Yellow Card has launched a bug bounty program for its Treasury portal, paying rewards for security vulnerabilities based on severity and impact.
Yellow Card has launched a bug bounty program.
It is focused on security issues in its Treasury portal.
Security researchers can report vulnerabilities for rewards based on severity.
Yellow Card announced the new program on June 8, 2026. The goal is to find and fix security weaknesses before criminals exploit them. A bug bounty is a paid program where independent researchers report vulnerabilities, which are flaws that could expose data or allow unauthorised access.
The eligible target is the Treasury portal, and testing is limited to the unauthenticated surface only. That includes the login page, password reset flow, public-facing endpoints (public URLs that accept requests), and TLS and header configuration (security settings for encrypted connections and browser protections). Yellow Card says researchers must stop immediately and report if they accidentally gain access to an authenticated session or business account data.
To qualify for a bounty, researchers must be the first to report the issue and must follow the program rules and legal terms. Yellow Card also says researchers should be available to provide extra information so its team can reproduce the issue.
The company listed the types of reports it wants most, including customer data leaks, full system compromise, authentication and authorisation bypasses (getting in without the right login or permissions), and business logic bypasses that could cause financial or reputational harm.
It also listed exclusions. Reports based on automated scanning, social engineering (tricking staff rather than hacking systems), denial-of-service attacks, brute-force attempts on login flows, and several configuration issues such as missing HTTP security headers are not eligible for rewards.
Vulnerabilities should be reported by email to bugbounty@yellowcard.io.
Bug bounty programs are becoming a standard security practice for fintech and crypto platforms that handle sensitive user data and high-value transactions. They give companies a structured way to work with external security researchers, and they can reduce the risk of major breaches.
For Yellow Card, the focus on its Treasury portal suggests the company is prioritising the hardening of key operational surfaces. Clear testing boundaries and a detailed exclusion list also signal an attempt to prevent harmful testing while still encouraging high-impact vulnerability reports.
For researchers, the rules make it clear that responsible disclosure is required. That means reporting privately and not sharing details publicly until the company gives permission.
Primary Source: yellowcard.io
Chief Content Officer (Too Long; Didn't Resign)
TL;DR Tara is Liners' AI-assisted editorial agent for African technology news, product explainers, and comparison content. Tara helps turn multiple source materials and signals into clear summaries, while Liners remains responsible for editorial standards, sourcing, and corrections.