Yandex Browser Bug Bounty

The Bug Bounty program is designed to encourage security research on one of our key applications: Yandex Browser.

This program is aimed at the following products:


The program covers vulnerabilities that can be reproduced on Windows 7+, macOS 10.10+, Linux, Android 4.4+, and iOS 7+.

The current version of the product is taken to be the release version at the time the vulnerability is reported.

Yandex doesn't reward reports on:

  • Vulnerabilities in the Yandex Browser Lite product (com.yandex.browser.lite).
  • Vulnerabilities in the corresponding Chromium version, and vulnerabilities in Yandex Browser for Android (alpha) (com.yandex.browser.alpha) and Yandex Browser for Android (beta) (com.yandex.browser.beta) if they can be reproduced in Yandex Browser for Android (com.yandex.browser).
  • DLL hijacking, if it requires local access to modify the system.
  • Differences in Yandex Browser behavior compared to other Chromium-based browsers without a demonstrated security impact (code execution, unauthorized access to user data, or a bypass of the browser's security mechanisms).
  • Vulnerabilities in browser extensions that Yandex does not bundle in a release.
  • Vulnerabilities whose root cause is in the Chromium code.
  • IDN homograph attacks.
  • Vulnerabilities that can be exploited only after changing the browser's default settings and/or policies.
  • Vulnerabilities that can be exploited only if the user performs specific actions (for example, user gestures).
  • Vulnerabilities in third-party components (libraries, plugins) used by the browser.
  • Vulnerabilities on mobile devices that can be exploited only with root privileges, a jailbreak, or any other modification of the app or device.

How to check a vulnerability

  • Find out the Chromium version using the browser://version link.
  • Check whether the vulnerability reproduces in the same Chromium version.
  • If the issue doesn't reproduce in Chromium, send it to us.

The Yandex Browser Bug Bounty program is subject to the general provisions of the Bug Bounty competition: in addition to a reward for a verified vulnerability, the researcher is added to the Hall of Fame. You can also request a CVE; information about it will be posted on our thank-you page.

Report only vulnerabilities specific to Yandex Browser: they must be reproducible in Yandex Browser and not in Chromium-based browsers. To learn more, see "How to check a vulnerability".

The bounty depends on the severity of the vulnerability, how easily it can be exploited, its impact on user data, and the report type (a detailed report with a PoC, or a basic report).
We determine severity together with the developers, so this takes some time.

Rewards

Each entry below gives the attack vector, the vulnerability class, the reward for a detailed report, the reward for a basic report, and an example of a qualifying vulnerability.

Chromium sandbox escape
  Vulnerability class: bypassing the sandbox mechanism in any way
  Detailed report: $5000
  Basic report: $3000
  Example: executing arbitrary commands in the OS on behalf of a privileged browser process

Remote code execution in the browser
  Vulnerability class: vulnerabilities caused by logic issues or memory corruption
  Detailed report: $3000
  Basic report: $1500
  Example: executing code in the context of a renderer process inside the sandbox

Bypassing the Same Origin Policy
  Vulnerability class: UXSS, browser API vulnerabilities
  Detailed report: $1500
  Basic report: $750
  Example: UXSS, obtaining data of an arbitrary origin

Vulnerabilities in Yandex Browser services and mechanisms
  Vulnerability class: vulnerabilities in account synchronization or password storage, critical vulnerabilities in data autosuggest
  Detailed report: $1500
  Basic report: $750
  Example: getting access to the password manager data

NTP (new tab page) implementation vulnerabilities
  Vulnerability class: getting access to NTP interfaces or the NTP context with subsequent access to user data
  Detailed report: $1000
  Basic report: $500
  Example: getting access to the browser API available to the NTP from an arbitrary site context

Bypassing HTTPS, vulnerabilities in the SSL/TLS implementation, bypassing Yandex Protect mechanisms
  Vulnerability class: bypassing the Secure Wi-Fi mechanism, bypassing the Safe Browsing mechanisms
  Detailed report: $1000
  Basic report: $500
  Example: accessing blocked sites, or disabling warnings on sites with untrusted certificates

Replacing user interface elements
  Vulnerability class: address bar spoofing, notification spoofing
  Detailed report: $500
  Basic report: $250
  Example: address bar spoofing

Bypassing Content Security Policy
  Vulnerability class: any bypass method except those relying on extensions or on HTTP/HTTPS header substitution
  Detailed report: $500
  Basic report: $250
  Example: bypassing the rules set by a site's CSP directives

Built-in extension vulnerabilities
  Vulnerability class: XSS, XXE, CSRF, disclosure of sensitive information
  Detailed report: $500
  Basic report: $250
  Example: XSS in a bundled extension

Requirements for detailed error reports

A detailed error report should contain the following:

  • A PoC and a screencast that show the vulnerability being exploited and the resulting security breach: code execution, access to user data, bypass of browser mechanisms, and so on.
  • For vulnerabilities that bypass security mechanisms, the report must demonstrate not only that the bypass is possible but also actual access to the protected data or functionality. For example, a report about UXSS or a SOP bypass must demonstrate a scenario for accessing third-party origin data.
  • Information about the browser version and environment (browser://version).
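The evidence a detailed report asks for (a PoC that really reads third-party origin data, plus the browser and Chromium versions) and the Chromium-version check from "How to check a vulnerability" can be partly automated. The following is an added example written for this page; it is not Yandex's code. It assumes the user-agent string carries the usual Chrome/<version> (Chromium) and YaBrowser/<version> tokens; the function names and the sample user-agent string are constructed for the example.

```javascript
// Added example, not Yandex's code: a small harness for collecting the evidence a
// detailed UXSS / SOP-bypass report needs. It (1) extracts the Chromium and Yandex
// Browser versions from a user-agent string, so the same Chromium build can be
// re-checked, (2) compares origins the way the same-origin policy does, and (3) in
// a browser, attempts a real cross-origin document read and records the outcome.
// Function names and the sample user-agent string are assumptions made for this example.

// The "Chrome/<ver>" token of the UA is the Chromium version; "YaBrowser/<ver>" is the
// Yandex Browser version. Returns null for tokens that are not present.
function parseBrowserVersions(userAgent) {
  const chromium = /\bChrome\/(\d+(?:\.\d+)*)/.exec(userAgent);
  const yandex = /\bYaBrowser\/(\d+(?:\.\d+)*)/.exec(userAgent);
  return {
    chromium: chromium ? chromium[1] : null,
    chromiumMajor: chromium ? Number(chromium[1].split('.')[0]) : null,
    yandex: yandex ? yandex[1] : null,
  };
}

// An origin is scheme + host + port. URL.origin already drops default ports, so
// https://example.com:443/ and https://example.com/ compare equal, while a different
// scheme or a subdomain is a different origin.
function isSameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Turn the outcome of a read attempt into the one-line verdict that belongs in the report.
function classifyEvidence(result) {
  if (result.sameOrigin) return 'same-origin target: no SOP bypass shown';
  if (result.read) return 'cross-origin read succeeded: SOP bypass demonstrated';
  return 'cross-origin read blocked (' + result.error + '): expected behavior';
}

// Browser-only. Loads targetUrl in an iframe and tries to read its document. A correct
// browser throws a SecurityError on contentWindow.document for a cross-origin frame; a
// successful read of cross-origin content is the evidence the program asks for.
function attemptCrossOriginRead(targetUrl) {
  return new Promise((resolve) => {
    const frame = document.createElement('iframe');
    frame.src = targetUrl;
    frame.onload = () => {
      const sameOrigin = isSameOrigin(location.href, targetUrl);
      let result;
      try {
        const text = frame.contentWindow.document.body.innerText;
        result = { sameOrigin, read: true, sample: text.slice(0, 200) };
      } catch (err) {
        result = { sameOrigin, read: false, error: err.name };
      }
      frame.remove();
      resolve(result);
    };
    document.body.appendChild(frame);
  });
}

// Assemble the environment section (what browser://version would show) plus the verdict.
function buildReport(userAgent, targetUrl, result) {
  return {
    environment: { userAgent, ...parseBrowserVersions(userAgent) },
    target: targetUrl,
    attempt: result,
    verdict: classifyEvidence(result),
  };
}

// Constructed sample for running outside a browser (e.g. node): a UA of the shape Yandex
// Browser sends, and a blocked cross-origin read as a correct browser would report it.
const SAMPLE_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/93.0.4577.63 YaBrowser/21.9.0.1044 Yowser/2.5 Safari/537.36';

if (typeof window === 'undefined') {
  const blocked = { sameOrigin: false, read: false, error: 'SecurityError' };
  console.log(JSON.stringify(buildReport(SAMPLE_UA, 'https://example.com/', blocked), null, 2));
} else {
  attemptCrossOriginRead('https://example.com/').then((r) =>
    console.log(JSON.stringify(buildReport(navigator.userAgent, 'https://example.com/', r), null, 2)));
}
```

Run the file in node to see the report shape with the constructed sample, or load it from a PoC page in the browser to perform the real iframe read. Only a verdict of "SOP bypass demonstrated" against a target that isSameOrigin reports as a different origin is the kind of evidence the detailed-report requirements describe; a blocked read is the browser working as designed.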

Mon Sep 27 2021 12:45:45 GMT+0300 (Moscow Standard Time)