Responsible disclosure

Yokahu Vulnerability Disclosure Policy

Yokahu is a trading name of McCosh Holdings Ltd. In this Vulnerability Disclosure Policy, references to "Yokahu" are to McCosh Holdings Ltd.

We take the security of our customers' confidential information extremely seriously. The disclosure of security vulnerabilities helps us protect the security and privacy of our users.

We want to hear from security researchers who have information about suspected security vulnerabilities in any Yokahu service exposed to the internet. We value your work and are committed to working with you. Thank you in advance for your contribution.

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you've discovered confidential between yourself and Yokahu until we've had 90 days to resolve the issue

We ask that you do the following in conducting your research:

  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Yokahu
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
  • Comply with all applicable laws

In conducting your research under this policy you are not permitted to carry out any of the following:

  • Spamming forms or scanning applications through automated vulnerability scanners
  • Publicly disclosing a vulnerability without giving us a reasonable amount of time to respond to the issue
  • Accessing or modifying our data or our users' data, without explicit permission of the relevant owner. Only interact with your own accounts or test accounts for security research purposes
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Attacks on third party services

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research, or for what we consider to be accidental, good-faith violations of this Policy. We consider activities conducted consistently with this Policy and in good faith to constitute "authorised" conduct under the Computer Misuse Act 1990
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission)
  • Take reasonable steps, if a third party initiates legal action against you and you have complied with this policy, to make it known that your actions were conducted in compliance with this policy
  • Not attempt to silence researchers who report vulnerabilities to us. We encourage full public disclosure, but ask that we are provided with advance notification and a reasonable amount of time to fix the issues prior to disclosure
  • Act in good faith to fix reported issues in a timely manner where we deem it necessary

You should contact us at security@yokahu.co to request specific and advance approval if you believe your proposed activities are likely to be inconsistent with this policy.

Scope

https://app.yokahu.co

Out of scope

Any services hosted by third-party providers are excluded from scope. These include:

  • Payment services such as Stripe
  • KYC, AML and identity checking services
  • The presence or absence of SPF records

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types and/or vulnerabilities are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • UI and UX bugs and spelling mistakes
  • Password, email and user-account policy issues, such as email verification, reset-link expiration and password complexity
  • Attacks requiring physical access to a user's device
  • Missing security headers which do not lead directly to a vulnerability
  • Missing best practices
  • Self-XSS that does not lead to leakage of confidential information
  • Host header injections that do not lead to leakage of confidential information
  • Use of a known-vulnerable library without evidence of exploitability
  • Reports from automated tools or scans
  • Reports of spam
  • Attacks that require an attacker application to have the permission to overlay on top of our application (for example, tapjacking, clickjacking)
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering vulnerabilities
  • Physical exploits
  • Any access to data where the targeted user needs to be operating a rooted mobile device
  • Content spoofing vulnerabilities
  • Absence of rate limiting, unless related to authentication
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Reporting a vulnerability

If you believe you've found a security vulnerability in one of our products or platforms, please send it to us by emailing security@yokahu.co. All communication should be PGP encrypted; our public keys can be found at https://keys.openpgp.org by searching for security@yokahu.co or admin@yokahu.co

Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability
  • Whether or not, in your opinion, customer data is or could be exposed as a result of this vulnerability
  • A detailed description of the steps required to reproduce the vulnerability (PoC scripts, screenshots, and compressed screen captures are all helpful to us)
  • Optionally, recommendations for remediation if you are aware of how to fix the vulnerability

Things we do not want to receive from you:

  • Personally identifiable information (PII)
  • Credit card holder data

By submitting your report:

  • You agree not to publicly disclose the vulnerability until Yokahu agrees to a public disclosure
  • You agree to keep all communication with Yokahu confidential
  • You represent the report is original to you and that you did not copy the report or any part of it from another third party
  • You allow Yokahu the unconditional ability to use, distribute, and/or disclose information provided in your report