*.dialogs.yandex.ru — the main domain of the service. It includes:
- /developer - administrative interface for skill management;
- /store - the skills store;
- /b2b - internal administrative interface for managing smart speakers deployed in hotels;
- /api - the main API of the service;
- and other paths.
social.yandex.net — a service that unifies the OAuth integrations connected by Yandex users. It is in scope because smart-device manufacturers' APIs actively use it to authenticate our users.
Category | Reward |
---|---|
Remote Code Execution | up to RUB 2,400,000 |
Injections (SQL/noSQL) | up to RUB 1,200,000 |
Local files access (LFR, RFI, XXE, etc.) | up to RUB 1,200,000 |
SSRF | up to RUB 600,000 |
Critical IDOR/Information disclosure | up to RUB 400,000 |
Client-side (XSS, CSRF, CORS, etc.) | up to RUB 240,000 |
Other vulnerabilities | up to RUB 75,000 |
Category | Reward |
---|---|
End-user device vulnerabilities caused by the operation of a "malicious" skill, for instance DoS of a device or of one of the internal services | up to RUB 2,000,000 for 1st-category smart devices; up to RUB 1,000,000 for 2nd-category smart devices |
Account takeover via OAuth flow vulnerabilities | up to RUB 1,000,000 |
Fraud in skill popularity rating systems, for instance cheating on ratings or on DAU/MAU (daily/monthly active user) metrics | up to RUB 400,000 |