The Yandex Bug Bounty

Yandex offers monetary rewards and a place in its Hall of Fame for reports about security vulnerabilities found on its services, infrastructure, mobile and desktop applications.

Scope

Yandex's web-based services, iOS- or Android-based applications, which process, store or use in one way or another sensitive user information, such as:

  • authentication data;
  • email correspondence;
  • personal photos or videos.

Web domains: yandex.ru, yandex.com, yandex.com.tr, yandex.kz, yandex.ua, yandex.by, yandex.net (except people.yandex.net), yandex.st, ya.ru.

Mobile apps: Yandex.Maps, Yandex.Navigator, Yandex.Music, Yandex.Taxi, Yandex.Mail, Yandex.Market, Yandex.Metro, Yandex.Fotki, Yandex.Trains, Yandex.Disk, Yandex.Store, Yandex.Browser, Yandex.Key.

Desktop apps: Yandex Browser

Entire Yandex AS, excluding addresses of other 3rd party projects hosted on Yandex infrastructure.

Sending a bug report

The quickest and best way to send a bug report is via this special form.

Focus

Any security bug, a technical flaw, that can facilitate violation of confidentiality, integrity or availability of confidential user information on websites in the scope of the Yandex Bug Bounty contest. Web service vulnerabilities are classified using OWASP Top-10 of 2010. Mobile application vulnerabilities are classified using OWASP Mobile Top-10.

Severity level correlates with the size of the payment in bounty program.

Infrastructure bugs:

  • Unauthorised access to Yandex servers and network equipment
  • Abuse of Yandex infrastructure
  • Critical information disclosure

Reward

Services

OWASP Top-10 Reward
A01. Injection 800 - 3,133.7 USD
A02. Cross Site Scripting (XSS) – A05. Cross Site Request Forgery (CSRF) 160 - 320 USD
A06. Security Misconfiguration – A10. Unvalidated Redirects and Forwards 100 - 160 USD

Mobile applications.

OWASP Mobile Top-10 Reward
M01. Insecure Data Storage – M05. Poor Authorization and Authentication 160 - 320 USD
M06. Improper Session Handling – M08. Side Channel Data Leakage 100 - 160 USD

In some cases the reward may be increased.

Restrictions and responsible disclosure policy

The reward will be offered only for reporting those vulnerabilities that have not been previously detected.

The Yandex Bug Bounty participants' age has the lower age limit of 14 years old. Participants younger than 18 years old are required to provide a written permission for participation in the contest from their parents or guardians.

Yandex employees, the employees in any of Yandex’s partner companies, the authors of the code where security flaws have been reported, cannot participate in the Yandex Bug Bounty hunt.

You can test the Yandex services or mobile apps and demonstrate their vulnerabilities only from your own account. Hacking into someone else's account is strictly forbidden.

By submitting a bug report you agree to comply with Yandex’s Responsible Disclosure Policy, which forbids public or private disclosure of the details of any vulnerability found on Yandex within 90 days.