[{"id":3768434,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits. Reward structure above is only valid for reports submitted on or after September 19, 2022. Reports submitted prior to this date would be treated with the old reward structure. \n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. 
Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@wearehackerone.com` account as per the [Hackerone email alias](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias), where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains.\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let 
others find my profile using my name or email address.' privacy setting.\n* Dependency confusion or supply chain attacks that do not comply with the respective package manager's (e.g. PyPi, npm, etc.) Terms of Service (ToS). This includes claiming Yelp's package names on public package managers and/or uploading malicious scripts.\n* Vulnerabilities that require the user's device to be jailbroken/rooted.\n* User credentials that were stolen by malware, etc. We will work to resolve affected user accounts, however, valid reports will be closed as Resolved and awarded reputation points in lieu of a bounty and/or bonus.\n* Rate limiting bypass with no clear security impact. We will close the report as Informative.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"User Credential Leaks\",\"details\":\"User credentials that were stolen by malware, etc will be excluded from any rewards from the program. We will work to resolve affected User accounts. Valid reports will be closed as Resolved and awarded reputation points in lieu of a bounty and/or bonus.\"}"],"timestamp":"2026-01-16T18:42:20.934Z"},{"id":3764051,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. 
\n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits. Reward structure above is only valid for reports submitted on or after September 19, 2022. Reports submitted prior to this date would be treated with the old reward structure. \n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@wearehackerone.com` account as per the [Hackerone email alias](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias), where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. 
If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains.\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n* Dependency confusion or supply chain attacks that do not comply with the respective package manager's (e.g. PyPi, npm, etc.) Terms of Service (ToS). 
This includes claiming Yelp's package names on public package managers and/or uploading malicious scripts.\n* Vulnerabilities that require the user's device to be jailbroken/rooted.\n* User credentials that were stolen by malware, etc. We will work to resolve affected user accounts, however, valid reports will be closed as Resolved and awarded reputation points in lieu of a bounty and/or bonus.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"User Credential Leaks\",\"details\":\"User credentials that were stolen by malware, etc will be excluded from any rewards from the program. We will work to resolve affected User accounts. Valid reports will be closed as Resolved and awarded reputation points in lieu of a bounty and/or bonus.\"}"],"timestamp":"2025-10-02T21:02:07.255Z"},{"id":3760382,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits. 
Reward structure above is only valid for reports submitted on or after September 19, 2022. Reports submitted prior to this date would be treated with the old reward structure. \n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@wearehackerone.com` account as per the [Hackerone email alias](https://docs.hackerone.com/en/articles/8404308-hacker-email-alias), where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. 
We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains.\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n* Dependency confusion or supply chain attacks that do not comply with the respective package manager's (e.g. PyPi, npm, etc.) Terms of Service (ToS). 
This includes claiming Yelp's package names on public package managers and/or uploading malicious scripts.\n* Vulnerabilities that require the user's device to be jailbroken/rooted.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-01T17:43:10.343Z"},{"id":3758373,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits. Reward structure above is only valid for reports submitted on or after September 19, 2022. Reports submitted prior to this date would be treated with the old reward structure. \n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. 
If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@test.com` account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. 
We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains.\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n* Dependency confusion or supply chain attacks that do not comply with the respective package manager's (e.g. PyPi, npm, etc.) Terms of Service (ToS). 
This includes claiming Yelp's package names on public package managers and/or uploading malicious scripts.\n* Vulnerabilities that require the user's device to be jailbroken/rooted.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-30T19:01:46.480Z"},{"id":3708014,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits. Reward structure above is only valid for reports submitted on or after September 19, 2022. Reports submitted prior to this date would be treated with the old reward structure. \n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. 
If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@test.com` account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. 
We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains.\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n* Dependency confusion or supply chain attacks that do not comply with the respective package manager's (e.g. PyPi, npm, etc.) Terms of Service (ToS). 
This includes claiming Yelp's package names on public package managers and/or uploading malicious scripts.\n* Vulnerabilities that require the user's device to be jailbroken/rooted.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-24T23:55:11.121Z"},{"id":3706620,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits. Reward structure above is only valid for reports submitted on or after September 19, 2022. Reports submitted prior to this date would be treated with the old reward structure. \n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. 
