Responsible Disclosure Program
LAST UPDATED: 22 FEBRUARY 2024
Youverse simplifies all consumer interactions with secure and
private identity and face verification on any device in industries
as diverse as Retail, Banking & Payments, Travel &
Hospitality, Healthcare, Self-Service & Delivery. Register once
and access services anywhere, anytime by just using your face.
At Youverse, we believe in the importance of securing our products and services, and we appreciate the efforts and transparency of the security research community in reporting to us vulnerabilities that may have slipped past us during security testing in the development and testing stages. Should you find a vulnerability in one of our systems, we would prefer to hear about it as soon as possible so that we can take measures to protect our customers and staff.
We may need to update this document from time to time, so we recommend you check back periodically. If we make any substantial changes, we may notify you via email or by posting a notice on our website.
Definitions
For the purposes of this document:
- Company (referred to in this document as either “we”, “us”, “our” or “Youverse”) refers to YOONIK – AUTHENTICATION AND PRIVACY SYSTEMS, S.A.
- Services refers to the websites, mobile applications, software development kits and other products and services offered by YOONIK – AUTHENTICATION AND PRIVACY SYSTEMS, S.A. that link to this document.
Rules of Engagement (RoE)
The RoE we require from you, as a security researcher/ethical hacker, are the following:
- Use solely the security@youverse.id channel to report vulnerability information to us;
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Youverse;
- We do not allow authenticated testing and therefore cannot provide credentials;
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (e.g. deliberate denial of service attacks), and destruction of data during security testing, including avoiding the exploitation of actual vulnerabilities that may directly or indirectly harm Youverse or any interested party.
How to report
You can report vulnerabilities via security@youverse.id. Please always include a description of the vulnerability itself, where exactly you identified it, evidence of the issue (if applicable; screenshots, videos and similar are encouraged), as well as steps explaining how to replicate the vulnerability (we can neither reward nor acknowledge vulnerabilities we cannot verify).
Our commitment
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursuing or supporting any legal action related to your research;
- Working with you to understand and resolve the issue quickly, including a) confirming receipt of the report within 5 days of submission and b) providing our conclusion on the report within 90 days of receipt of the report;
- Compensating you appropriately according to the severity of the vulnerability as determined by our internal triage results.
- To provide compensation, we require security researchers/ethical hackers to sign a non-disclosure agreement (NDA), provide a copy of valid identification and produce an invoice for our Portuguese-based headquarters.
Exclusions
This program is not intended for reporting complaints. It is also not intended for:
- Reporting problems that are already known to us;
- Reporting that our website or a given service of ours is not available, or DDoS attacks;
- Reporting error messages that do not contain sensitive information or any error behavior which does not pose a security risk;
- Reporting phishing emails;
- Reporting fraud.