Main scope

The main testing scope is infrastructure, web services, and desktop apps.

Under the Yandex Bug Bounty program, all services are classified into categories based on severity levels.

The Yandex security team is responsible for this classification: they determine the severity level of each service according to an internal threat model, solely for the purposes of the Yandex Bug Bounty program.

• *.yandex.ru

• *.yandex.com

• *.yandex.com.tr

• *.yandex.kz

• *.yandex.by

• *.yandex.st

• *.yandex.net

• *.ya.ru

• *.yandex-bank.net

• *.kinopoisk.ru

• *.auto.ru

• *.edadeal.ru

• *.bookmate.ru

• *.band.link

The testing scope includes IP addresses owned by Yandex. You can check their ownership using WHOIS or the ASN in BGP.

The exception is the Yandex Cloud user networks.

All public Yandex mobile apps are part of the program. You can find full information about the mobile apps program here.
Yandex doesn’t reward:

• Reports of security scanners and other automated tools.

• Disclosure of non-critical information, such as the software name or version.

• Disclosure of public user information.

• Problems and vulnerabilities based on the product version used, which don’t demonstrate exploitation.

• Information about Yandex IP addresses, DNS records, and open ports.

• Zero-day error messages in TLS.

• Reports on insecure SSL/TLS ciphers that don't demonstrate exploitation.

• Lack of SSL or other BCP (best current practices).

• Physical attacks on Yandex property or its data centers.

• Reports on the lack of security mechanisms that don't demonstrate exploitation affecting user data: for example, the lack of CSRF tokens, Clickjacking, and so on. Login/Logout CSRF or other actions without a proven impact on security.

• Open redirects, except for issues that affect the service security, for example, allow you to steal a user authentication token. With such issues, you can qualify for the Hall of Fame.

• Self XSS, and XSS exploited outside the Yandex Browser, Chrome, or Firefox browsers. With this issue, you can qualify for the Hall of Fame.

• Reflected download, same site scripting, and other attacks with questionable impact on the service security.

• Injection of Excel and CSV formulas.

• Lack of CSP policies on the domain or unsafe CSP configuration.

• XSS and CSRF that require additional actions from the user. Rewards are paid only if they affect the user's sensitive data and are triggered immediately when opening a specially generated page, without any user actions (interaction with javascript: scheme links is included in the scope).

• XSS that requires injection or forging a header, such as Host, User-Agent, Referer, Cookie, and so on. With this issue, you can qualify for the Hall of Fame.

• CORS Misconfiguration on the mc.yandex.ru, mc.yandex.com domain and other advertising domains without a proven security impact.

• Tabnabbing (target="_blank" in links) without a proven security impact.

• Content spoofing, content injection, or text injection without a proven security impact.

• Lack of flags on insensitive cookies.

• The autosuggest attribute in web forms.

• Lack of Rate Limit without a proven security impact.

• Presence or absence of SPF, DKIM and DMARC records.

• The use of known vulnerable libraries without demonstrating the exploitation.

• Issues that require use of social engineering techniques, phishing reports.

• Social engineering that targets Yandex employees or contractors.

• Vulnerabilities in partner services if Yandex user data is not affected.

• Vulnerabilities of passwords, password policies and other user authentication data.

• Vulnerabilities found in external or user projects hosted in Yandex Cloud. You can use WHOIS, bgp.he.net, and so on to check the address ownership.

• Vulnerabilities on mobile devices that can be exploited only using root privileges, jailbreak, and any other modification of apps or devices.

• Disclosure of access keys that are restricted or embedded in the .apk and don't provide access to personal data.

• Vulnerabilities that affect only users of outdated or vulnerable browsers and platforms.

• Attacks that require physical access to the user’s device.

• Ability to execute scripts on sandbox domains or domains without session cookies, for example, *.yandex.net, *.yandex-bank.net.

• Domains of the Connect service during the transition period in favor of 360.

• The ability to decompile or reverse-engineer the application.

• [NEW] Email spam or email bombing with messages from Yandex services (rewarded exceptions: SMS spam, the ability to control a significant part of the message).

• [NEW] Bypasses of the «antivirus» (attachment security verification mechanism) are considered social engineering and are out of scope.

• [NEW] Vulnerabilities that require local access or local code execution on a system (e.g. DLL Hijacking attacks).

For reports about services located on the yandex.net and yandex.st domains, rewards are paid only for server-side vulnerabilities.

Authentication services

• Yandex ID, Mail

Key services

• Alice, Smart Devices API

• Geoservices: Maps, Navigator

• Market

• Payment infrastructure: Balance, Payment Gateway

• Plus

• Search

• Advertising services: Metrica, Direct, Ad Network

• Yandex 360: Wiki, Tracker, Forms, Messages, Disk

• Taxi

• FinTech: Yandex Pay, Yandex Bank, Yandex Split

• FoodTech: Eda, Lavka

Main services

• All main Yandex services

New services

• Experimental and recently integrated Yandex services
Rewards

• The table shows the maximum reward amounts.

• Special cases may qualify for higher rewards.

• Different domains of the same service may fall into different categories. For example, the main site could be in the 'Key' category, while some subdomains might be in the 'Main/New' categories.

| Vulnerability | Authentication services | Key services | Main services | New services |
|---|---|---|---|---|
| Remote code execution (RCE) | 36,000 $ | 13,300 $ | 8,300 $ | 5,000 $ |
| Local files access and manipulation (LFR, RFI, XXE) | 12,000 $ | 6,700 $ | 4,100 $ | 1,700 $ |
| Injections | 12,000 $ | 6,700 $ | 4,100 $ | 1,700 $ |
| SSRF | 6,700 $ | 3,300 $ | 2,500 $ | 1,700 $ |
| SSRF blind (we recommend using ssrf-sheriff) | 2,200 $ | 1,600 $ | 1,200 $ | 500 $ |
| IDORs / Disclosure of sensitive user information | 2,500–6,100 $ | 800–2,100 $ | 500–1,300 $ | 200–500 $ |
| Cross-Site Request Forgery (CSRF) | 300–2,100 ₽ | 300–800 $ | 300–500 $ | 100–300 $ |
| Cross-Site Scripting (XSS) except self-XSS and *.yandex.net | 300–2,700 $ | 300–1,300 $ | 300–800 $ | 100–500 $ |
| Other confirmed vulnerabilities | Based on the impact | Based on the impact | Based on the impact | Based on the impact |
Attention required

• The bounty reward is determined by the vulnerability's criticality, exploitability, and potential impact on user data.

• The bounty reward may be reduced if compensating controls increase the difficulty of exploiting the vulnerability.

• Our security team evaluates vulnerability severity in consultation with developers. This process typically takes up to 30 business days.

Mon May 26 2025 08:26:07 GMT+0300 (Moscow Standard Time)