If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@test.com` account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. 
We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains.\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n* Dependency confusion or supply chain attacks that do not comply with the respective package manager's (e.g. PyPi, npm, etc.) Terms of Service (ToS). 
This includes claiming Yelp's package names on public package managers and/or uploading malicious scripts.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-06T16:13:06.243Z"},{"id":3706619,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits. Reward structure above is only valid for reports submitted on or after September 19, 2022. Reports submitted prior to this date would be treated with the old reward structure. \n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. 
Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@test.com` account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this 
[article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n* Dependency confusion or supply chain attacks that do not comply with the respective package manager's (e.g. PyPI, npm, etc.) Terms of Service (ToS). This includes claiming Yelp's package names on public package managers and/or uploading malicious scripts.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-06T16:12:11.774Z"},{"id":3677743,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits. 
Reward structure above is only valid for reports submitted on or after September 19, 2022. Reports submitted prior to this date would be treated with the old reward structure. \n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@test.com` account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. 
We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-27T19:47:17.446Z"},{"id":3677494,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. 
It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $10,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@test.com` account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. 
If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' 
privacy setting.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-20T19:09:43.069Z"},{"id":3654083,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. 
\n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an `@test.com` account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains\n* Issues related to mapping user profiles to their respective email addresses which do not 
bypass the 'Let others find my profile using my name or email address.' privacy setting.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-29T20:36:44.230Z"},{"id":3652064,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. 
If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nReporting unrestricted Github wikis, as we don't consider them to be a security concern.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* 
Denial of Service Attacks.\n* IDN homograph attacks against one of our domains\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-07T19:07:56.068Z"},{"id":3630630,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. 
Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only 
out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains\n* Issues related to mapping user profiles to their respective email addresses which do not bypass the 'Let others find my profile using my name or email address.' privacy setting.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-15T00:00:06.375Z"},{"id":3621072,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. 
Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nNowait and Yelp WiFi (Turnstyle) are currently out of scope for the program. Bugs reported sooner are certainly appreciated but won't qualify for rewards. 
We will update this policy document once those properties are eligible for bounty.\n\n**Note**: Eat24 is no longer owned by Yelp and not in the scope for this program.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n* IDN homograph attacks against one of our domains\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-11T18:49:03.788Z"},{"id":3612903,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. 
If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. 
We need your brainpower, not your processing power.\n\nNowait and Yelp WiFi (Turnstyle) are currently out of scope for the program. Bugs reported sooner are certainly appreciated but won't qualify for rewards. We will update this policy document once those properties are eligible for bounty.\n\n**Note**: Eat24 is no longer owned by Yelp and not in the scope for this program.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-27T23:14:04.254Z"},{"id":3575313,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. 
It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. 
If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nNowait and Yelp WiFi (Turnstyle) are currently out of scope for the program. Bugs reported sooner are certainly appreciated but won't qualify for rewards. We will update this policy document once those properties are eligible for bounty.\n\n**Note**: Eat24 is no longer owned by Yelp and not in the scope for this program.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking that doesn't result in account compromise / exfiltration of sensitive information.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service 
Attacks.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-01T23:33:44.799Z"},{"id":3571587,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. 
\n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nNowait and Yelp WiFi (Turnstyle) are currently out of scope for the program. Bugs reported sooner are certainly appreciated but won't qualify for rewards. We will update this policy document once those properties are eligible for bounty.\n\n**Note**: Eat24 is no longer owned by Yelp and not in the scope for this program.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this 
[article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-03-19T17:33:25.111Z"},{"id":3560753,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. 
If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nNewly acquired sites and companies are subject to a twelve-month blackout period. Yelp Reservations (Nowait) and Yelp WiFi (Turnstyle) are currently subject to this blackout period. Bugs reported sooner are certainly appreciated but won't qualify for rewards. 
\n\n**Note** eat24hours.com, eat24.com, yes-pos.com, Eat24 mobile apps, and other Eat24 properties are not in the scope of this program.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-09-21T18:58:46.102Z"},{"id":3555270,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. 
Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. 
