Y Combinator Security

For security issues with Hacker News, please visit https://news.ycombinator.com/security.html.

Y Combinator considers the security of our systems and applications to be of the utmost importance.

Reporting Security Vulnerabilities

Y Combinator welcomes input from the security research community. Through responsible disclosure we hope to improve the security of our applications and user data. To that end, we encourage security researchers to notify us of any potential vulnerabilities uncovered to security@ycombinator.com. Reports received through this channel should receive a prompt reply and if you do not receive a timely response we ask that you please attempt to contact us again. To protect our users we also request that you please refrain from sharing information about any potential vulnerabilities with anyone outside of YC. Once we have confirmed the vulnerability and mitigation we hope that you will join us in an announcement.


While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Y Combinator staff or contractors
  • Any physical attempts against Y Combinator property or data centers

Bug Bounties

We do pay bug bounties at our discretion for significant vulnerabilities responsibly disclosed.


Thanks to the following people who have discovered and responsibly disclosed security holes in Y Combinator software.

20180304 Arkadiy Tetelman

  • Our signature computation in SSO was vulnerable to an http parameter pollution attack that allowed account takeovers.

20180313 Wai Yan Aung

  • A static website that we served via S3 was leaking staff operating system usernames and ids.

20180429 Mohamed Sayed

  • The YC blog's API was left enabled after a migration, no data was exposed but it should have been disabled.

20180501 Wai Yan Aung

  • Reported lack of SPF records on unused domains.

20180501 Faizal Abroni

  • Reported that an unused subdomain could be hijacked via AWS Cloudfront

20180606 nthack

  • Reported XSS vulnerabilities on www.workatastartup.com, fixed quickly. No data was exposed.

20180917 Philip Thomas

  • Reported a vulnerability in Startup School that made founder email addresses accessible to other Startup School founders.

20181023 Philip Thomas

  • Reported a vulnerability in our application that leaked recommendations that were left on previous applications.

20200714 Pritam Mukherjee

  • Reported an endpoint that needed to be rate limited.

20200720 Shiraz Ali Khan

  • Reported a missing DMARC record.

20201124 Anil Bhatt

  • Reported that we were not stripping EXIF data from user-uploaded images

20210524 Kuter Dinel

  • Discovered a vulnerability in how we use Algolia indexes

20220121 Shishir Shrestha

  • Discovered a stored XSS vulnerability.

20230812 Nessim Jerbi

  • Discovered multiple XSS issues.

20231211 Kuter Dinel

  • Discovered an OAuth Client Impersonation Attack