
Platform code of conduct

A code of conduct for responsible interaction


Introduction

Our platform is designed to offer a collaborative, trusted, and secure environment for finding and fixing security vulnerabilities. We expect all users of our platform to make the right choices and act in accordance with our core values and hunting principles.


Platform Core Values

The following core values aim to promote the utmost professional behaviour across the whole community and ecosystem.

  • Preserving confidentiality

  • Cooperating on programs in a respectful manner

  • Committing to the rules

These Core Values apply to anyone using our platform and services and are embedded in our company principles.

Preserving confidentiality

Maintaining confidentiality is fundamental to the Bug Bounty model. When using our platform, you must preserve the confidentiality of:

  • the existence and any details of private programs on the platform (name of the company running the program, scopes, reward grids, etc.);

  • vulnerability reports (whatever the status) and associated data;

  • all communications related to testing and reporting activities.

Breaches of confidentiality undermine trust and expose organizations to additional risk, whether technical, reputational or legal.

Cooperating on programs in a respectful manner

Effective vulnerability testing depends on open, respectful cooperation between Security Researchers and Program Managers. This collaborative approach, initiated by organizations, is the key value of our Bug Bounty model; organizations and the Security Researchers’ community must establish, develop, and maintain a relationship of trust.

  • Use clear, precise, and constructive language.

  • Adopt an empathetic and positive attitude.

  • Accept that report handling by triage teams and managers may take time; be patient throughout the process.

  • Welcome contradictory opinions and have reasoned discussions when perspectives differ.

  • Prioritize trust and mutual respect over suspicion.

Committing to the rules

The program rules define the specific terms of engagement, and all stakeholders must comply with them at all times:

  • Report any discovered vulnerability within 24 hours of identification.

  • Configure and calibrate testing tools according to provided specifications.

  • Restrict testing actions to those expressly authorized by the program scope, whatever the potential severity of the findings.

  • Accept the organization’s determination of the program’s scope and refrain from contesting its decisions on in- and out-of-scope assets.

  • Respect that program managers hold sole discretion over private program invitations and refrain from attempting to influence their decisions.

  • Comply with the General Conditions of Use (GCU) available at: https://yeswehack.com/auth/register.


Hunting principles

Security Researchers’ actions should always be guided by the goal of strengthening security without causing harm to assets or individuals. To achieve this, Security Researchers are expected to operate in compliance with the following hunting principles, which ensure that their work consistently mitigates risk, adheres to fair and ethical practices, and maintains a high standard of rigor and thoroughness.

Mitigating risks at all times

As cybersecurity community members, Security Researchers must be aware of and manage the risks of active cybersecurity testing:

  • Minimize the risks and potential consequences of testing in production environments in terms of confidentiality, integrity, and availability.

  • Conduct tests that improve security without introducing new risks for the organization.

  • Apply the precautionary principle by communicating with the program managers for their approval before performing any test with potential side effects.

  • Understand that certain proofs of concept or techniques (e.g., resource exhaustion or “cyber graffiti”) may impact service stability or organizations' reputation.

  • Limit testing volume to what is reasonable and maintain control over tools, scanners, payloads, and LLM results.

  • Determine the most appropriate level of proof needed to qualify and verify vulnerabilities.

Any testing activity causing significant disruption must be reported immediately.

Adhering to fair and ethical practices

Security Researchers must conduct themselves with integrity and fairness:

  • Do not retaliate or display malevolent behaviour by leveraging threats, intimidation techniques, or extortion to gain an unfair and/or illegal advantage from the Bug Bounty model.

  • Always operate within the bounds of applicable laws and regulations.

  • Uphold the trust-based nature of the bug bounty model through virtuous conduct during each of your participations.

Applying security standards

To ensure accurate, secure handling of vulnerability information:

  • Share findings through appropriate channels and with authorized stakeholders only.

  • Use scanning and exploitation tools only while explicitly authorized (i.e., while the program is active, the invitation remains valid, and the rules permit such testing).

  • Avoid damaging third parties or uninvolved systems (e.g., no testing outside the authorized scope).

  • Use secure, well-understood techniques and tools for identifying, communicating, and storing vulnerability data.


Deviating from our Platform CoC / Non-compliant behaviours

Any failure to comply with our Platform Code of Conduct will be taken very seriously and will be carefully reviewed by our relevant team and individuals involved, including our customers where the situation requires their intervention. Other documents, including but not limited to our General Conditions of Use or our T&Cs, will be taken into account.

Our Platform Code of Conduct aims to help Security Researchers understand what is expected of them. The table below summarises the measures that may be taken, categorising common violations by type, providing examples, and assigning severity levels.


Right to appeal

Depending on the nature of the violation, you may also face legal proceedings, whether civil or criminal.

ℹ️ When in doubt about what is acceptable or allowed, please refer to our support team ([email protected])

Once the sanction is communicated to you, you will have 30 days to appeal. Unless otherwise specified, the sanction will remain in effect throughout the duration of the appeal process. Your case will be re-examined, but sanctions will only be reconsidered in light of new facts or if you provide sufficient elements which demonstrate that the sanctions are not proportionate given the circumstances.


Changes

This Platform Code of Conduct may be updated periodically to reflect evolving concerns and any new emerging issues. Any changes will be effective immediately upon posting of the new version at https://helpcenter.yeswehack.io/code-of-conduct, unless otherwise specified.

Any investigations or enforcement actions will be conducted under the version of the Platform Code of Conduct that was in effect at the time of the alleged violation.

