Y Combinator Security

March, 2018

For security issues with Hacker News, please visit https://news.ycombinator.com/security.html.

Y Combinator considers the security of our systems and applications to be of the utmost importance.

Security Practices

Y Combinator uses a variety of tools and techniques to help protect our data and software. We employ on-prem and cloud services, both of which receive routine review for safety.

Reporting Security Vulnerabilities

Y Combinator welcomes input from the security research community. Through responsible disclosure, we hope to advance the cause of improving the security of our applications and user data. To that end, we encourage security researchers to notify us of any potential vulnerabilities they uncover by emailing security@ycombinator.com. Reports received through this channel should receive a prompt reply; if you do not receive a timely response, we ask that you please attempt to contact us again. To protect our users, we also request that you please refrain from sharing information about any potential vulnerabilities with anyone outside of YC. Once we have confirmed the vulnerability and mitigation, we hope that you will join us in an announcement.

Bug Bounties

We will be launching a formal bug bounty program shortly.


Thanks to the following people who have discovered and responsibly disclosed security holes in Y Combinator software.

20180304 Arkadiy Tetelman

  • Our signature computation in SSO was vulnerable to an HTTP parameter pollution attack that allowed account takeovers.

20180313 Wai Yan Aung

  • A static website that we served via S3 was leaking staff operating system usernames and IDs.