Yandex may use third-party external services and partner software products. These can be found both in internal infrastructure and in user-facing services.
Please carefully review the guidelines for vulnerability research in such software.
{ Rules and Conditions }
A third-party service refers to domains and hosts located on IPs/ASes not owned by Yandex.
Active testing (scanning, fuzzing, etc.) of third-party resources and services is prohibited. The only exception is when such testing is explicitly permitted by the vendor’s or partner’s Bug Bounty policy.
If the vendor has a Bug Bounty program or a security contact, you must first report the vulnerability to the vendor’s security team.
We may ask for confirmation that you contacted the vendor (e.g., a partial screenshot of the email).
The decision on monetary rewards is made on a case-by-case basis by Yandex’s security team. You may be eligible for a reward from the vendor if they have their own Bug Bounty program.
Yandex cannot influence the vendor’s timeline for analysis, the nature of fixes, or their reward decisions.
The reward amount is determined individually—depending on the type of integration, the nature of the vulnerability, and the volume of data processed.
Yandex reserves the right to deny a reward if the research was conducted in violation of this policy or if the issue does not affect the security of Yandex services or user data.
Wed Aug 27 2025 19:37:06 GMT+0300 (Moscow Standard Time)