Security & Compliance

Yoummday attribbutes great importance to the security of its IT systems. However, despite the most careful implementation, configuration and testing, vulnerabilities may still exist. On this page, our aim is to proactively share relevant IT security information with you:

  1. Vulnerability Disclosure Policy (VDP) of Yoummday GmbH
  2. Certifications and Assertions
  3. Data Protection Documents

Vulnerability Disclosure Policy of Yoummday GmbH

VDPyoummday - Background

With the introduction of the VDPyoummday (Vulnerability Disclosure Policy of Yoummday GmbH), developers and security researchers were called upon to uncover vulnerabilities in the IT systems of Yoummday GmbH. Thanks to good co-operation with developers worldwide, our systems have already been made more secure.

With our Vulnerable Disclosure Policy, we are taking a modern approach to finding and closing vulnerabilities.
The use of VDPyoummday should be seen as a supplement to our own investigations into unknown vulnerabilities and security gaps in our systems. This is the prerequisite for closing vulnerabilities and gaps and thus minimising the risk of a successful attack on our IT systems.
The VDPyoummday is aimed at all IT security researchers and developers who would like to find and report a vulnerability discovered in our systems.

VDPyoummday - SecurityPolicy

Security Policy

If you discover vulnerabilities in Yoummday GmbH's IT systems and web applications, please let us know. We will then take immediate action to rectify the vulnerability found as quickly as possible.

Proceed as follows to report a vulnerability:
  • Send your results on the vulnerability found to yoummday using our VDP-Tool. We guarantee you complete anonymity when using the VDP tool. 
  • Alternatively, you can also send your findings by email to security@yoummday.com. However, this does not guarantee complete anonymity. Please use the format template below for your message.
  • Do not exploit the vulnerability or problem, for example by downloading, modifying or deleting data.
  • Do not pass on your information about the vulnerability to third parties or institutions.
  • Do not carry out any attacks on our IT systems that could compromise, change or manipulate infrastructure and/or people.
  • Do not carry out any social engineering (e.g. phishing), (distributed) denial of service, spam or other attacks on us.
  • Provide us with sufficient information so that we can reproduce and analyse the problem. As a rule, the address or URL of the affected system and a description of the vulnerability are sufficient. However, complex vulnerabilities may require further explanation and documentation.
What we promise YOU:
  • We are trying to close the vulnerability as quickly as possible.
  • You will receive feedback from us regarding your message.
  • We will treat your report confidentially and will not pass on your personal data to third parties without your consent.
  • The finder is judged on his or her abilities and not on age, education, gender or origin. We also show this respect publicly and recognise this achievement. If nothing else is requested, we will mention the description of the closed vulnerability and the name (or alias) of the discoverer on our thank you page in order to publicly express our good co-operation with yoummday.
Qualified reporting of vulnerabilities

Any design or implementation problem that is reproducible and affects security can be reported. Common examples are:

  • Cross Site Request Forgery (CSRF)
  • Cross Site Scripting (XSS)
  • Insecure Direct Object Reference
  • Remote Code Execution (RCE) - Injection Flaws
  • Information Leakage and Improper Error Handling
  • Unauthorised access to properties or accounts
  • and much more.

However, these can also be:

  • Data/information leaks
  • Possibility of exfiltration of data / information
  • Actively exploitable backdoors
  • Possibility of unauthorised system use
  • Misconfigurations
Non-qualified weak points

The following vulnerabilities do not fall within the scope of Yoummday GmbH's Vulnerability Disclosure Policy:

  • Attacks that require physical access to a user's device or network.
  • Reports from automated tools or scans without explanatory documentation.
  • Social engineering against individual persons, the companies of Yoummday GmbH or contractors of Yoummday GmbH.
  • Denial of Service attacks (DoS/DDoSDistributed Denial of Service).
  • Bots, SPAM, mass registration.
Format template for a vulnerability report (if the VDP tool is not used):

