What kind of vulnerabilities will not be rewarded?

We cannot reward vulnerabilities in third-party websites and partner services.

We cannot reward reports about vulnerabilities in Yandex users' authentication, such as weak passwords.

We cannot reward reports about DDoS attacks against Yandex, social engineering, such as phishing, vulnerability scanners reports, including any reconnaissance data (e.g. information about open ports, daemon banners, etc), outdated version of software installed.

We cannot reward reports about vulnerabilities on services in the yandex.net or yandex.st domains, other than ‘Injection’ or ‘Configuration error in the web environment’ reports.

We cannot reward XSS or CSRF reports unless they involve sensitive user data and are triggered instantly after a user clicks through to a forged page without any additional actions.

Can you send my prize money to my PayPal account or some other e-payment account?

We can currently transfer prize funds only to winners' bank accounts. Foreign residents will receive their reward in U.S. dollars converted from roubles at the current exchange rate at the Central Bank of Russia on the day of payment.

What happens after I send bug report?

You will receive an automated email with your ID number to confirm that we've received your report. You can respond to this email if you want to send some additional information.

After studying your report, we may ask you to send more information. You will be informed about the result no later than 30 days after sending your report (this, however, normally happens much sooner).

You may be asked to send us your bank account information if your bug report wins a monetary prize.

Please be aware that only the first of a few similar vulnerability reports will be rewarded, so don't hesitate to report a bug as soon as you find it.