Log in
Log in
Log in
Yandex Cloud
Scope: all public services of the Yandex Cloud infrastructure.
Your goal is to expose vulnerabilities in our public cloud platform, which provides the infrastructure and services for building applications.
1
Area
2
Domains
3
IP-addresses
4
Exceptions
All public services of Yandex Cloud are listed here
- *.yandex.cloud
- *.cloud.yandex.ru
- *.cloud.yandex.com
- *.cloud.yandex.net (see exceptions)
- *.yandexcloud.net (see exceptions)
- *.yandexcloud.kz (see exceptions)
The program covers subnets of the AS200350 autonomous system. You can use the Whois protocol or ASN in BGP to find out the autonomous system number.
Active scanning of IPv4 subnets is prohibited as our clients lease IPv4 addresses of these subnets for hosting their apps.
You should only scan the following subnets:
- 2a0d:d6c1:/48
- 84.201.181.26/32
- 185.206.167.32/27
Active scanning of internal networks during pivoting is allowed only with the explicit approval of the security team to your request registered as a ticket describing the pivoting method. To confirm the success of the attack and the possibility of pivoting, you may scan localhost, provide the instance-id of the virtual machine from the metadata service, or a string from ssrf-sheriff.
In addition to the general exceptions of the Yandex BugBounty program, there are the following exceptions:
- Client-side vulnerabilities in UGC domains without demonstrated impact (UGC domains - *.yandexcloud.net and *.yandexcloud.kz);
- Reports of bugs in UGC endpoints shall be accepted and assessed only for Yandex Cloud or Yandex-owned resources;
- Client-side vulnerabilities in *.cloud.yandex.net domains shall be accepted only upon their impact demonstration;
- Open redirect in SSO endpoints without demonstrated impact;
- Resistance to DDoS attacks;
- Container escape in Datasphere and Gitlab environments without demonstrated impact;
- Information on Yandex Cloud employees obtained from within the managed services' VMs;
- 1-day vulnerabilities in third-party components (including managed services) within up to 30 days of their disclosure;
- Insecure default settings in Cloud Marketplace images without demonstrated impact;
- Reports of vulnerabilities in third-party products in Cloud Marketplace shall be considered informational;
- Side-channel attacks on RAM or CPU without demonstrated impact;
- LFI attacks through image conversion without demonstrated isolation bypass;
- Search for existing resources via ID brute-forcing;
- Reports on the configuration of repositories https://github.com/yandex-cloud/ shall be considered informational;
{
Rewards
}
Vulnerability | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
Virtual Machine escape in Compute/ Serverless | $36,000 | NA | NA |
Unsandboxed Remote Code Execution | $10,000 — $12,000 | $5,000 — $8,000 | $2,000 — $6,000 |
Cross-tenant IAM Access Controls Bypass (Read-Write Access) | $6,000 — $10,000 | $3,000 — $5,000 | $1,000 — $3,000 |
Cross-tenant IAM Access Controls Bypass (Read Data Access) | $5,000 — $8,000 | $1,000 — $4,000 | $1,000 — $2,000 |
Single-tenant IAM Access Controls Bypass (Read-Write Access) | $2,000 — $6,000 | $500 — $3,000 | $300 — $1,500 |
Unsandboxed SSRF with response leakage | $2,000 — $6,000 | $1,500 — $3,000 | $1,500 |
Unsandboxed LFI, RFI without the impact described above | $2,000 — $6,000 | $1,000 — $3,000 | $1,000 |
Injection (sql, yql и similar) | $2,000 — $6,000 | $1,000 — $3,000 | $1,000 |
DOS in a cloud or virtualization network stack
Examples of such vulnerabilities include a Packet of Death or a sequence of instructions causing a critical termination of a control service on a virtual machine server's Dom0. | $3,000 — $5,000 | NA | NA |
Cross-tenant IAM Access Controls Bypass (Read Metadata Access) | $2,000 — $4,000 | $500 — $3,000 | $500 — $1,000 |
Remote Code Execution in Restricted Environments (Managed Services и Datatransfer)* The amount depends on the impact | $1,000 — $6,000 — Managed database & k8s $5,000 — $20,000 — Datatransfer | $500 — $2,000 | $200 — $1,500 |
Single-tenant IAM Access Controls Bypass (Read Access) | $1,000 — $4,000 | $500 — $2,000 | $200 — $900 |
Unsandboxed SSRF (blind) | $2,000 | $1,000 | $450 |
XSS (except for *. yandex.net, некоторых доменов *.yandexcloud.net и *.yandexcloud.kz и self) | $3,000 — $2,400 | $200 — $1,200 | $100 — $750 |
Other vulnerabilities are assessed in accordance with the «Main Scope» program | 0 — $2,000 | 0 — $2,000 | 0 — $2,000 |
Individual reports can be honored by the security team and rewarded with an additional promo code for Yandex Cloud services. You can use it both for your personal needs and to search for vulnerabilities in paid Yandex Cloud services.
Before checking DoS vulnerabilities, you should contact the Yandex Cloud security team by email in order to allocate a separate host and VM for secure testing.
{
Tiers
}
The Yandex Cloud security team prioritizes Yandex Cloud services according to the internal threat model and the criticality of the data stored in the application:
Tier 1
- Yandex Сompute Cloud
- Virtual Private Cloud
- Yandex Object Storage
- Managed services for Databases
- Managed service for Kubernetes ®
- Yandex Cloud Console
- Yandex Cloud authentication services
- Yandex Cloud Center
- Yandex Cloud Organization
- Yandex Data Transfer
- Yandex SpeechSense
- Yandex Certificate Manager
Tier 2
- Yandex Monitoring
- Yandex DataLens
- Yandex DataSphere
- Yandex Cloud Backup
- Yandex Managed Service for GitLab
- Yandex Vision OCR
- YandexGPT API
- Yandex Foundation Models
- Yandex Container Registry
- Yandex Message Queue
- Yandex Data Streams
Tier 3
- Yandex Load Testing
- Yandex Cloud CDN
- Yandex IoT Core
- Github hook environment
- Any services with Preview status
- Other Yandex Cloud* services (the Tier of new services may change based on reports)
Mon May 26 2025 08:26:42 GMT+0300 (Moscow Standard Time)