Bug Bounty Program
Yuso develops a SaaS solution for urban transport companies. Our technologies handle fleets of vehicles for Taxis, PHVs, delivery and public shuttle companies. We specialize in dispatch optimization algorithms.
Ensuring security of our clients’ data is a top priority for us. We are therefore launching a public bug bounty program.
- Yuso offers a bounty for reporting certain security vulnerabilities (see ‘Rewards’ below)
- Please review the following guidelines before you report a vulnerability
- By participating in this program, you agree to be bound by these guidelines
- Only research that respect our guidelines are eligible for a reward
We require that all researchers:
- Investigate only the scope identified below (only identified vulnerabilities about those will be rewarded).
- Document the investigation in a report so that we could reproduce the steps of the inquiry by ourselves.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Do not degrade our clients’ operations during tests.
- Gather information to demonstrate any vulnerability and not for any other purpose.
- Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the bug bounty program must be kept confidential and only used in connection with the program.
- Do not publicly disclose a vulnerability without our consent.
- Do not test Yuso’s physical security (equipments, office, employees).
- Do not do non technical tests (such as social engineering, spam or phishing).
Please note that:
- The researcher must be the first person to report the bug to be rewarded.
- Only bugs that we are not already aware of will be rewarded.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Yuso will determine at its discretion whether a reward should be paid.
- The reporter must not be an employee of Yuso, nor one of its stakeholders.
- All payments will be made in euros.
Yuso will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.
Not in Scope
These urls points to wordpress components that are separate from our infrastructure, without any sensitive data and therefore considered not critical.
Our rewards are classified based on the impact of the vulnerability on our system.
|P1 - Critical||Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote execution, financial theft, etc.||
|P2 - High||Vulnerabilities that affect the security of the platform including the processes it supports||
|P3 - Medium||Vulnerabilities that affect multiple users and require little or no user interaction to trigger||
|P4 - Low||Vulnerabilities that affect singular users and require interaction or significant prerequisites to trigger (MitM) to trigger||
|P5 - Acceptable Risk||Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed acceptable business risk to the customer||
We are extremely grateful to the researchers that attend our programme, thank you for helping us making a great urban transport tool for our customers!
If you have found a vulnerability, please contact us at firstname.lastname@example.org.