Vulnerability Disclosure Policy
Yoola SMS takes the security of our platform, our 840+ business customers, and the millions of message recipients we serve very seriously. We value the security research community and welcome responsible disclosure of vulnerabilities.
This policy sets out how to report security issues to us, what we commit to in return, and what activities are authorized.
1. How to Report
Send security reports to security@yoolasms.com.
What to include
- Description — clear, concise summary of the vulnerability
- Impact — what an attacker could achieve
- Steps to reproduce — numbered, specific, complete
- Proof of concept — code, screenshots, or video (whatever is clearest)
- Suggested fix — if you have one (optional but appreciated)
- Your contact info — how we should credit and reward you
Our response commitments
- Within 3 business days — we acknowledge your report
- Within 10 business days — we confirm the vulnerability or explain why we've closed it
- Within 30-90 days — we ship a fix (severity-dependent)
- Coordinated disclosure — we work with you on public disclosure timing after the fix ships
2. Scope
In scope
yoolasms.comand all subdomains- Our API endpoints at
yoolasms.com/api/v1/* - Our customer dashboard at
yoolasms.com/accounts/* - Our admin systems (as visible to non-admins)
Out of scope
- Third-party services we use (Africa's Talking, Flutterwave, mobile money providers) — please report those to the respective providers
- Social engineering attacks against Yoola SMS staff or customers
- Physical attacks against Yoola SMS infrastructure
- Denial-of-service (DoS/DDoS) attacks
- Attacks requiring MITM or physical access to a victim's device
- Development and staging environments (if you find one, please tell us — but don't test on it)
3. Reward Structure
We offer monetary rewards for validated, in-scope vulnerabilities based on severity:
- 🔴 Critical — UGX 150,000 · Remote code execution, full database access, authentication bypass allowing mass account takeover, SMS credit theft at scale
- 🟠 High — UGX 60,000 · Individual account takeover, admin panel access, SMS spoofing, significant privilege escalation
- 🟡 Medium — UGX 25,000 · Sensitive information disclosure, credit/balance manipulation, IDOR with real impact, stored XSS in customer areas
- 🟢 Low — UGX 10,000 · Reflected XSS with limited impact, CSRF on non-critical actions, verbose error messages leaking system info
Reward payment
- Paid via mobile money (MTN, Airtel), bank transfer, or Flutterwave to any supported country
- Paid within 30 days of vulnerability confirmation and fix
- First reporter of a specific vulnerability receives the reward; duplicates do not qualify
- Reward tier is determined by our security team based on actual impact
- You may decline monetary reward and receive only Hall of Fame credit
4. Rules of Engagement
To qualify for reward and safe harbor, you must:
- ✅ Report the vulnerability privately to security@yoolasms.com before any public disclosure
- ✅ Give us reasonable time (minimum 30 days) to investigate and fix
- ✅ Only test using accounts you own or have explicit permission to access
- ✅ Avoid privacy violations, data destruction, and service disruption
- ✅ Access only the minimum data necessary to demonstrate the vulnerability
- ✅ Delete any data you access during testing after your report is filed
- ✅ Follow all applicable laws
- Access, modify, or delete data belonging to other users
- Perform destructive testing (DELETE, DROP, etc.)
- Send actual SMS to numbers you don't own
- Deplete another user's SMS credits
- Publicly disclose the vulnerability before we've patched it
- Demand payment as a condition of disclosure (this is extortion)
- Use the vulnerability for any purpose other than reporting it
5. Excluded Issues
The following are NOT eligible for reward:
- Missing security headers with no demonstrable impact
- Missing rate limiting on public endpoints with no impact
- SPF/DKIM/DMARC configuration issues
- Reports from automated scanners without manual verification
- Best-practice recommendations without an actual vulnerability
- Self-XSS (attacker attacks themselves)
- Version disclosure or fingerprinting without exploit
- Clickjacking on pages with no sensitive actions
- CSRF on logout or non-state-changing endpoints
- Any bug reported after a duplicate submission
- Issues on our staff-only admin interface without a way for non-admins to exploit them
- Issues requiring extremely unlikely user interaction
6. Safe Harbor
Yoola SMS commits to the following if you make a good-faith effort to comply with this policy:
- We will not pursue legal action against you for security research conducted in accordance with this policy
- We will not report you to law enforcement for research activities that comply with this policy
- We will work with you to understand and resolve the issue
- We will publicly recognize your contribution (with your permission)
If legal action is initiated by a third party against you for activities conducted under this policy, we will make it known that your activities were authorized.
7. Public Disclosure
After a fix has shipped, we support coordinated public disclosure:
- Researchers may publish their findings 30 days after the fix has shipped
- For critical issues affecting many customers, we may request a longer delay
- We ask that you notify us before publishing so we can prepare
- Blog posts, conference talks, and CVE requests are all welcome
8. Hall of Fame
All researchers who make a valid report are eligible for public credit in our Security Researcher Hall of Fame. Credits include:
- Your name or handle (as you prefer)
- Optional link to your Twitter/GitHub/website
- Date of disclosure
- Severity level (without specific technical details)
You may opt out of public credit and remain anonymous if you prefer.
9. Contact & Questions
Security reports: security@yoolasms.com
Policy questions: security@yoolasms.com
General inquiries: hello@yoolasms.com
Machine-readable: /.well-known/security.txt
This policy may be updated periodically. Material changes will be communicated on our Security page. Version history is maintained in our internal repositories.
← Back to Security page