We need your brainpower, not your processing power.\n\nNewly acquired sites and companies are subject to a twelve-month blackout period. Bugs reported sooner are certainly appreciated but won't qualify for rewards.\n\n**Note** eat24hours.com, eat24.com, yes-pos.com, Eat24 mobile apps, and other Eat24 properties are not in the scope of this program.\n\nOut-of-scope Bugs\n==============\n* Hypothetical issues that do not have any practical impact.\n* Vulnerabilities that require social engineering/phishing.\n* Attacks that require physical access to the user’s device.\n* User enumeration without any further impact.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n* Reflected File Download, consult this [article](https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download).\n* Self XSS or XSS that affects only out-of-date browsers.\n* Denial of Service Attacks.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-07T18:47:25.261Z"},{"id":3546263,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. 
It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $100.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. 
If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nNewly acquired sites and companies are subject to a twelve-month blackout period. Bugs reported sooner are certainly appreciated but won't qualify for rewards.\n\n**Note** eat24hours.com, eat24.com, yes-pos.com, Eat24 mobile apps, and other Eat24 properties are not in the scope of this program.\n\nOut-of-scope Bugs\n==============\n* Vulnerabilities that require social engineering/phishing.\n* Clickjacking without a well-defined security/privacy risk.\n* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).\n* Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly).\n* Unvalidated vulnerabilities reported by automated tools/scanners.\n* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.\n* Host header injection without a specific proof of concept.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-06T19:22:22.543Z"},{"id":3538579,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. 
Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $100.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing. If you are testing a feature that involves an email component, use an \"@test.com\" account, where possible, to make your tests easily filterable.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. 
We need your brainpower, not your processing power.\n\nNewly acquired sites and companies are subject to a twelve-month blackout period. Bugs reported sooner are certainly appreciated but won't qualify for rewards.\n\n**Note** eat24hours.com, eat24.com, yes-pos.com, Eat24 mobile apps, and other Eat24 properties are not in the scope of this program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-06T19:05:58.827Z"},{"id":3538569,"new_policy":"There’s no such thing as a perfect technology — not since they put the finishing touches on the wheel — but here at Yelp we are committed to getting as close as we can. It’s a big world and we believe that working with skilled security researchers from all corners is the key to identifying the weaknesses in any technology. If you think you have found a security issue in our product, it could be your lucky day. Let us know via our bug-bounty program on HackerOne and we’ll work with you to fix it. Yes, there’s a reward in it for you, too. \n\n\nScope\n=====\nWe’d love to have you muck around with our web apps, mobile apps, and infrastructure. Hit us with your best shot. We also put together a [bug-bounty map](https://engineeringblog.yelp.com/2016/09/yelp-public-bug-bounty-map.html) to help you hit the ground running.\n\n\nPayouts\n======\nOur vulnerability-reward payouts will go up to $15,000 USD for the most impactful exploits. If we accept your report, our minimum bounty is $100.\n\n\nWe'll Be Nice To You\n================\nThe security team at Yelp is all about keeping our users, our data, our employees, and our sites safe and sound. We are committed to working with security experts from all over the world to stay up-to-date with the latest security techniques. 
If you have found a security issue and you think we should know about it, we are ready to work with you. Let us know about it and we will make every effort to fix the issue. \n\nWe believe in recognizing everyone’s work. If your work helps us improve the security of our platform and services, we are happy to acknowledge your contribution. Rest assured, there are cash rewards, too. \n\n\nPlease Be Nice To Us\n=================\nWe want you to bring out your big guns, but hold off on actually breaking anything. Please avoid DDoS’ing us or breaking our systems and services while you are testing.\n\n\nExclusions\n========\nIssues related to software not under Yelp’s control are out of scope. If you have found a vulnerability in systems managed externally, we can’t make any guarantees about when we can fix those issues.\n\nWe don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power.\n\nNewly acquired sites and companies are subject to a twelve-month blackout period. Bugs reported sooner are certainly appreciated but won't qualify for rewards.\n\n**Note** eat24hours.com, eat24.com, yes-pos.com, Eat24 mobile apps, and other Eat24 properties are not in the scope of this program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-06T15:04:02.648Z"}]