Vulnerability Disclosure and Security policy

This is the Vulnerability Disclosure and Security policy of YGHT Ltd

You Gotta Hack That (YGHT Ltd) takes security issues extremely seriously and welcomes feedback from security researchers in order to improve the security of its products and services. We operate a policy of coordinated disclosure for dealing with reports of security vulnerabilities and other issues.

To privately report a suspected security issue to us, please send an email to security@yg.ht, giving as much detail as you can including a proof of concept and perceived risks where these are appropriate. We prefer secure communication, but not to the extent that no communications are possible. We use PGP/GPG and our key is available to download on our contact page.

We will respond to you as soon as possible. If the suspected security issue is confirmed, we will then come back to you with an estimate of how long the issue will take to fix. Once the fix is deployed, we will notify you and recognise your efforts on this page.

We ask the following:

You do not use the vulnerability to abuse our system including downloading more data than is required to demonstrate the vulnerability;
You do not reveal details of the vulnerability to anyone but us until the corrective action has been completed;
You obfuscate any data you submit and all data should be deleted after the disclosure is complete;
You permit us at least 90 days from disclosure to correct the problem;
You will not perform activities such as modification or destruction of data, Denial of Service, disclosure of personal, proprietary or financial information or anything that has an effect on another user’s experience.

What we promise:

We will not pursue any legal action against you based on your research;
We will work with you to understand and resolve the issue as soon as possible;
We will recognise your efforts by adding your details, twitter handle etc. by thanking you on our security page.

Unfortunately, at this time, we are not able to offer bug bounties, financial payouts or other tangible rewards. However, this page also acts as our hall-of-fame and will include acknowledgments for everyone who makes a report to us, has been confirmed as an issue, and where the issue has been resolved.