Bug Bounty Program

The security of our users and partners is a top priority for Yourban.
We appreciate the efforts of the cybersecurity community in helping us identify and fix potential vulnerabilities before they can be exploited. This program applies to all Yourban digital environments, including the corporate website https://www.yourban.ai and the SaaS platform https://app-yourban.com.

How to report a vulnerability

If you discover a potential issue on the site or the platform, please contact us responsibly at diego@go-yourban.com with:
- A clear and concise description of the issue
- Steps to reproduce
- The potential impact and affected endpoint (URL, API, etc.)

⚠️ Please do not exploit vulnerabilities, access personal or confidential data, or disrupt our services.
Allow us reasonable time to investigate and resolve the issue before any public disclosure.
More information on our Testing Policy below.

Testing Policy

Please test vulnerabilities only against your own accounts. Only use authorized accounts so as not to inadvertently compromise the security or privacy of our users.
- Avoid tests that could cause degradation or interruption of our service systems.
- Do not use automated scanners or tools that generate large amounts of network traffic.
- Do not leak, manipulate, or destroy any user data or files in any system.
- Do not copy any files from the system or disclose them.

Reward Policy

Yourban does not currently operate a paid bug bounty program.
However, we value every valid report and may offer:
- Public acknowledgment (Hall of Fame or thank-you mention)
- Early access to selected features
- Occasionally, a symbolic reward depending on impact and report quality

Risk Category | Scoring | Reward | Objective
Critical | 1 000 | Cash prize (1 - 500 €) | Most dangerous vulnerability: Enterprise database or system compromise.
High-Risk | 750 | Hall of Fame Premium | Very serious flaw: Privileged access or massive data leak.
Medium-Risk | 350 | Hall of Fame | Significant breach: Targeted identity theft or moderate impact on the user.
Low-Risk | 100 | Hall of Fame | Minor flaw or one requiring significant user interaction.
No Impact | 0 | Thank You | Functional, aesthetic, or non-exploitable bugs.

Vulnerability Classification

Critical Vulnerabilities
- System Access/RCE: Remote Code Execution (RCE), Command Injection, Web Shell Upload, or SQL Injection leading to system permissions on production servers.
- Data Access (Major): Full access to the core business intelligence database. Severe information leak affecting more than 100,000 records or allowing access to three or more sensitive fields (customer data, aggregated traffic/demand data, billing details).
- Major Logic Flaws: Arbitrary login to any user or administrator account, authentication bypass for critical financial transactions.
- Multi-tenant Security: Unauthorized access to another Yourban.ai client's data and reports (business intelligence).

High-Risk Vulnerabilities
- General Permissions: Vulnerabilities leading to general permissions or internal network access (SSRF with complete response feedback).
- Privilege Escalation: Authentication bypass to access administrative backends or client account management features. Unauthorized modification of critical platform business configurations.
- Information Leak: Information leak affecting more than 10,000 sensitive records, or SQL Injection on secondary databases.

Medium-Risk Vulnerabilities
- User Identity Theft: Stored XSS on critical pages (login, reporting dashboards). SQL Injection on standard application websites (outside Core DB).
- Unauthorized Access: Bypassing interface restrictions to modify a user's data (non-admin) or perform operations on their behalf.
- Moderate Information Leak: Leak of internal source code (complete packages) or exposure of Cloud platform keys.

Low-Risk Vulnerabilities
- User Interaction: Reflected XSS, CSRF on sensitive operations.
- Minor Logic Flaws: SMS/Email verification code bypass, SMS code brute forcing.
- Minor Information Leak: Leak of source code fragments on GitHub, logs (Logcat) not containing critical sensitive information.

No Impact
- Aesthetic issues, functional bugs, non-exploitable vulnerabilities (Self-XSS, scanner reports, etc.).
- Vulnerabilities in test, pre-release, or demo environments.

Reward Eligibility and Responsible Disclosure

1. First Reporter: You must be the first person to report a valid vulnerability. Reports on previously known flaws will be marked as Informative.

2. Qualifying Vulnerability: The reported vulnerability must match a risk category defined in Section 1.

3. "OneFixOneReward" Rule: If two or more vulnerabilities are linked to the same root cause and a single fix resolves all instances, only the first valid report submitted will be eligible for a reward (monetary or otherwise). Subsequent related reports will be closed as Informative. These cases will be reviewed on a case-by-case basis.

4. Report Quality: You must provide a clear textual description of the report, including precise steps to reproduce the issue, along with necessary attachments (screenshots, proof of concept code).

5. Ethical Conduct:
- You must avoid testing that could cause degradation or interruption of Yourban.ai services (refrain from using heavy automated tools and limit requests per second).
- You must not, under any circumstances, leak, manipulate, or destroy any data belonging to Yourban.ai or its clients.
- No vulnerability disclosure, including partial disclosure, is allowed before the flaw has been fully patched.

6. Professional Status: You must not be a current or former employee of Yourban.ai, nor a contractor or business partner currently working for Yourban.ai.

7. Assessment: Our analysis and the reward paid are always based on the worst-case exploitation scenario of the reported vulnerability.

We commit to providing you with a complete risk classification (score) and reward decision within a maximum of 15 business days, excluding public holidays and company closure periods, following the receipt of your report.

Contact

Security contact: diego@go-yourban.com
