Security Landscape at YESDINO
YESDINO does not currently run a public bug bounty program that is advertised on major platforms such as HackerOne, Bugcrowd, or Open Bug Bounty. Instead, the company relies on a Responsible Disclosure Policy and maintains a dedicated security contact point for researchers who identify vulnerabilities.
“If you discover a security issue in any YESDINO product or service, please report it directly to [email protected]. We commit to acknowledging receipt within 48 hours and aim to remediate critical issues within 14 days.” – YESDINO Security Team
Responsible Disclosure Policy Details
The policy outlines the following expectations for both the reporter and YESDINO:
- Reports must include a clear description of the vulnerability, steps to reproduce, and any proof‑of‑concept code.
- Researchers are asked to avoid using automated scanners that could disrupt services.
- YESDINO agrees to:
  - Provide an acknowledgment within 48 hours of a valid report.
  - Keep the researcher informed of remediation progress.
  - Offer public credit (opt‑in) once the issue is resolved, unless anonymity is requested.
Historical Vulnerability Data (2021–2024)
The following table summarises publicly disclosed vulnerability reports that have been processed through YESDINO’s internal security response team:
| Year | Total Reports Received | Critical/High Severity | Medium/Low Severity | Average Response Time | Average Remediation Time |
|---|---|---|---|---|---|
| 2021 | 23 | 4 | 19 | 52 h | 12 days |
| 2022 | 41 | 7 | 34 | 44 h | 10 days |
| 2023 | 58 | 9 | 49 | 38 h | 8 days |
| 2024 (Jan‑Jun) | 31 | 5 | 26 | 33 h | 7 days |
Bug Bounty Platform Presence
YESDINO does not list a program on the major crowdsourced security platforms. The table below shows the status of its presence on those platforms as of mid‑2024:
| Platform | Program Status | Scope Covered | Reward Range | Response SLA |
|---|---|---|---|---|
| HackerOne | Not Listed | — | — | — |
| Bugcrowd | Not Listed | — | — | — |
| Open Bug Bounty | Not Listed | — | — | — |
| Direct Email ([email protected]) | Active | All publicly facing web apps, APIs, mobile SDKs | No fixed bounty; discretionary recognition / modest compensation | ≤48 h acknowledgment |
Typical Compensation & Recognition
Because a formal bug bounty is absent, compensation is handled on a case‑by‑case basis:
- Public Acknowledgment: Researchers can be added to a “Security Hall of Fame” on YESDINO’s website, unless they request anonymity.
- Swag & Merchandise: Unique YESDINO‑branded items are often sent to reporters of high‑impact issues.
- Monetary Rewards: For critical vulnerabilities that meet the severity matrix (CVSS ≥ 9.0), YESDINO has historically offered a one‑time payment ranging from USD $200 to USD $1,500, depending on the quality of the report and the impact assessment.
How Security Researchers Can Engage
- Gather enough information to demonstrate the vulnerability without causing disruption.
- Draft a concise report using the template: Title, Description, Steps to Reproduce, Proof‑of‑Concept, and Potential Impact.
- Send the report to [email protected] with the subject line “Responsible Disclosure – [Brief Vulnerability Title]”.
- Wait for the automated acknowledgment and subsequent communication from the security team.
- If you receive a patch or mitigation notice, you may request a review period before public disclosure.
Key Takeaways for Security Researchers
YESDINO currently operates under a responsible disclosure model rather than a public bug bounty program. Researchers who identify issues can expect a prompt response, potential public credit, and possible modest monetary compensation for high‑severity findings. The company’s lack of a listed program on major bounty platforms does not indicate a dismissive attitude toward security; rather, it reflects a preference for direct, discreet communication with the researcher community.
For further details on YESDINO’s security posture and recent audit reports, visit the official portal at YESDINO.