Security: YouCap/YouCap-Website

SECURITY.md

Security Policy

Security is one of our top priorities. The platform was developed with security in mind from the beginning and uses input sanitization, CSRF tokens, and GET/POST request validation. Even so, we recognize that any platform can be improved, especially from a security perspective, so we invite security researchers to look for and report vulnerabilities under the terms outlined below.

Active and Passive Research

We distinguish two kinds of research. Passive research is the discovery of vulnerabilities by analyzing a public code repository. Active research is seeking out vulnerabilities by exercising the running code. Because YouCap relies on third-party providers for hosting and software distribution, active research against YouCap's live software or sites is prohibited. Researchers who wish to do active research may download the code and host their own local copy; otherwise, only passive research is permitted.

In-scope

The following platforms are considered in scope:

  1. https://www.youcap.com
  2. https://*.youcap.com

Out-of-scope

The following platforms/services and vulnerabilities are considered out-of-scope:

  1. Any platform, service or software not explicitly defined in the "In-scope" section.

  2. Active testing of anything hosted by a third-party provider, including this live site and our GitHub repositories (see "Active and Passive Research" above).

  3. DoS/DDoS/DRDoS.

  4. Missing CSRF tokens, unless the absence of the token can be shown to have a security impact (for example, a state-changing request that an attacker could forge).

  5. Physical attacks.

  6. Social engineering.

  7. Self-XSS.

  8. Attacks that depend entirely on unreasonable user behavior or on prior compromise of the user's device.

Safe Harbor

Any activity conducted in accordance with this policy is considered authorized, and we will not initiate legal action against the parties involved. Should a third party initiate legal action in connection with activities conducted under this policy, we will take steps to make it known that your activities were authorized under this policy.

How to Report

To report a vulnerability, email it to us at YouCapService@gmail.com, following the report standards below.

Report Standards

All vulnerability reports must include the following:

  1. A description of the vulnerability.

  2. An explanation of the potential security impact of the vulnerability.

  3. Whether any sensitive data was accessed and, if so, what.

  4. A working proof of concept, if one exists.

Rewards

At this time, we do not offer monetary rewards for verified vulnerabilities. However, we do credit security researchers in our Researcher Hall of Fame, shown below.

Researcher Hall of Fame

Below is a list of security researchers who reported verifiable vulnerabilities to YouCap.
