Responsible Disclosure Policy

Protecting our infrastructure and the data entrusted to us by our customers is integral to what we do.

We recommend reading this disclosure policy fully before you report any vulnerabilities. This helps ensure that you understand the policy, and act in compliance with it. We value the work done by security researchers in making the Internet a safer and more secure space and have developed this policy using guidance from ISO 29147:2018.

As an organization committed to transparency, and one that works closely with our developer community, Yubi extends the same philosophy to our relationship with security researchers acting in good faith. Yubi welcomes the responsible disclosure of potential security vulnerabilities in our products, services or systems, subject to the terms and conditions outlined in this policy. In return, Yubi makes efforts, wherever we can, to show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy.

We are committed to thoroughly investigating, understanding and resolving security issues across our websites in collaboration with the security community.

Domains in Scope

Any of the Yubi services (iOS, Android or web apps) which process, store, transfer or otherwise use personal or sensitive personal information, such as customer data and authentication data.

The fully qualified domain names of the systems within scope are listed below. Subdomains not explicitly listed are not in-scope.

Products and services in scope:

Together referred to as Platform.

Cloud, including:

The policy applies to everyone, including, for example, Yubi staff, third-party suppliers and general users of the Yubi services.

Out of Scope

Qualifying Bugs

Non-Qualified Bugs

Bug Bounty

Unfortunately, due to Yubi's funding structure, it is not currently possible for us to offer a paid bug bounty programme. We will, however, make efforts, wherever we can, to show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy.

Testing for Vulnerabilities

If you want to actively test our systems for vulnerabilities, you must:

And you must not:

Rules and Legalities to be followed

Yubi will not engage in legal action against individuals or entities that submit vulnerability reports covering in-scope products and services (as defined above) through the approved channels (defined below).

Furthermore, Yubi agrees not to pursue legal action against individuals or entities that adhere to the following rules of engagement when identifying and submitting vulnerabilities unless we are compelled to do so by a regulatory authority, other third party, or applicable laws:

Must not perform:

We ask you to securely delete any and all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first.

Disclosure Guidelines for Vulnerabilities in Third-Party Software:

If you discover a security vulnerability in a third-party product, the following disclosure guidelines apply:

Reporting Template

Vulnerability reports should be submitted to the Yubi security team via email, to the address disclosure@go-yubi.com.

  1. Full Name of the Individual:
  2. Mobile Number:
  3. Link to your professional handles (LinkedIn, Twitter, Facebook, GitHub, etc.)
  4. Bug Information:
  5. Vulnerability Name:
  6. Affected areas:
  7. Impact:
  8. Detailed POC with the below details:

Preference, Prioritization and Acceptance Criteria

In order to obtain the most value from this program, for both Yubi and the participating security researcher, we strongly advise that, and will give priority to, disclosures which include:

If you follow these guidelines, you can expect the following from Yubi:

After submission, if your issue is accepted, you will hear from us within 72 hours.

If you do not hear from us within 72 hours, it means your issue has not been accepted this time.

The team will triage the reported vulnerability and respond as soon as possible to let you know whether further information is required, whether the vulnerability is in or out of scope, or is a duplicate report. If remediation work is necessary, it is assigned to the appropriate Yubi teams or supplier(s).

Priority for bug fixes or mitigations is assessed by looking at impact severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to inquire about the status of the process, but should avoid doing so more than once every 14 days, so that our teams can focus on the reports as much as possible.

When the reported vulnerability is resolved, or remediation work is scheduled, the Vulnerability Disclosure Team will notify you, and invite you to confirm that the solution covers the vulnerability adequately.

What should not be reported via this program?

The disclosure point is not intended for:

Submitting complaints about services

Making fraud reports and/or suspicions of fraud reports from false mail or phishing emails

Reporting viruses

Submitting complaints or questions about the availability of the website

Hall of Fame

While Yubi does not provide any reward for responsibly disclosing unique vulnerabilities and working with us to remediate them, we would like to publicly convey our deepest gratitude to the security researchers who do so. We will add your name to our Hall of Fame. Your efforts are truly appreciated by Yubi.

Legal Note

Your participation in the Program will not violate any law applicable to you or disrupt or compromise any data that is not your own.

You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments when we run bug bounty programs in the future.

Yubi reserves the right to terminate or discontinue the Program at its discretion.