"Alice, ready or not, here I come!"

Goal: find critical vulnerabilities
Bug Bounty scope: Yandex Dialogs platform


Duration: from 13.12.2024 to 26.01.2025
{ About service }
Yandex Dialogs is a platform for developing skills for Alice. It lets external developers create their own interactive scenarios for interacting with Alice users, such as games or smart home scenarios.
The Bug Bounty goal is to find critical vulnerabilities that compromise the service or user data. We want to find more RCE, SQLi, and critical IDOR vulnerabilities to strengthen personal data protection and make the platform safer.
Main domains participating in the Bug Bounty:
  • *.dialogs.yandex.ru — the main domain of the service. It includes: /developer - administrative interface for skills management, /store - skills store, /b2b - internal administrative interface for hotel columns management, /api - main API of the service, etc.;
  • social.yandex.net — a service that unifies the OAuth integrations linked by Yandex users. We included it because the service is actively used in smart device manufacturers' APIs to authenticate our users.

{ Where to look }
*Note! The term "end-user device" refers only to Yandex devices participating in the Bug Bounty. You can find detailed information with the current list of devices on the "Smart devices with Alice" page.
We are primarily interested in the following vulnerabilities:
  • End-user device (speakers, speakers with screens, browser-based surfaces, Yandex.Auto, Yandex smart devices) vulnerabilities caused by the operation of a “malicious” skill on the device. For example, you managed to trigger a DoS of a smart speaker by sending a certain message to the speaker using your custom “malicious” skill;
  • Vulnerabilities in the development API used for skills' communication with Alice, and vulnerabilities in the OAuth flow implementation;
  • Ability to control another person's smart home, get unauthorized access to information about another person's smart home;
  • Fraud opportunities in Yandex Dialogs. The places worth paying attention to include, for example, the skill popularity rating system used by Yandex Dialogs to award monthly cash prizes among the developers of the best skills, or the skill rating assignment system.
{ Rewards }
The rewards for all types of vulnerabilities found in Yandex Dialogs are increased for the Bug Bounty period.
The security team assessing vulnerability reports may, at its discretion, decide to double the reward for a vulnerability, even if the vulnerability is not directly related to the Yandex.Dialogs. Such vulnerabilities may include, for example:
  • End-user device vulnerabilities, if they are caused by the operation of a “malicious” skill on the device;
  • Vulnerabilities in the OAuth flow, for example, account takeover through authentication in a “malicious” skill.
Common web vulnerabilities (category: reward):
  • Remote Code Execution: up to RUB 2,400,000
  • Injections (SQL/noSQL): up to RUB 1,200,000
  • Local files access (LFR, RFI, XXE, etc.): up to RUB 1,200,000
  • SSRF: up to RUB 600,000
  • Critical IDOR/Information disclosure: up to RUB 400,000
  • Client-side (XSS, CSRF, CORS, etc.): up to RUB 240,000
  • Other vulnerabilities: up to RUB 75,000
Service-specific vulnerabilities (category: reward):
  • End-user device vulnerabilities caused by the operation of a "malicious" skill (for instance, DoS of a device or of one of the internal services): up to RUB 2,000,000 for 1st category smart devices, up to RUB 1,000,000 for 2nd category smart devices
  • Account takeover via OAuth flow vulnerabilities: up to RUB 1,000,000
  • Fraud in skill popularity rating systems (for instance, cheating on rating or on DAO/MAO metrics): up to RUB 400,000
{ Rules and comments }
Since the skills are developed by external developers who are not affiliated with Yandex in any way, they decide on hosting backends for their skills on their own and deploy them on hosts with IP addresses that do not belong to Yandex. Therefore, vulnerabilities found in the services of external developers are not eligible for the Yandex bug bounty program.
  • RCEs in an isolated/test environment get reduced rewards as they have reduced business impact;
  • SSRFs that allow reading responses are considered more critical than blind ones;
  • Bypassing CSP (Content Security Policy) is not required, but in some cases the reward can be reduced, for example if the XSS requires a click and is blocked by CSP (href=javascript:alert);
  • No rewards are provided for "vulnerabilities" that are in fact functions forming part of the service's expected, architecturally designed behavior. For example, the ability of an OAuth provider to obtain personal data using a legitimately obtained OAuth token of a user;
  • Mobile app vulnerabilities are considered "Other vulnerabilities";
  • Yandex reserves the right to decide which reports suit the competition;
  • Use only your test accounts. Attempting to exploit a bug on real users may result in exclusion from the competition;
  • The report must specify the actions necessary to reproduce the bug;
  • You can learn more about the rules in the "out of scope" section on the "Main Scope" and "Smart Devices with Alice" pages. There you can also find the current categories of smart devices participating in the competition.
Good Luck!
Thu Dec 12 2024 19:09:29 GMT+0300 (Moscow Standard Time)