Log in
Log in
Log in
Main scope
The main testing scope is infrastructure, web services, desktop apps
1
Categories
2
Domains
3
IP addresses
4
Mobile apps
5
Out of scope
Under the Yandex Bug Bounty program, all services are classified into categories based on severity levels.
The Yandex security team is responsible for this classification: they determine the severity level of each service according to an internal threat model, solely for the purposes of the Yandex Bug Bounty program.
• *.yandex.ru
• *.yandex.com
• *.yandex.com.tr
• *.yandex.kz
• *.yandex.by
• *.yandex.st
• *.yandex.net
• *.ya.ru
• *.yandex-bank.net
• *.kinopoisk.ru
• *.auto.ru
• *.edadeal.ru
• *.bookmate.ru
• *.band.link
The testing scope includes IP addresses owned by Yandex.
You can check their affiliation using the WHOIS protocol or ASN in BGP.
The exception is the Yandex Cloud user networks.
All public Yandex mobile apps are part of the program. You can find the full information about mobile apps program here.
Yandex doesn’t reward:
• Reports of security scanners and other automated tools.
• Disclosure of non-critical information, such as the software name or version.
• Disclosure of public user information.
• Problems and vulnerabilities based on the product version used, which don’t demonstrate exploitation.
• Information about Yandex IP addresses, DNS records, and open ports.
• Zero-day error messages in TLS.
• Reports on insecure SSL/TLS ciphers that don’t demonstrate the exploitation.
• Lack of SSL or other BCP (best current practices).
• Physical attacks on Yandex property or its data centers.
• Reports on the lack of security mechanisms that don’t demonstrate the exploitation that may affect user data.
• For example, the lack of CSRF tokens, Clickjacking, and so on. Login/Logout CSRF or other actions without a proven impact on security.
• Open redirects, except for the issues that affect the service security, for example, allow you to steal a user authentication token.
• With such issues, you can qualify for the Hall of Fame.
• Self XSS, XSS exploited outside Yandex Browser, Chrome or Firefox browsers.
• With this issue, you can qualify for the Hall of Fame.
• Reflected download, same site scripting, and other attacks with questionable impact on the service security.
• Injection of Excel and CSV formulas. Lack of CSP policies on the domain or unsafe CSP configuration.
• XSS and CSRF that require additional actions from the user.
• Rewards are paid only if they affect the user’s sensitive data and are triggered immediately when opening a specially generated page, without any user actions (interaction with javascript schema links included in the scope).
• XSS that requires injection or forging a header, such as Host, User-Agent, Referer, Cookie, and so on. With this issue, you can qualify for the Hall of Fame.
• CORS Misconfiguration on the mc.yandex.ru, mc.yandex.com domain and other advertising domains without a proven security impact.
• Tabnabbing-target = «_blank» in links without proven security impact.
• Content spoofing, content injection, or text injection without a proven security impact.
• Lack of flags on insensitive cookies.
• The autosuggest attribute in web forms.
• Lack of Rate Limit without a proven security impact.
• Presence or absence of SPF, DKIM and DMARC records.
• The use of known vulnerable libraries without demonstrating the exploitation.
• Issues that require use of social engineering techniques, phishing reports.
• Social engineering that targets Yandex employees or contractors.
• Vulnerabilities in partner services if Yandex user data is not affected.
• Vulnerabilities of passwords, password policies and other user authentication data.
• Vulnerabilities found in external or user projects located in Yandex Cloud. You can use the WHOIS protocol, bgb.he.net and so on to check the address affiliation.
• Vulnerabilities on mobile devices that can be exploited only using root privileges, jailbreak, and any other modification of apps or devices.
• Disclosure of Access keys that have restrictions or are embedded in.apk and don’t provide access to personal data.
• Vulnerabilities that affect only users of outdated or vulnerable browsers and platforms.
• Attacks that require physical access to the user’s device.