Users are encouraged to review the Platform Code of Conduct regularly and to download a copy for reference, in order to remain informed of their responsibilities and the Platform’s expectations.

Continued access to or use of the YesWeHack platform after any update constitutes acknowledgment and acceptance of the revised Platform Code of Conduct.


Violation of the platform Code of Conduct

Severity scale: 1 = low, 7 = severe.

Out-Of-Scope (severity 1)
Testing outside the scopes and rules defined in the program:
  - Out of scope
  - Mass non-qualifying vulnerabilities
  - Post-authentication tests on pre-authentication scopes

Disrespectful behaviour (severity 2)
We do our utmost to ensure that every vulnerability report is meticulously followed up, both in terms of assessment and processing times.
We do not tolerate disrespectful communication or tone towards Program Managers, Security Researchers or YesWeHack employees, including condescension, rudeness, or repeated bad-faith interactions during vulnerability reporting or follow-ups.

AI misuse (severity 3)
  - Mass non-qualifying vulnerabilities submitted using AI

Insecure or unethical testing (severity 3)
Tests must be carried out professionally and must not harm the customer or third parties in any way.
Examples:
  - Using an insecure webshell
  - Deliberate disruptive testing without explicit authorisation
  - Leaving traces visible to the system's users
  - Misrepresenting identity or credentials, impersonating other researchers or YesWeHack employees

Out-of-band contact (severity 3)
In order to preserve the security and confidentiality of communications, all direct contact with the Customer regarding any aspect of a program is forbidden unless an alternative communication channel has been defined in the program rules or in comments on vulnerability reports.

Social engineering (severity 4)
Attacks by social engineering are strictly forbidden, unless otherwise stated in the program rules or expressly authorised.

Unauthorised disclosure of private program information (severity 4)
All information concerning private programs is strictly confidential:
  - Customers
  - Programs
  - Scopes
Collaboration with non-invited collaborators is not allowed.
ℹ️ It is possible to request collaboration without disclosing this information (anon collab-UUID).

Abusive conduct / Harassment (severity 4)
We do our utmost to ensure that every vulnerability report is meticulously followed up, both in terms of assessment and processing times.
We do not tolerate discrimination or aggressive behaviour towards Program Managers, Security Researchers or YesWeHack employees, nor any attempt at blackmail or extortion.

Unauthorised confidential information disclosure (severity 5)
Disclosure of confidential information regarding:
  - Vulnerability reports
  - Proprietary information or data
  - Personal information
is not allowed without the express authorisation of the Program Managers.

Extortion / Threat (severity 7)
Any attempt at extortion, blackmail or threats is forbidden and will not be tolerated.
These behaviours may constitute a criminal offence.

Circumventing sanctions (severity 7)
Bypassing sanctions by creating multiple accounts is strictly forbidden.

YesWeHack reserves the right to adjust the above based on the facts of the case, the severity of the violation and the input of relevant parties involved. This may result in the removal of all current and future programs, an extension of the duration of the temporary ban or a permanent ban from the YesWeHack platform.

How it works

Each security researcher has 7 ethical points. Every confirmed violation of the Platform Code of Conduct decrements this ethical points counter. Security Researchers who maintain the full ethical score of 7 points are considered to be in stellar standing and fully trusted by YesWeHack. This trusted status may be considered when extending invitations to exclusive private programs.

Additional corrective actions may be implemented at YesWeHack’s sole discretion to enhance the awareness and compliance of Security Researchers. Such actions may include, but are not limited to, requiring the completion of an ethical hacking or Code of Conduct training program.

ℹ️ Your points balance can be requested by e-mail at [email protected] (please provide your username, birthdate and e-mail address).

Timeline

Each warning and point deduction applies for a separate period of 12 months, except in the case of Suspension or Ban. Points will be automatically re-credited at the end of each period.

Enforcement actions

The table below lists the action taken at each level of remaining ethical points.

6 remaining points: Awareness e-mail
Awareness message explaining the behaviour that led to the ethical points being deducted. Guidelines for improvement will be provided. The remaining balance of ethical points will also be provided.

5 remaining points: Warning e-mail
Warning message explaining the behaviour that led to the ethical points being deducted. A change in behaviour will be required. The remaining balance of ethical points will also be provided.

4 remaining points: Last warning before sanction
Warning message explaining the behaviour that led to the deduction of ethical points and that the next incident will result in disqualification from invitations to private programs, temporary platform suspension or ban. The remaining balance of ethical points will also be provided.

3 remaining points: Disqualification from invitations
Message explaining the behaviour that led to the deduction of ethical points and that the Security Researcher is subject to a restriction on invitations to private programs. The remaining balance of ethical points will also be provided.

2 remaining points: Temporary suspension
Message explaining the behaviour that led to the deduction of ethical points and that the Security Researcher is temporarily suspended from the platform for 1 month. E-wallet withdrawals are still available. The remaining balance of ethical points will also be provided.

1 remaining point: Temporary suspension
Message explaining the behaviour that led to the deduction of ethical points and that the Security Researcher is temporarily suspended from the platform for 3 months. E-wallet withdrawals are still available. The remaining balance of ethical points will also be provided.

0 remaining points: Platform ban
Message explaining the behaviour that led to the deduction of ethical points and that the Security Researcher is banned from the platform. E-wallet withdrawals are still available.

ℹ️ If you observe a security researcher violating this code of conduct or behaving in an unethical or unprofessional manner, please report it to the YesWeHack Team: [email protected]
