Yandex Eats competition

Find vulnerabilities in the infrastructure, services, and apps related to Yandex Eats. Bug Bounty scope: domains, infrastructure, mobile apps, fraud methods, and more.

What you need to know about the competition

Competition scope

Out of scope

The competition is held from July 01 through August 31, 2022.
During this period, we're doubling the reward size for this service.

The main objective of the competition is to find technical vulnerabilities that may lead to the disclosure of users' and partner couriers' personal data and to identify fraud risks in Yandex Eats. There are several main areas.

Disclosure of user data

We’re interested in detecting any technical means of disclosing the private data of our users and partner couriers, such as phone numbers, addresses, order details, and so on.

Examples of data disclosure methods:

A courier sees the address and details of the order to deliver, but they, just like users, should not see other orders. A method to bypass this may be considered.
Bypassing the mechanism that hides the real phone numbers of a courier and user when making a call from the app.

Bypassing the rules for using promo codes

Our services can work with discounts and promo codes. We’re interested in detecting ways to bypass the current rules for using promo codes.

Examples of bypassing a rule:

Using your own account to activate promo codes that are linked to another account.
Disclosing promo codes by exhaustive search from one account or anonymously.

Fraud with Yandex Plus bonus points

We’re interested in detecting any technical means of getting Yandex Plus bonus points without spending money, which may cause significant damage.

Fraud by partner couriers

We’re interested in finding any methods of fraud on the part of couriers.

Fraud example:

A courier is on shift, but fraudulently avoids accepting orders, which ultimately allows them to receive a subsidy without making any deliveries. to take a break or leave a shift are not considered here.

Methods of fraud in the courier app that require root privileges/jailbreaking a device are within the scope of the program.

Domains

*.eda.yandex.ru
*.eda.yandex
*.eda.yandex.net

Infrastructure

The program scope includes the IP addresses of the Yandex infrastructure that serves Yandex Eats. You can check their affiliation using the WHOIS protocol or ASN in BGP. The exception is the Yandex Cloud user networks.

Mobile Applications

The Yandex Go app with the Yandex Eats section for Android and iOS.
The Yandex Eats app for Android and iOS.
The Yandex Pro app with the courier section for Android and iOS.

Vulnerabilities in other Yandex apps and services are beyond the scope of this competition and their detection is rewarded based on the program they’re included in. List of programs.

Yandex doesn't reward:

Fraud that requires mass and simultaneous actions of a large number of users or partner couriers.
When user data and fraud schemes are publicly available.
Bypassing the phone number substitution mechanism that is not likely to be reproduced over a long period of time.
A slow bruteforce which using multiple accounts is beyond the scope of the competition.
Legitimate ways for a service partner courier to not accept an order, such as leaving a shift or taking a break, are not covered by the program.
Vulnerabilities on mobile devices that can be exploited only using root privileges, jailbreak, and any other modification of apps or devices. This restriction does not apply to fraud through apps for service partner couriers.
Issues that require the use of social engineering techniques or phishing reports.
Social engineering that targets Yandex employees or contractors.
Bypassing checks in the mobile app for partner couriers to launch the app on jailbroken systems or devices with root privileges.
Vulnerabilities in apps on the device that don't have a significant impact on security.
Disclosure of Access keys that have restrictions or are embedded in .apk and don't provide access to personal data.
Reports of security scanners and other automated tools.
Disclosure of non-critical information, such as the software name or version.
Disclosure of public user information.
Problems and vulnerabilities based on the product version used, which don't demonstrate exploitation.
Information about Yandex IP addresses, DNS records, and open ports.
Zero-day error messages in TLS.
Reports on insecure SSL/TLS ciphers that don't demonstrate the exploitation. Lack of SSL or other BCP (best current practices).
Physical attacks on Yandex property or its data centers.
Reports on the lack of security mechanisms that don't demonstrate the exploitation that may affect user data. For example, the lack of CSRF tokens, Clickjacking, and so on.
Login/Logout CSRF or other actions without a proven impact on security.
Open redirects, except for the issues that affect the service security, for example, allow you to steal a user authentication token. With such issues, you can qualify for the Hall of Fame.
Self XSS, XSS exploited outside Yandex Browser, Chrome or Firefox browsers. With this issue, you can qualify for the Hall of Fame.
Reflected download, same site scripting, and other attacks with questionable impact on the service security.
Injection of Excel and CSV formulas.
Lack of CSP policies on the domain or unsafe CSP configuration.
XSS and CSRF that require additional actions from the user. Rewards are paid only if they affect the user's sensitive data and are triggered immediately when opening a specially generated page, without any user actions (interaction with javascript schema links included in the scope).
XSS that requires injection or forging a header, such as Host, User-Agent, Referer, Cookie, and so on. With this issue, you can qualify for the Hall of Fame.
CORS Misconfiguration on the 127.0.0.1, mc.yandex.com domain and other advertising domains without a proven security impact.
Tabnabbing-target = "_blank" in links without proven security impact.
Content spoofing, content injection, or text injection without a proven security impact.
Lack of flags on insensitive cookies.
The autosuggest attribute in web forms.
Lack of Rate Limit without a proven security impact.
Presence or absence of SPF and DMARC records.
The use of known vulnerable libraries without demonstrating the exploitation.
Vulnerabilities in partner services if Yandex user data is not affected.
Vulnerabilities of passwords, password policies and other user authentication data.
Vulnerabilities that affect only users of outdated or vulnerable browsers and platforms.
Attacks that require physical access to the user's device.
Ability to execute scripts on sandbox domains or domains without session cookies, for example, *.yandex.net, *.yandex-bank.net.
Domains of the Connect service during the transition period in favor of 360.
The possibility to decompile or use reverse application development.

For error reports about services located on the yandex.net and yandex.st domains, rewards are paid only for server-side class vulnerabilities.

{ Rewards}

The reward is doubled for the Yandex Eats competition period and depends on how critical the vulnerability is, how easily it can be exploited, and how it impacts user and partner courier data. In the case of fraud, the reward amount depends on whether it’s possible to scale a particular method of the detected fraud, how easily it can be used, and what damage it causes. See the reward amounts in the table below.

We team up with developers to determine the level of severity, so it does take some time.

Vulnerability	Reward amount
Remote code execution (RCE)	$6000 — $20000
Local files access и другое. (LFR, RFI, XXE)	$2000 — $12000
Injections	$2000 — $12000
SSRF	$2000 — $8000
SSRF, blind	$600 — $3000
Memory leaks / IDORs / Disclosure of protected personal data or sensitive user information	$400 — $7000
Cross-Site Scripting (XSS) except self-XSS and *.yandex.net	$400 — $3000
Cross-Site Request Forgery (СSRF, Flash crossdomain requests, CORS)	$200 — $2000
Other confirmed vulnerabilities	based on impact
Different fraud methods	$300 — $3000