Security: YouCap/Youcap-Extension

Security Policy

Scope

Out-of-scope vulnerabilities:

  1. Attacks against YouCap personnel, facilities or devices.
  2. Attacks against third-party assets, including GitHub, Google, or YouTube.
  3. Vulnerabilities in a browser rather than the extension.

Safe Harbor Policy

Should you suffer legal consequences due to security research conducted in good faith, we will do everything we can, to the extent possible under the law, to protect you from legal harm. However, please ensure that you adhere closely to this security policy. Never make unauthorized modifications to data and never perform research under this policy on third-party assets. Should you come into unauthorized contact with sensitive or otherwise restricted data, please halt your research and immediately file a report.

Supported Versions

The following table outlines which versions receive active updates and thus are included within the scope of this security policy.

Version Supported
1.0.x

Reporting a Vulnerability

Any security vulnerability report must include the following if applicable:

  1. Your name and email address (unless you wish to remain anonymous). Also include your organization if research was conducted as part of an organizational group.
  2. The browser, browser version, and extension version.
  3. The URL(s) that the vulnerability was tested against.
  4. A description of the vulnerability.
  5. Steps to reproduce the vulnerability.
  6. The potential security impact. (Including a CVSS score is helpful but does not meet this requirement in full.)
  7. A working proof of concept, if possible.
  8. Whether access was made to any data.

Reward

Due to YouCap's status as a non-profit, we are unable to offer a bug bounty at this time. However, with your approval we'll include you among our site's list of security researchers.
