The reward amount may increase or decrease depending on the exploitation method and app.
See the full list of apps here.
Keep in mind that the number of app downloads, popularity, and the amount of data it processes also affect the reward.
Category | Description | Reward, USD
---|---|---
Arbitrary code execution | Execution of code in a running app without explicit user consent and additional OS permissions. | $1500 - $5500
Arbitrary code execution, remote exploit | | $3000 - $11 000
Unauthorized access to user authentication data | Vulnerabilities related to gaining access to account login and password or OAuth token. For example, the ability to load an arbitrary URL in WebView combined with OAuth token theft. | $800 - $5500
Unauthorized access to user authentication data, remote exploit | | $1500 - $11 000
Access to sensitive data | Vulnerabilities related to accessing sensitive data processed by a mobile app | $500 - $2000
Other vulnerabilities | Other security vulnerabilities, such as: | $100 - $1500
This competition is designed to test the security of mobile apps for Yandex services.
In deeplinks
Our apps implement a lot of deeplinks, sometimes dozens or even more. We are particularly interested in attacks on those deeplinks that can be used to affect an app's operation (mutable deeplinks) or to access sensitive data, for instance:
In WebView
Our apps can also contain WebView components. This usually involves filtering the domains that can be loaded into a WebView. We are interested in attacks that bypass those filtering restrictions.
Sometimes a WebView has access to a JavaScript Interface/Bridge to implement advanced functionality. We are interested in scenarios where a domain you control can be displayed in the WebView and the available JS interfaces can be used, for example, to get the current geolocation.
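As an added illustration of the domain filtering described above (example code, not Yandex's own), a WebViewClient that permits navigation only to an assumed allowlist of hosts. It compares the parsed scheme and host of the URL instead of matching substrings of the URL string, and it gates the initial loadUrl call with the same check, since shouldOverrideUrlLoading is not invoked for that call:

```kotlin
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Hypothetical allowlist; the real set of hosts is specific to each app.
private val ALLOWED_HOSTS = setOf("example.com")

/**
 * Returns true only for https URLs whose parsed host is an allowlisted host
 * or a subdomain of one. Uri.host excludes user-info, port, path and query,
 * so those parts of the URL cannot influence the decision.
 */
fun isAllowedUrl(uri: Uri): Boolean {
    // Only https: rejects file:, javascript:, intent: and plain http.
    if (!uri.scheme.equals("https", ignoreCase = true)) return false
    val host = uri.host?.lowercase() ?: return false
    return ALLOWED_HOSTS.any { allowed -> host == allowed || host.endsWith(".$allowed") }
}

class AllowlistWebViewClient : WebViewClient() {
    // Called for link clicks, redirects and frame navigations after the initial load.
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        // true cancels the navigation; false lets the WebView proceed.
        return !isAllowedUrl(request.url)
    }
}

/** Loads [url] only if it passes the allowlist; a deeplink handler would call this. */
fun loadIfAllowed(webView: WebView, url: String): Boolean {
    val uri = Uri.parse(url)
    if (!isAllowedUrl(uri)) return false
    webView.webViewClient = AllowlistWebViewClient()
    webView.loadUrl(url)
    return true
}
```

Any JavaScript interface added with addJavascriptInterface is reachable by every page the WebView loads, so the allowlist check above is what keeps the bridge confined to the intended hosts.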
In the user account synchronization system
Our apps use Account Manager for seamless authentication. We are interested in the ways third-party apps can get access to a user account.
Category | Description
---|---
Fully remote exploit | For instance, if sending a message that doesn't need to be opened to a user or sharing the same Wi-Fi network with a user is enough
1-click exploit | A user needs to be persuaded to click a link and open a Yandex app
Malware installation | Malware must be installed by a user. Please note that the reward amount is reduced due to the difficulty of the exploit
📍 Geodata
💰 Financial data
💾 Service data
Restrictions:
Yandex doesn't reward: