{ Introduction }

Yandex may use third-party external services and partner software products. These can be found both in internal infrastructure and in user-facing services.

Please carefully review the guidelines for vulnerability research in such software.

{ Rules and Conditions }
  • A third-party service refers to domains and hosts located on IPs/ASes not owned by Yandex.
  • Active testing (scanning, fuzzing, etc.) of third-party resources and services is prohibited. The only exception is if explicitly permitted by the vendor’s or partner’s Bug Bounty policy.
  • If the vendor has a Bug Bounty program or a security contact, you must first report the vulnerability to the vendor’s security team.
  • We may ask for confirmation that you contacted the vendor (e.g., a partial screenshot of the email).
  • The decision on monetary rewards is made on a case-by-case basis by Yandex’s security team. You may be eligible for a reward from the vendor if they have their own Bug Bounty program.
  • Yandex cannot influence the vendor’s timeline for analysis, the nature of fixes, or their reward decisions.
  • The reward amount is determined individually—depending on the type of integration, the nature of the vulnerability, and the volume of data processed.
  • Yandex reserves the right to deny a reward if the research was conducted in violation of this policy or if the issue does not affect the security of Yandex services or user data.