Main scope
The main testing scope is infrastructure, web services, mobile and desktop apps that work with users' personal information.
  • *
  • *
  • *
  • *
  • *
  • *
  • *
  • *
  • *

The testing scope includes IP addresses owned by Yandex.
You can check their affiliation using the WHOIS protocol or ASN in BGP.
The exception is the Yandex.Cloud user networks.

All Yandex apps that contain user data are part of the program.
You can find the list of apps in Google Play and in the App Store.

Yandex doesn't reward:

  • Reports of security scanners and other automated tools.
  • Disclosure of non-critical information, such as the software name or version.
  • Disclosure of public user information.
  • Problems and vulnerabilities based on the product version used, which don't demonstrate exploitation.
  • Information about Yandex IP addresses, DNS records, and open ports.
  • Zero-day error messages in TLS.
  • Reports on insecure SSL/TLS ciphers that don't demonstrate the exploitation. Lack of SSL or other BCP (best current practices).
  • Physical attacks on Yandex property or its data centers.
  • Reports on the lack of security mechanisms that don't demonstrate the exploitation that may affect user data. For example, the lack of CSRF tokens, Clickjacking, and so on.
  • Login/Logout CSRF or other actions without a proven impact on security.
  • Open redirects, except for the issues that affect the service security, for example, allow you to steal a user authentication token. With such issues, you can qualify for the Hall of Fame.
  • Self XSS, XSS exploited outside Yandex Browser, Chrome or Firefox browsers. With this issue, you can qualify for the Hall of Fame.
  • Reflected download, same site scripting, and other attacks with questionable impact on the service security.
  • Injection of Excel and CSV formulas.
  • Lack of CSP policies on the domain or unsafe CSP configuration.
  • XSS and CSRF that require additional actions from the user. Rewards are paid only if they affect the user's sensitive data and are triggered immediately when opening a specially generated page, without any user actions.
  • XSS that requires injection or forging a header, such as Host, User-Agent, Referer, Cookie, and so on. With this issue, you can qualify for the Hall of Fame.
  • CORS Misconfiguration on the, domain and other advertising domains without a proven security impact.
  • Tabnabbing-target = "_blank" in links without proven security impact.
  • Content spoofing, content injection, or text injection without a proven security impact.
  • Lack of flags on insensitive cookies.
  • The autosuggest attribute in web forms.
  • Lack of Rate Limit without a proven security impact.
  • Presence or absence of SPF and DMARC records.
  • The use of known vulnerable libraries without demonstrating the exploitation.
  • Issues that require use of social engineering techniques, phishing reports.
  • Social engineering that targets Yandex employees or contractors.
  • Vulnerabilities in partner services if Yandex user data is not affected.
  • Vulnerabilities of passwords, password policies and other user authentication data.
  • Vulnerabilities found in external or user projects located in Yandex.Cloud. You can use the WHOIS protocol, and so on to check the address affiliation.
  • Vulnerabilities on mobile devices that can be exploited only using root privileges, jailbreak, and any other modification of apps or devices.
  • Disclosure of Access keys that have restrictions or are embedded in .apk and don't provide access to personal data.
  • Vulnerabilities that affect only users of outdated or vulnerable browsers and platforms.
  • Attacks that require physical access to the user's device.
  • Ability to execute scripts on sandbox domains or domains without session cookies, for example, *
  • The possibility to decompile or use reverse application development.

For error reports about services located on the and domains, rewards are paid only for server-side class vulnerabilities.

The reward size depends on how critical the vulnerability is, how easily it can be exploited, and how it impacts user data.
We team up with developers to determine the level of severity, so it does take some time.


Reward amount
Remote code execution (RCE)
$3000 - $10000
Local files access and manipulation (LFR, RFI, XXE)
$1000 - $6000
$1000 - $6000
$1000 - $4000
SSRF, blind 
$300 - $1500
Memory leaks / IDORs / Disclosure of protected personal data or sensitive user information
$200 - $3500
Cross-Site Scripting (XSS) except self-XSS and *
$200 - $1500
Cross-Site Request Forgery (СSRF, Flash crossdomain requests, CORS)
$100 - 1000$
Other confirmed vulnerabilities
based on impact

Tue May 25 2021 15:54:44 GMT+0300 (Moscow Standard Time)