Yandex Browser bug bounty

Bug bounty

New threats and attack vectors appear every day. Yandex strives to keep abreast of the latest state-of-the-art security trends by working with independent security researchers and IT companies.
We appreciate the community's efforts in creating a more secure world, and we launched the bug bounty program to make our products better. This web page covers one of our key products: Yandex Browser.

Target

https://browser.yandex.com/

Please note: the target is the current build of Yandex Browser (desktop), NOT the web domain.

Bug reporting

The quickest and best way to send a bug report is via this special form.

Focus Areas & Reward guidelines

All submissions must be relevant only to Yandex Browser, i.e. they must be reproducible in Yandex Browser but not in Chromium-based browsers.

How to check your vulnerability:

  • Get the Chromium version that your Yandex Browser build is based on (open browser://version).
  • Check your bug on the same version of Chromium.
  • If it doesn't reproduce there, send it to us.

Attack vector                        | Vulnerability types                                                                                          | Reward for high-quality detailed report with PoC | Baseline
Sandbox escape                       | Any kind of Chromium security sandbox violation                                                              | 3300 USD                                         | 1300 USD
Remote code execution in browser     | Memory corruption and logic vulnerabilities                                                                  | 3300 USD                                         | 1300 USD
Same Origin Policy violation         | Universal XSS, browser-API vulnerabilities, cache-timing vulnerabilities                                     | 2200 USD                                         | 650 USD
Yandex Protect bypass                | Secure WiFi violation, Safe Browsing bypass                                                                  | 2200 USD                                         | 650 USD
HTTPS bypass                         | Vulnerabilities in the SSL/TLS implementation, vulnerabilities in certificate validation, stealth SSL strip   | 1200 USD                                         | 400 USD
Content Security Policy violation    | All kinds except CSP violation through extensions or HTTP/HTTPS header hijacking                            | 1200 USD                                         | 400 USD
Built-in extension vulnerabilities   | XSS, XXE, XSRF, sensitive information disclosure                                                             | 650 USD                                          | 200 USD

Excluded Submissions

Restrictions and responsible disclosure policy

A reward will be offered only for reporting vulnerabilities that have not been previously detected.

The minimum age for Yandex Bug Bounty participants is 14 years. Participants younger than 18 years old are required to provide written permission from their parents or guardians to take part in the contest.

Yandex employees, employees of any of Yandex’s partner companies, and the authors of the code in which security flaws have been reported cannot participate in the Yandex Bug Bounty hunt.

You can test the Yandex services or mobile apps and demonstrate their vulnerabilities only from your own account. Hacking into someone else's account is strictly forbidden.

By submitting a bug report you agree to comply with Yandex’s Responsible Disclosure Policy, which forbids public or private disclosure of the details of any vulnerability found on Yandex within 90 days.