Yandex's web-based services, iOS- or Android-based applications, which process, store or use in one way or another sensitive user information, such as:
Web domains: yandex.ru, yandex.com, yandex.com.tr, yandex.kz, yandex.ua, yandex.by, yandex.net (except people.yandex.net), yandex.st, ya.ru.
Mobile apps: Yandex.Maps, Yandex.Navigator, Yandex.Music, Yandex.Taxi, Yandex.Mail, Yandex.Market, Yandex.Metro, Yandex.Fotki, Yandex.Trains, Yandex.Disk, Yandex.Store, Yandex.Browser, Yandex.Key.
Desktop apps: Yandex.Browser
Entire Yandex AS, excluding addresses of other 3rd party projects hosted on Yandex infrastructure.
The quickest and best way to send a bug report is via this special form.
Any security bug, a technical flaw, that can facilitate violation of confidentiality, integrity or availability of confidential user information on websites in the scope of the Yandex Bug Bounty contest. Web service vulnerabilities are classified using OWASP Top-10 of 2010. Mobile application vulnerabilities are classified using OWASP Mobile Top-10.
Yandex.Browser. All attacks (see applicable table below) must be relevant only for Yandex Browser, i.e. attach must be reproduced in Yandex Browser, but not in Chromium-based browsers which use same Chromium release. Severity level correlates with the size of the payment in bounty program.
The amount of the reward depends on whether a security bug has been found on one of the key services or apps, or somewhere else.
Key services: Yandex.Passport, Yandex.Mail, Yandex.Disk, Yandex.Maps, Yandex.Calendar, Yandex.Direct, Yandex.Market, Yandex's home page and search results page.
|OWASP Top-10||Key services||Other services|
|A01. Injection||3,133.7 USD||800 USD|
|A02. Cross Site Scripting (XSS) – A05. Cross Site Request Forgery (CSRF)||320 USD||160 USD|
|A06. Security Misconfiguration – A10. Unvalidated Redirects and Forwards||160 USD||100 USD|
Key apps: Yandex.Maps, Yandex.Navigator, Yandex.Music, Yandex.Mail, Yandex.Market, Yandex.Store, Yandex.Browser, Yandex.Key.
|OWASP Mobile Top-10||Key apps||Other apps|
|M01. Insecure Data Storage – M05. Poor Authorization and Authentication||320 USD||160 USD|
|M06. Improper Session Handling – M08. Side Channel Data Leakage||160 USD||100 USD|
|Attack vector||Vulnerabilities types||Reward for High-quality detailed report with PoC||Baseline|
|Remote code execution in browser||Stack-based buffer overflow Heap-based buffer overflow Type confusion Use-after-free||3300 USD||1300 USD|
|Sandbox escape||Any kind of Chromium security sandbox violation||3300 USD||1300 USD|
|Protect(c) bypass||Secure WiFi violation Password bruteforce through phishing protection Security file checking bypass||2200 USD||650 USD|
|Same Origin Policy violation||Universal XSS Cache-timing vulnerabilities Browser-API vulnerabilities||2200 USD||650 USD|
|Content Security Policy violation||Except CSP-violation through extensions or HTTP/HTTPS headers hijacking||1200 USD||400 USD|
|HTTPS bypass||Vulnerabilities in SSL\TLS realization Vulnerabilities in certificate validation SSL-strip||1200 USD||400 USD|
|Built-in Extensions vulnerabilities||XSS XXE XSRF Critical information disclosure||650 USD||200 USD|
The reward will be offered only for reporting those vulnerabilities that have not been previously detected.
The Yandex Bug Bounty participants' age has the lower age limit of 14 years old. Participants younger than 18 years old are required to provide a written permission for participation in the contest from their parents or guardians.
Yandex employees, the employees in any of Yandex’s partner companies, the authors of the code where security flaws have been reported, cannot participate in the Yandex Bug Bounty hunt.
You can test the Yandex services or mobile apps and demonstrate their vulnerabilities only from your own account. Hacking into someone else's account is strictly forbidden.
By submitting a bug report you agree to comply with Yandex’s Responsible Disclosure Policy, which forbids public or private disclosure of the details of any vulnerability found on Yandex within 90 days.