquiry by ourselves.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade our clients’ operations during tests.
  • Gather information to demonstrate any vulnerability and not for any other purpose.
  • Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the bug bounty program must be kept confidential and only used in connection with the program.
  • Do not publicly disclose a vulnerability without our consent.
  • Do not test Yuso’s physical security (equipment, offices, employees).
  • Do not perform non-technical tests (such as social engineering, spam or phishing).

Please note that:

  • The researcher must be the first person to report the bug to be rewarded.
  • Only bugs that we are not already aware of will be rewarded.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Yuso will determine at its discretion whether a reward should be paid.
  • The reporter must not be an employee of Yuso, nor one of its stakeholders.
  • All payments will be made in euros.

Yuso will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.

Scope

*.yusofleet.com
*.marcel.cab
*.classnco.com

Not in Scope

www.yusofleet.com
www.marcel.cab

These URLs point to WordPress components that are separate from our infrastructure, hold no sensitive data and are therefore considered not critical.

Rewards

Our rewards are classified based on the impact of the vulnerability on our system.

Priority - Impact: Vulnerability Types

P1 - Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote execution, financial theft, etc.
  • Remote Code Execution
  • Vertical Authentication Bypass
  • XML External Entities Injection with significant impact
  • SQL Injection with significant impact

P2 - High: Vulnerabilities that affect the security of the platform, including the processes it supports
  • Lateral authentication bypass
  • Stored XSS with significant impact
  • SSRF with significant impact
  • Direct object reference with significant impact
  • Internal SSRF

P3 - Medium: Vulnerabilities that affect multiple users and require little or no user interaction to trigger
  • Reflected XSS with impact
  • Direct object reference
  • URL redirect
  • CSRF with impact

P4 - Low: Vulnerabilities that affect singular users and require interaction or significant prerequisites (such as MitM) to trigger
  • SSL misconfigurations with little impact
  • SPF configuration problems
  • XSS with limited impact
  • CSRF with limited impact

P5 - Acceptable Risk: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer
  • Debug information
  • Use of CAPTCHAs
  • Code obfuscation
  • Rate limiting, etc.

Priority - Reward
  • P1: 1500€
  • P2: 900€
  • P3: 300€

We are extremely grateful to the researchers who take part in our programme. Thank you for helping us make a great urban transport tool for our customers!

If you have found a vulnerability, please contact us at bugbounty@yusofleet.com.