Log in
Log in
Log in
Yandex Browser Bug Bounty
Bug Bounty is designed to encourage security research on
one of our key applications — Yandex Browser.
1
Scope
2
Out of scope
3
How do I check a vulnerability?
4
Yandex Browser CVE
This program is aimed at the following products:
- Yandex Browser Desktop
- Yandex Browser for Android (com.yandex.browser)
- Yandex Browser for iOS.
The program includes vulnerabilities that can be reproduced on Windows 7+, macOS v10. 10+, Linux, Android 4.4+, iOS 7+.
The current version of the product is considered to be the release version at the time when the vulnerability is reported.
Yandex doesn't reward reports on:
- Vulnerabilities in the Yandex Browser Lite product (com.yandex.browser.lite).
- Vulnerabilities in a similar Chromium version, vulnerabilities in Yandex Browser for Android (alpha) (com.yandex.browser. alpha) and Yandex Browser for Android (beta) ( com.yandex.browser. beta) if they can be reproduced in Yandex Browser for Android (com.yandex.browser).
- DLL hijacking, if it requires local access for system modification.
- Any differences in the Yandex Browser behavior compared to other chromium-based browsers without demonstrating the security threat (executing a code, getting unauthorized access to user data, bypassing the browser’s security mechanisms).
- Vulnerabilities in browser extensions not bundled by Yandex in a release.
- Vulnerabilities that have the root-cause in the Chromium code.
- IDN homograph attack.
- Vulnerabilities that can be exploited only after modifying the browser default settings and/or policies.
- Vulnerabilities that can be exploited only if the user performs specific actions (for example, user-gestures).
- Vulnerabilities of third-party components (libraries, plugins) used by the browser.
- Vulnerabilities on mobile devices that can be exploited only with root privileges, jailbreak, or any other modification of apps or devices.
- Find out the Chromium version using the browser://version link.
- Check your vulnerability in the same Chromium version.
- If the issue isn’t reproduced, send it to us.
Vulnerabilities in other Yandex apps and services are beyond the scope of this competition and their detection is rewarded based on the program they’re included in. List of programs.
The Yandex Browser Bug Bounty program is subject to the general provisions of the Bug Bounty competition: in addition to being rewarded for a verified vulnerability, the researcher will be added to the Hall of Fame. You can also request a CVE, information about which will be posted on our thank you page.
{ Rewards}
You should only report vulnerabilities in Yandex Browser, meaning that they should be reproducible in Yandex Browser, not Chromium-based browsers. To lean more, see «How to check a vulnerability».
The bounty depends on how critical the vulnerability is, how easily it can be exploited, how it impacts user data, and on the error message type (detailed PoC error message or a basic error message).
We team up with developers to determine the level of severity, so it does take some time.
Attack vector | Vulnerability class | Rewards for a detailed error report | Rewards for a basic error report | Examples of vulnerabilities |
|---|---|---|---|---|
Chromium sandbox escape | Bypassing the sandbox mechanism in any way | $8,200 | $4,900 | Executing arbitrary commands in the OS on behalf of a privileged browser process |
Remote execution of code in the browser | Vulnerabilities associated with operation logic issues or memory corruption | $4,900 | $2,400 | Executing code in the context of a renderer process inside a sandbox |
Bypassing the Same Origin Policy | UXSS, browser API vulnerabilities | $2,400 | $1,200 | UXSS, obtaining data of arbitrary origin |
Vulnerabilities in Yandex Browser services and mechanisms | Vulnerabilities of account synchronization or password storage, critical data autosuggest vulnerabilities | $2,400 | $1,200 | Getting access to the password manager data |
NTP (new tab page) implementation vulnerabilities | Getting access to interfaces or NTP context with subsequent access to user data | $1,700 | $800 | Getting access to the browser API available for NTP from an arbitrary site context |
Bypassing HTTPS, vulnerabilities in SSL/TLS implementation, bypassing Yandex Protect protection mechanisms | Bypassing the Secure WI-FI mechanism, bypassing the Safebrowsing mechanisms | $1,700 | $800 | Accessing blocked sites or disabling notifications on sites with untrusted certificates |
Replacing user interface elements | Address Bar Spoofing, notification spoofing vulnerabilities | $800 | $400 | Address Bar Spoofing |
Bypassing Content Security Policy | Any bypass methods except for extension variants or HTTP/HTTPS header substitution | $800 | $400 | Bypassing rules from a site's CSP directives |
Built-in extensions vulnerabilities | XSS, XXE, CSRF, disclosure of sensitive information | $800 | $400 | XSS in embedded extensions |
Different fraud methods | $300 — $3000 | Ячейка | Ячейка | Ячейка |
{ Requirements for detailed error messages}
A detailed error report should contain the following:
- PoC and screencast that shows exploiting vulnerabilities and security breach: executing a code, accessing user data, bypassing browser mechanisms, and so on.
- For vulnerabilities that let you bypass security mechanisms, in addition to showing the potential of bypassing, the report should demonstrate getting access to protected data or functionality. For example, a report about UXSS or SOP Bypass must demonstrate a scenario for accessing third-party origin data.
- Information about the browser version and environment (browser://version).
Tue Oct 01 2024 10:10:39 GMT+0300 (Moscow Standard Time)