The Yandex security team is responsible for this classification: they determine the severity level of each service according to an internal threat model, solely for the purposes of the Yandex Bug Bounty program.
• *.yandex.com
• *.yandex.com.tr
• *.yandex.kz
• *.yandex.by
• *.yandex.st
• *.yandex.net
• *.ya.ru
• *.yandex-bank.net
• *.kinopoisk.ru
• *.auto.ru
• *.edadeal.ru
• *.bookmate.ru
• *.band.link
The exception is the Yandex Cloud user networks.
• Reports of security scanners and other automated tools.
• Disclosure of non-critical information, such as the software name or version.
• Disclosure of public user information.
• Problems and vulnerabilities based on the product version used, which don’t demonstrate exploitation.
• Information about Yandex IP addresses, DNS records, and open ports.
• Zero-day error messages in TLS.
• Reports on insecure SSL/TLS ciphers that don’t demonstrate exploitation.
• Lack of SSL or other BCPs (best current practices).
• Physical attacks on Yandex property or its data centers.
• Reports on missing security mechanisms that don’t demonstrate an exploitation that may affect user data.
• For example, the lack of CSRF tokens, clickjacking, and so on. Login/logout CSRF or other actions without a proven security impact.
• Open redirects, except for issues that affect service security, for example, ones that allow stealing a user’s authentication token.
• With such issues, you can qualify for the Hall of Fame.
• Self-XSS; XSS exploited outside the Yandex Browser, Chrome, or Firefox browsers.
• With this issue, you can qualify for the Hall of Fame.
• Reflected download, same site scripting, and other attacks with questionable impact on the service security.
• Injection of Excel and CSV formulas. Lack of CSP policies on the domain or unsafe CSP configuration.
• XSS and CSRF that require additional actions from the user.
• Rewards are paid only if they affect the user’s sensitive data and are triggered immediately when opening a specially crafted page, without any user action (interaction with javascript: scheme links is included in the scope).
• XSS that requires injection or forging a header, such as Host, User-Agent, Referer, Cookie, and so on. With this issue, you can qualify for the Hall of Fame.
• CORS misconfiguration on the mc.yandex.ru and mc.yandex.com domains and other advertising domains without a proven security impact.
• Tabnabbing (target="_blank" in links) without a proven security impact.
• Content spoofing, content injection, or text injection without a proven security impact.
• Missing flags on non-sensitive cookies.
• The autosuggest attribute in web forms.
• Lack of rate limiting without a proven security impact.
• Presence or absence of SPF, DKIM and DMARC records.
• The use of known vulnerable libraries without demonstrating exploitation.
• Issues that require the use of social engineering techniques; phishing reports.
• Social engineering that targets Yandex employees or contractors.
• Vulnerabilities in partner services if Yandex user data is not affected.
• Vulnerabilities of passwords, password policies and other user authentication data.
• Vulnerabilities found in external or user projects hosted in Yandex Cloud. You can use the WHOIS protocol, bgp.he.net, and so on to check the address affiliation.
• Vulnerabilities on mobile devices that can be exploited only using root privileges, jailbreak, and any other modification of apps or devices.
• Disclosure of access keys that have restrictions or are embedded in .apk files and don’t provide access to personal data.
• Vulnerabilities that affect only users of outdated or vulnerable browsers and platforms.
• Attacks that require physical access to the user’s device.
• Ability to execute scripts on sandbox domains or domains without session cookies, for example, *.yandex.net, *.yandex-bank.net.
• Domains of the Connect service during the transition period to Yandex 360.
• The ability to decompile or reverse-engineer applications.
• [NEW] Email spam or email bombing with messages from Yandex services (rewarded exceptions: SMS spam, and the ability to control a significant part of the message).
• [NEW] Bypasses of the «antivirus» (attachment security verification mechanism) are classified as social engineering and are considered out of scope.
• [NEW] Vulnerabilities that require local access or local code execution on a system (for example, DLL hijacking attacks).
For reports about services located on the yandex.net and yandex.st domains, rewards are paid only for server-side vulnerability classes.
Service category | Services |
---|---|
Authentication services | Yandex ID, Mail |
Key services | Alice, Smart Devices API; Market; Payment Infrastructure: Balance, Payment Gateway; Plus; Search; Yandex 360: Wiki, Tracker, Forms, Messages, Disk; Taxi |
Main services | All main Yandex services |
New services | Experimental and recently integrated Yandex services |
Vulnerability | Authentication services | Key services | Main services | New services |
---|---|---|---|---|
Remote code execution (RCE) | 36,000 $ | 13,300 $ | 8,300 $ | 5,000 $ |
Local files access and manipulation (LFR, RFI, XXE) | 12,000 $ | 6,700 $ | 4,100 $ | 1,700 $ |
Injections | 12,000 $ | 6,700 $ | 4,100 $ | 1,700 $ |
SSRF | 6,700 $ | 3,300 $ | 2,500 $ | 1,700 $ |
Blind SSRF (we recommend using ssrf-sheriff) | 2,200 $ | 1,600 $ | 1,200 $ | 500 $ |
IDORs / Disclosure of sensitive user information | 2,500 — 6,100 $ | 800 — 2,100 $ | 500 — 1,300 $ | 200 — 500 $ |
Cross-Site Request Forgery (CSRF) | 300 — 2,100 ₽ | 300 — 800 $ | 300 — 500 $ | 100 — 300 $ |
Cross-Site Scripting (XSS), except self-XSS and *.yandex.net | 300 — 2,700 $ | 300 — 1,300 $ | 300 — 800 $ | 100 — 500 $ |
Other confirmed vulnerabilities | Based on the impact | Based on the impact | Based on the impact | Based on the impact |