BugBounty competition: Data protection season

Objective: find bugs and vulnerabilities that could lead to sensitive data being disclosed
Scope: all Yandex services
Duration: from 01.08.2023 to 31.08.2023
Contest basics
Yandex is kicking off a hunt for bugs and vulnerabilities that could lead to sensitive information being disclosed.
During the competition, we'll be offering five times our regular payouts for critical IDOR and Sensitive Information Disclosure reports.
Keep in mind: the bonus is only offered for reports with information about bugs that could lead to the disclosure of sensitive data like locations, saved files, private bookmarks, and so on.
The following is a non-exhaustive list of the types of data we're looking for bugs related to:
📍Geodata
— User location data

— Saved private addresses

— The ability to view the location of a courier at any time (not just when you're waiting for delivery)

💰Financial data
— Transaction history and account balances

— Information about contractor earnings

— Personal promo codes and certificates

💾 Service data
— Information about user trips or orders

— Emails, meeting information, and other documents

— Access to Kinopoisk content that bypasses our DRM

— Data management (exporting data from other services)

— Private browser bookmarks

— Alice skills

— Unpublished ad drafts

— Information about ad campaigns or advertisers

— Search history

— Current phone numbers of users/couriers/drivers/advertisers (not substitutes)

⚙️ Technical data
— Encryption keys for smart device firmware

— Data from other tenants of YDBaaS, serverless YDB, Kinesis, SQS, and so on

— Data from someone else's MDB/YDBaaS cluster (not including cases caused by incorrect ACLs configured on the user's side)

The Rewards
When deciding on payouts, we'll consider the data type, the complexity of the attack, and how many users could potentially be impacted by the bug.
Triage with the service team to assess how critical the bug is may take some time.
Vulnerability | Reward amount
IDORs / Disclosure of protected personal data or sensitive user information [CRIT] | $4,000 — $31,000
Important rules:
  • Yandex reserves the sole right to determine which reports are eligible for this competition. Remember that the main target is critical IDORs.
  • Only use your own test accounts. Attempting to reproduce a bug against real users' accounts or data can get you disqualified from the competition.
  • Reports must include how to reproduce the bug.
  • Links to third-party resources are not eligible for this contest.
Happy hunting!