• Ability to execute scripts on sandbox domains or domains without session cookies, for example, *.yandex.net, *.yandex-bank.net.
• Domains of the Connect service during the transition period in favor of 360.
• The possibility to decompile or use reverse application development.
• [NEW] Email spam/email bombing with messages from Yandex services. (exceptions that are rewarded: SMS spam, ability to control a significant part of the letter)
• [NEW] Bypasses of the «antivirus» (attachment security verification mechanism) belong to social engineering and considered out of the scope
• [NEW] Vulnerabilities which requires local access or local code execution on a system (e.g. DLL Hijacking attacks)
For error reports about services located on the yandex.net and yandex.st domains, rewards are paid only for server-side class vulnerabilities.
Authentication services | Yandex ID Mail |
|---|---|
Key services | Alice, Smart Devices API
  Geoservices: Maps, NavigatorMarket
Payment Infrastructure: Balance, Payment Gateway
Plus
Search
  Advertising Services: Metrica, Direct, Ad NetworkYandex 360: Wiki, Tracker, Forms, Messages, Disk
Taxi
   FinTech: Yandex Pay, Yandex Bank, Yandex Split  FoodTech: Eda, Lavka |
Main Services | All main Yandex services |
New Services | Experimental and recently integrated Yandex services |
{ Rewards }
Vulnerability | Authentication services | Key services | Main services | New services |
|---|---|---|---|---|
Remote code execution (RCE) | 36,000 $ | 13,300 $ | 8,300 $ | 5,000 $ |
Account Takeover (ATO)
| 36,000 $ | — | — | 570 — 1,100 $ |
1. A zero-click exploit scenario that allows access to any account, even with 2FA enabled — 36,000 $ 2. A vulnerability affecting only users with SMS-based authentication enabled — 1,100 $ If the exploit requires user interaction (e.g., 2 clicks) — 5,500 $ 3. The service was recently integrated into Yandex, and user profiles are not managed via Yandex ID — 570 $ | ||||
Local files access and manipulation (LFR, RFI, XXE) | 12,000 $ | 6,700 $ | 4,100 $ | 1,700 $ |
Injections | 12,000 $ | 6,700 $ | 4,100 $ | 1,700 $ |
SSRF | 6,700 $ | 3,300 $ | 2,500 $ | 1,700 $ |
SSRF blind we recommend applying ssrf-sheriff | 2,200$ | 1,600 $ | 1,200 $ | 500 $ |
IDORs / Disclosure of sensitive user information | 2,500 — 6,100 $ | 800 — 2,100 $ | 500 — 1,300 $ | 200 — 500 $ |
Reward amounts depend on the following factors: 1. Sensitivity of the exposed data Different services process different types of data, and their sensitivity levels vary. The highest payouts are awarded for unauthorized access to highly sensitive information, such as ride/order histories, personal emails, and private documents (including, but not limited to, these examples). 2. Predictability of identifiers Vulnerabilities involving sequential/incremental IDs generally pose a higher risk and are valued higher than those requiring the guessing of a UUIDv4. 3. Size of the affected user base The overall scope of users impacted by the vulnerability. Note: In certain cases, the final bounty may be adjusted (scaled up or down) depending on the attack complexity and the specific prerequisites required for successful exploitation. | ||||
Cross-Site Request Forgery (СSRF) | 300 — 2,100 ₽ | 300 — 800 $ | 300 — 500 $ | 100 — 300 $ |
Cross-Site Scripting (XSS) except self-XSS and *.yandex.net | 300— 2,700 $ | 300 — 1,300 $ | 300 — 800 $ | 100 — 500 $ |
Other confirmed vulnerabilities | Based on the impact |
{ Attention Required}
The bounty reward is determined by the vulnerability's criticality, exploitability, and potential impact on user data;
The bounty reward may be reduced if compensating controls increase the difficulty of vulnerability exploitation;
Our security team evaluates vulnerability severity in consultation with developers. This process typically takes up to 30 business days.