The platform is divided into three main sections:
Tabs for the programs and reports you will be submitting
- Overview: Quick summary of your activity
- Programs: Here you find the security programs you have been invited to and can work on.
- Reports: List of the reports you have submitted.
- Invites: Private programs to which you have been invited individually.
Security researcher
- All security researchers: A list of all the security researchers you can work with.
- Leaderboard: The top 10 security researchers in the Yogosha Strike Force.
- Kudos: Cumulative amount of kudos you have received while working on programs at Yogosha.
Current balances:
The cumulative amount of rewards (in different currencies if applicable) you have received for submitted reports.
Overview tab
In the overview section, you have a quick summary of your activity (Figure 1):
Kudos: Number of Kudos earned by month, updated when a report is qualified.
Wallet: An overview of your wallet status.
Severity distribution: Number of reports sent per severity.
Top 3 vulnerabilities: Top 3 of the most submitted types of vulnerabilities.
Leaderboard: Your rank in our security researchers leaderboard, based on the amount of kudos earned.
Valid reports: Number of accepted reports.
Pending reward reports: Number of accepted reports waiting to be paid.
Relevance: Percentage of accepted reports.
Notifications:
You get notifications whenever you are invited to a new program, your reports are being processed, or you get rewarded.
Program tab
In this tab, you can find all the security programs you can work on.
When you choose a program and click on it, you will get all the details about the program.
Overview
The overview section shows all program details:
- Description: This section presents the asset details.
The goal is to give you as much information as possible, such as links for mobile application downloads, API documentation, etc.
- Mission: The client will mention here the details of the mission; points of attention, possible attack scenarios, architecture diagrams, download links for a mobile application, API documentation links, etc.
- Out of Scope: Everything the client does not want you to test. By default, DDoS or physical attacks are already specified as out of scope. This section is very important for Bug Bounty programs because if a report concerns a vulnerability outside the scope, you will not get paid for it.
- Technical Information: The client will specify here any other relevant information about the program.
- Targets: The asset perimeter, which lists URLs, domain names, IP addresses or ranges, links to a mobile application…
- Security checklist (for pentest only): If the customer wants specific things to be tested as part of the pentest, the name of the checklist will be mentioned here. You will find more details about the checklist you have to follow on the Security Checklist tab of the pentest program (next section of this documentation).
- VPN: By requesting the use of Yogosha VPN during testing, the customer will be able to give you access to environments that are not publicly accessible or open on the internet.
- Terms and conditions: If the client has special conditions that they want the security researchers to accept, beyond those of the Yogosha platform (the ones you are required to accept to work with Yogosha), they will be mentioned here.
- Test accounts: The list of test accounts that you can use to run the tests, in case of grey box tests, or white box tests.
- Spoken languages: The language(s) in which the reports should be written.
- Executive summary: The language(s) in which the executive summary should be written.
(The executive summary is a comprehensive report presenting the tests carried out, the vulnerabilities identified, possible exploits, and recommendations for correction. You will find more detailed information in section 5. Executive summary and on-the-platform walkthrough).
Security checklist (for pentest programs only)
If the customer wants specific things to be tested as part of the pentest (in the case of a certification, for example), they will provide you with a list of the items to be checked during the pentest. You can use an existing checklist such as OWASP Web/Mobile/API or IoT, or create your own.
You will then need to respect the checklist items when carrying out your tests.
Activity
From the Activity tab, you can view KPIs dedicated to the program in question: criticality level of reports received, acceptance rate of reports and reasons for rejected reports, top 3 vulnerabilities reported, allocated and remaining budget, most prolific researchers, etc.
Reports
In the reports tab, you can see the reports you submitted for this specific program. Click on the desired report to view it, check the stage your report is at, and discuss it with the customer in the comment section. Reports can also be seen from the Reports tab of the platform, on the left, for all programs combined.
Executive summary (only for pentest programs)
The executive summary is a comprehensive report presenting the tests carried out, the vulnerabilities identified, possible exploits, and recommendations for correction.
From this section, you will be able to start the Executive Summary (by clicking on Initiate Executive Summary) or consult it.
Consult the platform walkthrough to see step-by-step how to write the Executive Summary.
Report a vulnerability
Finally, you can report a vulnerability for this program by clicking “Report a vulnerability” in the upper right.
