Delivery Hunt

Goal: find critical vulnerabilities
Scope: Yandex Delivery services
Duration: from June 10 to July 10, 2024
{ About service }
Yandex Delivery helps organize the delivery of packages.
The Bug Bounty goal is to find critical vulnerabilities that compromise the service or user data.
{ Where to look }
Profile
Profiles of Yandex Delivery partners
The Profile lets you add employees in different roles, create delivery orders, generate reports, and much more.
Domains:
  • *.dostavka.yandex.ru
How to try out?
  1. Sign in to your Yandex account.
  2. Go to the Company profile page.
  3. Be sure to use the prefix «BugBounty» in the name of the company you are creating.
    For example, «BugBounty Test»
  4. Start hunting!
API
API for Yandex Delivery partners
Besides the UI, Yandex Delivery offers its partners a dedicated API.
Domains:
  • *.b2b.taxi.yandex.net
  • *.b2b-authproxy.taxi.yandex.net
How to try out?
  1. Get an integration token in your Profile.
  2. Examine the documentation.
    Here you can learn more about the service and explore the API.
  3. Start hunting!
Mobile app
Delivery section in the Yandex Go mobile app
You can create personal delivery orders in the app.
Domains:
  • tc.mobile.yandex.net
How to try out?
  1. Scan the QR code with a camera to download Yandex Go.
  2. At the home screen tap Delivery.
  3. Start hunting!
    Examine the app's traffic and find a vulnerability!
Rewards
Yandex Delivery's rewards are doubled for the competition period.
The reward depends on the following:
  • Vulnerability severity and the composition of potentially affected data.
  • Exploitation complexity.
  • The scope of users who could potentially be affected by the bug.
  • The overall severity of the vulnerability and its impact on the business.
Common web vulnerabilities (category: reward)
  • Remote Code Execution: RUB 750 000 — 1 500 000
  • Injections (SQL/NoSQL): RUB 375 000 — 750 000
  • Local file access (LFR, RFI, XXE, etc.): RUB 300 000 — 600 000
  • SSRF: RUB 300 000 — 500 000
  • IDOR / Disclosure of sensitive information: RUB 100 000 — 300 000
  • Client-side (XSS, CSRF, CORS, etc.): RUB 45 000 — 200 000
  • Other vulnerabilities: RUB 30 000 — 100 000
Vulnerability examples
We’re interested in detecting any technical means of disclosing private data of the users and the couriers, business logic errors, and access control failures. For example:
  • Ways to access another user’s order.
  • Ways to track the movement of a courier delivering an order that is not yours.
  • Ways to access order data of a Yandex Delivery business partner.
  • Ways to raise privileges in the Yandex Delivery Profile.
  • Ways to manipulate the delivery price (free or discounted delivery).
{ Rules and notes }
  • Yandex Go is a super app for many Yandex services, but the competition only applies to Yandex Delivery vulnerabilities.
  • SSRFs that allow reading responses are considered more critical than blind ones.
  • RCEs in an isolated/test environment get reduced rewards as they have reduced business impact.
  • Bypassing CSP (Content Security Policy) is not required, but in some cases the reward may be reduced, for example when the XSS requires a click and is blocked by CSP (href=javascript:alert).
  • Yandex reserves the right to decide which reports suit the competition.
  • Use only your test accounts. Attempting to exploit a bug on real users may result in exclusion from the competition.
  • The report must specify the actions necessary to reproduce the bug.
Good luck!