Y Combinator Security

March, 2018

For security issues with Hacker News, please visit https://news.ycombinator.com/security.html.

Y Combinator considers the security of our systems and applications to be of the utmost importance.

Security Practices

Y Combinator uses a variety of tools and techniques to help protect our data and software. We employ on-prem and cloud services, both of which receive routine review for safety.

Reporting Security Vulnerabilities

Y Combinator welcomes input from the security research community. Through responsible disclosure we hope to advance the cause of improving the security of our applications and user data. To that end, we encourage security researchers to notify us of any potential vulnerabilities they uncover at security@ycombinator.com. Reports received through this channel should receive a prompt reply; if you do not receive a timely response, we ask that you please attempt to contact us again. To protect our users, we also request that you please refrain from sharing information about any potential vulnerabilities with anyone outside of YC. Once we have confirmed the vulnerability and its mitigation, we hope that you will join us in an announcement.

Exclusions

While researching, we'd like to ask you to refrain from:

  • Denial of service

  • Spamming

  • Social engineering (including phishing) of Y Combinator staff or contractors

  • Any physical attempts against Y Combinator property or data centers

Bug Bounties

We will be launching a formal bug bounty program shortly.

Thanks!

Thanks to the following people who have discovered and responsibly disclosed security holes in Y Combinator software.

20180304 Arkadiy Tetelman

  • Our signature computation in SSO was vulnerable to an HTTP parameter pollution attack that allowed account takeovers.

20180313 Wai Yan Aung

  • A static website that we served via S3 was leaking staff operating system usernames and ids.

20180429 Mohamed Sayed

  • The YC blog's API was left enabled after a migration; no data was exposed, but it should have been disabled.

20180501 Wai Yan Aung

  • Reported lack of SPF records on unused domains.

20180501 Faizal Abroni

  • Reported that an unused subdomain could be hijacked via AWS CloudFront.