Vulnerability Disclosure Policy

Last updated: 12 July 2026 · Effective immediately · Version 1.0

Yoola SMS takes the security of our platform, our 840+ business customers, and the millions of message recipients we serve very seriously. We value the security research community and welcome responsible disclosure of vulnerabilities.

This policy sets out how to report security issues to us, what we commit to in return, and what activities are authorized.

🙏 Thank you. By taking the time to responsibly report a vulnerability, you are helping us protect real businesses across East Africa. We treat every report with respect and gratitude.

1. How to Report

Send security reports to security@yoolasms.com.

What to include

Our response commitments

2. Scope

In scope

Out of scope

3. Reward Structure

We offer monetary rewards for validated, in-scope vulnerabilities based on severity:

💎 Exceptional reports may receive rewards exceeding these tiers at our discretion. If your report reveals a systemic issue affecting multiple parts of our platform, we'll recognize that appropriately.

Reward payment

4. Rules of Engagement

To qualify for reward and safe harbor, you must:

⛔ Never do the following:

5. Excluded Issues

The following are NOT eligible for reward:

6. Safe Harbor

Yoola SMS commits to the following if you make a good-faith effort to comply with this policy:

If legal action is initiated by a third party against you for activities conducted under this policy, we will make it known that your activities were authorized.

7. Public Disclosure

After a fix has shipped, we support coordinated public disclosure:

8. Hall of Fame

All researchers who make a valid report are eligible for public credit in our Security Researcher Hall of Fame. Credits include:

You may opt out of public credit and remain anonymous if you prefer.

9. Contact & Questions

Security reports: security@yoolasms.com
Policy questions: security@yoolasms.com
General inquiries: hello@yoolasms.com
Machine-readable: /.well-known/security.txt

This policy may be updated periodically. Material changes will be communicated on our Security page. Version history is maintained in our internal repositories.

← Back to Security page