Youi’s Security Vulnerability Disclosure Policy

Effective date: 8th March 2023

About this policy

At Youi Pty Ltd (ABN 79 123 074 733) (“Youi”), the security of our systems is of the utmost importance, and we go to great lengths to ensure they remain secure.

The goal of this policy is to establish clear guidelines for identifying and addressing vulnerabilities, and to foster a culture of transparency and collaboration with the security community in order to improve the security of Youi's systems and protect the privacy of our customers.

We welcome engagement with the security community and encourage security researchers to share any potential vulnerabilities they discover in our systems, services or products with us as soon as possible.

While we appreciate people’s contribution to improving our security, we unfortunately cannot offer compensation for the discovery of potential or confirmed vulnerabilities.

Scope

This policy covers:

  • Youi’s public-facing systems, to the extent to which individuals have lawful access (e.g. our website)

  • Anyone who has identified a vulnerability in Youi’s systems, services or products. This could include employees, customers, independent security researchers or other members of the public.

This policy does not cover:

  • Attempts to modify or destroy data

  • Denial of Service (DoS)

  • Vulnerabilities in third-party products or services

  • Policy violations

  • Clickjacking

  • Social engineering or phishing

  • Weak or insecure SSL ciphers and certificates

  • Physical attacks.

How to report a vulnerability

When reporting a vulnerability, send us an email using the address (security[@]youi.com) listed in the security.txt file on our website and follow these steps:

  • Encrypt all communications regarding vulnerabilities using the OpenPGP public key provided within the security.txt file.

  • Include written instructions for reproducing the vulnerability. Avoid making submissions without clear reproduction steps or which only include reproduction steps in video form.

Responsible disclosure

We encourage responsible disclosure of vulnerabilities that are discovered in our systems, services and products. To ensure that vulnerabilities are handled in a responsible and effective manner, we ask that researchers follow these rules when reporting vulnerabilities:

  • Do not publicly disclose the vulnerability until it has been fixed.

  • Do not exploit the vulnerability for malicious purposes.

  • Do not share the vulnerability with third parties without our written permission.

  • Coordinate the disclosure of the vulnerability with us to ensure that we have an opportunity to fix it before it is made public.

  • Closely follow the ‘handling personal information’ rules outlined below.

Handling personal information

To protect and respect the privacy of our customers and other stakeholders, please handle any personal information (PI) that you come across as follows:

  • Do not intentionally access PI that is not your own. If you suspect a service provides access to PI, limit queries to your own personal information if possible.

  • Report the vulnerability immediately and do not attempt to access any other data. The Youi Cyber Security team will assess the scope and impact of the PI exposure.

  • Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.

  • Do not disclose any accessible PI to anyone except Youi. We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.

  • Delete any inadvertently acquired local, stored or cached copies of data containing PI as soon as possible.

Response and resolution

When a vulnerability is reported to us, we will follow the steps below to ensure a prompt response:

  • Acknowledgment: We will acknowledge receipt of the report within five business days.

  • Assessment: We will assess the severity of the vulnerability and prioritise it accordingly. Vulnerabilities will be assigned a priority based on their potential impact and the likelihood of exploitation.

  • Resolution: We will keep the reporter informed of the progress of the resolution process and will work to fix the vulnerability as quickly as possible. We will provide the reporter with a timeline for when the fix will be implemented.

  • Verification: Once the fix has been implemented, we will verify that the vulnerability has been successfully resolved and will provide confirmation to the reporter.

Youi will not initiate legal action against the reporter if they adhere to this policy. In the event of any non-compliance with this policy, we reserve all our legal rights.

Recognition

We value the contributions of researchers who help us to identify and fix vulnerabilities in our systems, services and products.