Yieldstreet: Vulnerability Disclosure Policy

Thank you for taking an interest in the security of Yieldstreet. We value the security of our customers, their data, and our services. In an effort to protect our digital ecosystem, we’ve created this page to allow security researchers from around the world to report any potential security issues they may have found.

Our commitment to you:

  • To maintain trust and confidentiality in our exchanges with researchers who report to the program.

  • To treat everyone who contributes with respect. We appreciate your contribution to keeping us and our customers safe and secure.

  • To work with you to validate and remediate reported vulnerabilities.

  • To investigate and remediate issues in a manner consistent with protecting the safety and security of both on-prem and cloud customers. Addressing a valid reported vulnerability takes time, and the time required will vary with the severity of the vulnerability and the systems affected.

Our ask of you:

  • Trust. As we promise to maintain trust and confidentiality with you, we ask that you do the same with us: do not disclose any details of your submission without express written permission from our team.

  • Please provide as much information as possible in your submission. Clear reproduction steps for your finding are vital so that we can validate the report in a timely manner.

  • Adhere to the out-of-scope section below.

  • Please make sure to add your email address to the submission, so we can get in touch with you about any technical details as needed.

Vulnerability Disclosure Scope

Out of scope:

  • Testing the physical security of our offices, employees, equipment, etc.

  • Conducting non-technical attacks such as social engineering or phishing attacks.

  • DoS/DDoS or any other testing that would impact the operation of our systems.

  • Accessing, downloading, modifying, or destroying data residing in an account that does not belong to you.

  • CSRF on forms that are available to anonymous users.

  • Disclosure of known public files or directories (e.g. robots.txt).

  • DNSSEC configuration suggestions.

  • HTTP/HTTPS/SSL/TLS security header configuration suggestions.

  • Lack of Secure/HTTPOnly flags on non-sensitive cookies.

  • Logout Cross Site Request Forgery.

  • Sender Policy Framework (SPF) configuration suggestions.

  • Vulnerabilities only affecting users who are using outdated or unpatched browsers and platforms.

  • Testing that would result in sending spam or other unsolicited messages.

  • Testing third-party applications or services.

  • Defacing any of our assets.

Below you will find the form where you can submit your finding. Please remember to include as much information as possible, clearly presented, to help facilitate validation. It is highly recommended that you provide your email address to ensure you can claim your submission and continue communication as needed.