Yoors security


Disclaimer: This post is intended for security researchers & testers

Scope

Eligible domains

yoo.rs

Vulnerabilities that we accept:

✅ Stored or reflected Cross-Site Scripting
✅ CSRF/XSRF
✅ SQL injection
✅ Unauthorized uploads to S3 buckets
✅ Remote Code Execution
✅ Authentication Bypass
✅ Unauthorized data access
✅ User enumeration
Vulnerabilities that we don't accept:

❌ "Self" Cross-Site Scripting
❌ Missing best practices in DNS configuration (DKIM/DMARC/SPF/TXT)
❌ Denial of Service (DoS) attacks
❌ Vulnerabilities in third-party applications that integrate with Yoors
❌ Missing rate limiting
❌ UX issues without security impact
❌ Social engineering attacks
❌ Insecure cookie flags
❌ Issues only affecting outdated browsers/platforms/frameworks
❌ Issues considered by Yoors staff to be of low severity

Rules

Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.
  • You must be the first person to report the vulnerability
  • Do not use weaknesses you discover for purposes other than your own investigation
  • Do not use social engineering to gain access to a system or a Yoors account
  • Do not install any backdoors – not even to demonstrate the vulnerability of a system
  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further
  • Do not alter the system in any way
  • If you do manage to infiltrate a system, do not share access with others
  • Do not use brute force techniques to gain access to systems
How to report
  • Provide the IP address you test from in the report. It is kept private and used only to match your testing activity against our logs
  • Report weaknesses to us by email: security@yoo.rs
  • Describe the weakness as explicitly and in as much detail as possible, and provide any evidence you have, so that we can reproduce it
  • Output from automated scanners alone is not accepted as evidence
  • In particular, include the following in your e-mail:
    • Which vulnerability you found
    • The steps you took to find and reproduce it
    • The full URL(s) involved
    • Objects/files that were involved
    • Videos and/or screenshots of the attack are highly appreciated