1. Title / name of the vulnerability
2. Vulnerability type
3. Brief explanation of the vulnerability (without technical details)
4. Affected product / service / IT system / device
- Manufacturer
- Product
- Version / Model
5. Exploitation technique
- Remote
- Local
- Network
- Physical
6. Authentication type
- Pre-Auth
- Authentification Guest
- User privileges (user / moderator / manager / admin)
7. User interaction
8. Technical details and description of the vulnerability
9. Proof of concept
10. Demonstration of a possible solution
11.  Author and contact details (if anonymity is not desired, otherwise in ALIAS)
12.  Consent to mention the name and the vulnerability found in the acknowledgement

VDPyoummday - FAQ

 

What is the VDP?
The Vulnerability Disclosure Policy of Yoummday GmbH (VDPyoummday) is a legally harmonised process for the responsible disclosure of vulnerabilities found at Yoummday GmbH by IT security researchers or developers. There is no monetary reward. 

I reported a vulnerability yesterday, why hasn't it been closed yet?
We endeavour to close the reported vulnerabilities as quickly as possible. Once a vulnerability report has been received, it is included in our regular process. It may be the case that further vulnerabilities are waiting in a queue for processing. The report is first checked for plausibility. We may also have to contact the provider in question to clarify the issue and plan and implement mitigation measures.

What is the difference between a danger/threat, a risk, a vulnerability, damage and a hazard at Yoummday GmbH?
Hazards/threats have the fundamental potential to cause damage.
Damage is defined as a disadvantage caused by the reduction or loss of tangible or intangible assets.
The risk is determined by the probability of occurrence and the amount of loss and cannot usually be fully objectively assessed.
Vulnerabilities in terms of information technology are errors within the hardware and software used. They can be caused by inadequate programming, configuration and operation of IT systems, among other things, and can lead to a hazard.
Hazard describes the state when a real danger can affect a specific asset and damage is likely to occur.
Hazards in themselves are not considered qualified vulnerabilities. Vulnerabilities whose exploitation leads to a risk to Yoummday GmbH and where damage is likely to occur are referred to as qualified vulnerabilities.

Can I discuss the vulnerability with other people?
Responsible handling of a vulnerability means that you only report it or share it with others once the vulnerability has been closed. We will of course inform you about this.

 How long does it take you to rectify weak points?
It is customary to finalise the vulnerability report no later than 90 days after receipt. However, depending on the complexity of a vulnerability, it can also take considerably longer.

What is your scope?
The VDPyoummday covers all Yoummday GmbH websites and IT systems accessible via the Internet.

May scanners also be used (e.g. Burp, Nessus, etc.)? Are active scans permitted?
In principle, you can use vulnerability scanners for your work. The intensity and invasiveness of the active vulnerability scans must not impair availability. Invasive active mass scanning is therefore not permitted. In addition, submitted reports from automated tools without explanatory documentation formally count as non-qualified vulnerability reports and are not recognised.

What is a qualified vulnerability?
A qualified vulnerability and the associated recognition are characterised in particular by the fact that this vulnerability poses a threat or risk to the IT infrastructure, persons or assets of Yoummday GmbH. An assessment of the criticality and exploitability of the reported vulnerability is the responsibility of Yoummday GmbH.

VDPyoummday - Our thanks to you

Yoummday says thank you

The reporting developer or IT security researcher is judged on their skills and not on their age, education, gender or origin. We therefore recognise this achievement and make it public. At the moment we do not pay a bug bounty for reporting qualified vulnerabilities.

If nothing else is desired, we will mention the description of the closed vulnerability and the name (or alias) of the discoverer in order to publicly express a good co-operation with yoummday.

Certifications and Assertions

ISO 27001

ISO 9001

ISO 9001 - yoummday GmbH, Germany

ISO 9001 - yoummday EOOD, Bulgaria

ESG - EcoVadis

Data Protection Documents

Technical and Organisational Measures – Managed Service

Technical and Organisational Measures – Talents