Yogosha’s mission is to provide a software platform connecting independent researchers with clients wishing to test and strengthen the security of their information systems.
As such, we are driven by the desire to constantly offer researchers and clients who use our services a platform of quality, based on the essential principles of respect, transparency and confidentiality.
We count on all members of our community, researchers, customers, partners and staff, to create and maintain the productive and collaborative environment that characterizes our platform. To do this, we must all commit to respecting a set of rules for using the platform: the shared rules necessary to ensure the smooth running of Yogosha’s service.
I – Essential principles we undertake to respect:
- Respect: each party commits to respecting the others, and to respecting the ethic that drives the community of researchers: informing society (here, the customers) of the failings and technological risks to which it is exposed, whether or not those risks stem from deliberate harm. Accordingly, “ethical hackers” invite those responsible to make the necessary corrections before any disclosure to the general public.
- Transparency: Each party involved on Yogosha’s platform agrees to share all the actions it implements and the intentions behind them, if another party so requests.
- Confidentiality: The parties undertake to respect the confidentiality of the information shared. The researchers in particular undertake to apply the strictest confidentiality regarding the flaws they detect and any data that vulnerabilities in the customer’s information system could make accessible.
- Neutrality: Yogosha is committed to making every effort to resolve any dispute that may arise between clients and researchers. This principle of neutrality goes hand in hand with that of transparency.
II – Essential principles researchers commit to respect in their use of the platform
As professionals, researchers must provide a service that meets market standards, including the following:
- Diligence and professionalism in the bug bounty operations entrusted by the clients
- The researchers, after examining the customers’ requests, will evaluate the criticality objectively, according to the highest standards of the profession;
- They will then write vulnerability reports, in line with those same requests, in understandable language, making the flaws easily reproducible and identifiable for the client, including description, PoC, steps to reproduce, screenshot, impact and remediation;
- The researchers commit not to harm the systems tested, including by performing DDoS attacks, uploading exploits or downloading sensitive data. They pledge not to store any sensitive data they may encounter while searching for flaws, and to erase it from their devices immediately.
- Serious and responsible behavior
In order to deliver a quality service, the researchers:
- Commit to addressing customers, including in their security reports, using correct and courteous language;
- Recognize the need to be pedagogical by favoring clear and accessible language;
- Commit to respecting the work and reputation of other researchers and of the community;
- Undertake never to comment negatively on social networks about the community or ongoing projects.
- Protection of the integrity and confidentiality of the customer’s data, including personal data
Given the specificity of their activity and the sensitivity of the information to which they have access, the researchers acknowledge that they:
- Must not include personal data (i.e. any data relating to or identifying a natural person) in a vulnerability report, and where this is not possible, undertake to communicate with the relevant customer beforehand;
- Must never reveal the existence of ongoing bug bounty campaigns, nor communicate about the content of the campaigns, the identity of the customers or, more generally, any data or tool belonging to the customers;
- Must use appropriate tools and measures to protect the confidentiality of customer information.
- Diplomacy and communication in case of problems
Being in direct contact with clients, researchers recognize that the adoption of courteous behavior must remain the norm and commit to the following:
- Not solicit clients at inappropriate times, systematically challenge the rewards offered, or repeatedly and deliberately submit unprofessional security reports to customers;
- Not overstate the criticality of flaws merely to increase the reward. Evaluations should be based only on technical and business criteria;
- Engage in dialogue with customers to avoid misunderstandings on either side;
- Contact Yogosha as soon as possible in case of dispute with a client.
III – The essential principles that customers commit to respect in their use of the platform
- Caution in organizing bug bounty operations
In order to evaluate the existing risks under the best possible conditions, customers commit to:
- Carefully assess the sensitivity of the targets under test;
- Not have elements that are critical to the customer tested without taking appropriate internal technical precautions;
- Minimize, and protect as much as possible, personal data that may be accessed by researchers.
- Respect for researchers
Like researchers, clients are committed to respectful behavior, including:
- Address the researchers politely and properly;
- Objectively evaluate the weaknesses reported by the researchers and remunerate them in accordance with the agreed rates;
- Treat all researchers equally, without discrimination or favoritism.
- Communication and responsiveness
Effective and successful detection and correction of customers’ vulnerabilities requires that customers:
- Handle security reports submitted by researchers within a reasonable time;
- Pay researchers, and replenish the budget in case of insufficient funds;
- Communicate with the researcher in the event of a change to the criticality, the report or the reward.
- Flexibility and diplomacy
Finally, customers commit themselves to:
- Accept security reports that are a priori out of scope whenever they reveal a real security flaw affecting the client;
- Try to resolve disputes by non-adversarial means;
- In any case, contact Yogosha in the event of an incident.