1. Programs are limited to technical vulnerabilities in the company's web services, mobile/desktop applications, infrastructure and some smart devices that fall within its scope. To report problems not related to security, contact Yandex technical support.
2. Yandex offers rewards only for detecting new vulnerabilities. An error report is considered a duplicate if the original report was sent earlier than the duplicate report or has a smaller report number.
3. Different vectors using the same error or similar errors can be considered duplicates. An error report can also be considered a duplicate if the internal task tracker has a task describing a similar error found by Yandex employees or contractors.
4. Public 0-day or 1-day vulnerabilities can be considered duplicates if they are known to our team from public sources.
5. Users aged 14 and older can participate in Bug Bounty. However, anyone under the age of 18 can only participate with the written consent of their parents.
6. Employees of Yandex or partner companies, as well as the authors of the code where the vulnerability is detected, are not eligible to participate in Bug Bounty.
7. We try to view reports as quickly as possible, but if you didn't receive a response within three business days, send us a reminder in response to the email you received after filling out the form. Leave the email subject unchanged.
Note that the message can be processed only if you receive an automatic response with the number of your error report. The response email usually takes from a few minutes to an hour from the time the form is sent. If you didn't receive such an email (don't forget to search for it in the Spam folder), most likely your report didn't reach us.
8. You can use only your own account to test and demonstrate vulnerabilities. You aren't allowed to hack other people's accounts. Never try to access anyone's data.
9. Don't share information about the error anywhere or with anyone for 90 days after you submit an error message. Please don't post the code of the detected vulnerability on publicly available services and resources, to prevent information disclosure to third parties.
We also recommend that you don't disclose vulnerability details after the 90-day period expires, until the vulnerability is fixed and the fix is released to most users.
Errors disclosed publicly or to third parties may lose eligibility for a reward.
10. [New] The reward may be reduced or not assigned if the report is poorly written: for example, "steps to reproduce" are skipped, and the researcher does not respond to clarifying requests from the information security service.
11. Error reports may lose eligibility for a reward if we detect:
- Physical intervention in the Yandex data centers or offices.
- Hacking the company's infrastructure and using the received information to report vulnerabilities.
- Social engineering aimed at company employees.
- Attempt to access a user's account or data, or post-exploitation of another vulnerability not required for demonstrating the error.
- DOS attacks and other resource exhaustion attacks. If you think you found a critical vulnerability that leads to failures in infrastructure or services, don't try to confirm it. Send it to us, and we will check your hypothesis in the testing environment.
- Accessing other people's accounts or their confidential data. Use your test accounts as a target to check whether you can access the account data or entire account.
12. Be careful and remember that you are testing in the production environment.