Crowdsourced review site Yelp is upping its bug bounty, moving to a public program where white hat hackers can find vulnerabilities across the company’s suite of websites and apps for potentially thousands of dollars.
In the past, Yelp has held private bug bounty programs where more than a hundred potential vulnerabilities have been discovered, amounting to dozens of security experts being paid in the process.
A blog post on Yelp’s website says the new public bounty program will go up to $15,000 for the “most impactful exploit.”
The program covers the company’s consumer, business owner, security, reservation and support websites, along with their mobile apps and APIs. Yelp will pay out for vulnerabilities ranging from minor ones like cross-site scripting and SQL injections, to anything that could give malicious actors the ability to exfiltrate data, impersonate a business owner or lead to an insecure user experience.
“The security team at Yelp is committed to keeping our users, our data, and our platform and services safe and sound,” the blog post reads.
HackerOne, who is running the program on behalf of Yelp, said Wednesday that over 150 vulnerabilities have been found in the program’s first day.
A wider array of companies have been establishing bug bounties. The Department of Defense also held a public bug bounty earlier this year, the first federal government bug bounty aimed at finding holes in DOD websites.