Consult the platform walkthrough to see step-by-step how to report a vulnerability.
Reports tab
On this tab, you will be able to see all the reports you submitted and consult them individually.
To consult a report that has already been submitted, click on it. From the report, you can see what stage your report is at, or access the comment section to discuss it with the customer (check the Step 6 - Discuss a vulnerability from the Platform Walkthrough).
From this view, you can also delete the report or ask for a mediation (check Step 6 - Discuss a vulnerability from the Platform Walkthrough).
Invites tab
This tab offers a view of the private programs to which you have been invited individually. Click on one of the programs to see its details and submit a report.
All security researchers tab
To get the list of all the security researchers, go to the All Security Researchers tab.
By clicking on any security researcher’s name you can view their profile and all the information about them: name, country, groups, social media, skills, number of accepted reports (based on closed reports), leaderboard rank…
Leaderboard tab
In the Leaderboard tab, you find the top 10 security researchers in the YSF (Yogosha Strike Force). You can change the filter between the different options displayed (All time, Current month, Last month, Last 30 days…).
Kudos tab
Shows the number of Kudos earned; it is updated when a report is qualified.
(Learn more in the playbook and rules.)
Current balances tab
In the Current Balances tab, you can check:
- Your wallet, in $ or € depending on the mission and the client's payment currency.
- Your invoices, which you can find and get paid for on this tab.
Personal information & account parameters
Profile
- Public information
Edit your username and upload a profile picture.
- Biography and interest
Add a biography, your current job, hobbies, and a quote that represents you in your profile.
- Languages and skills
Specify your spoken language(s) and your different skills.
- Social networks
Add your social networks such as Twitter, LinkedIn, GitHub, and any other social media.
- Public profile
Choose if you want your profile to be public or private. Your profile can be accessed by the clients and security researchers within the same groups only.
Wallet
- Wallet
On this tab, check your wallet and the payments made to you by customers for reports you submitted.
- Invoices
On this tab, you will find your invoices and get paid for them.
KYC and payment
The KYC procedure consists of verifying the identity and integrity of the cyber security researchers in our community.
This section is mandatory, so please fill it in with the corresponding information.
- Identity: The identity information, except your birth date, is visible to users who are able to see your profile. (Admin, Customers, Hunters…).
- Proof of identity: This part is also mandatory, but it is confidential.
You need to provide your passport or ID. The accepted documents depend on your citizenship:
- For EU citizens: ID card or passport.
- For the UK, USA, Canada, and all other countries: passport only.
- Personal Address: Please enter your correct personal address here. We do verify your address, so make sure to provide us with the right one.
- Billing: The purpose of this section is to collect your billing information so that bills can be generated. There are two options, as shown in the following figure:
You must choose the first option if you are part of the European Union, "You are a freelancer or you have your own business". Indeed, you must have a tax status because you have to declare VAT (even if you are exempt).
- Active payment method: In order to get paid, you must activate your payment method by adding your bank account and filling in the needed information.
Settings
- Language: The platform is available in two languages: English and French. You can switch to the language that suits you the most.
- Email: You can update your email address. It is not visible to other users; only you can see it.
- Password: You can change your password by entering the old one and then the new one.
- Two-Factor Authentication: In order to protect your Yogosha account, add two-factor authentication by linking your account to your mobile phone.
- API keys: This section allows you to generate a personal API key to access our API. Read the documentation and follow the steps to learn how to use the API.
- VPN Configurations: In programs where the client demands the usage of the VPN, you must use the VPN even if the target is publicly accessible. If you don't have any VPN configurations, you can generate one.
- Availability: This ON/OFF button allows you to share your current availability. If it is OFF, you will receive neither invitations to work on private programs nor notifications about newly opened programs.
- Yogosha Strike Force: In order to work on challenging and rewarding programs, join the Yogosha Strike Force. There are a few steps to follow in order to join the community; everything is detailed in the platform if you wish to join.
- Legal Documents: The terms and conditions of use that you accepted on the Yogosha platform.
- Delete my account: By deleting your account, know that:
- The deletion will be effective within 1 month.
- You'll lose access to the platform.
- Your personal data will be permanently erased; there will be no way to restore your account.
→ Emphasize account deletion (a question frequently asked in support tickets)
Logout
You can simply log out by clicking on Logout.