High priority devices
Recently released devices with modern security mechanisms that we want to test:
Low priority devices
Previous generation devices that we update and support:
Devices that are out of scope
The bug bounty program doesn't include Smart Home devices, TVs, and other devices developed in conjunction with other brands.
The infrastructure around smart devices is part of the main scope.
This program focuses on finding vulnerabilities in Yandex smart devices.
We've identified several key areas:
Vulnerabilities in apps and services on the device
Code execution, local file reading, and various injections that grant privileged permissions on the device.
Vulnerabilities can be located in apps on the device, voice skills, privileged/non-privileged processes, and more.
Vulnerabilities in the manufacturer's SoC software and firmware
At the low level of the device, we are interested in attacks that bypass secure boot mechanisms and achieve arbitrary code execution.
We pass such vulnerabilities on to our partners, but don't take part in the CVE release.
If you want to look for low-level problems, you should read the ARM Trusted Firmware specification. Most of our devices are based on it.
Bypassing the subscription model
Some of our devices are sold on a subscription model, which assumes regular payments for device use. Without payments, device use is restricted.
For example, the user cannot watch movies on KinoPoisk or communicate with Alice by voice. We are interested in learning about ways to bypass these restrictions.
Obtaining advanced privileges through PCB interfaces
We do not consider complex, expensive, and difficult-to-reproduce attacks on the circuit board, such as fault injection. However, we are interested in attacks that provide highly privileged access through connections to JTAG, USB, and other physical interfaces of the device.
Disclosure of critical user information
We are interested in vulnerabilities that can lead to the disclosure of critical user information, for example, personally identifiable information. Disclosure must occur without any physical contact with the device.
Yandex doesn't reward:
The size of the reward depends on the level of privileges received, the type of device, the criticality of the issue, and its impact on security. It can be assigned according to the ranges in the table below.
The level of criticality is often determined together with the developers, which may take some time.
For vulnerabilities in low-priority devices, a reduction is applied to the payout. If your vulnerability is reproducible and carries security risks for high-priority devices, you will receive the full reward.
Rewards
| Vulnerability Severity Levels | Critical | High | Medium | Low |
|---|---|---|---|---|
| Reward amount | $4000 | $2000 | $1000 | $200 |