Smart devices with Alice
Try to find vulnerabilities in our smart devices and subscription mechanisms.
Testing scope: Voice-controlled devices — Yandex Station and Yandex Module.

High priority devices
Recently issued devices with modern security mechanisms that we want to test:


Low priority devices
Previous generation devices that we update and support:


Devices that are out of scope
The bug bounty program doesn't include Smart Home devices, TVs, and other devices developed in conjunction with other brands.

The infrastructure around smart devices is part of the main scope.

This program focuses on finding vulnerabilities in Yandex smart devices.
We've identified several key areas:

Vulnerabilities in apps and services on the device
Code execution, local file reading, and various injections that grant privileged permissions on the device.
Vulnerabilities can be located in apps on the device, voice skills, privileged/non-privileged processes, and more.

Vulnerabilities in the manufacturer's SoC software and firmware
At the low level of the device, we are interested in attacks that bypass secure boot mechanisms and achieve arbitrary code execution.
We pass such vulnerabilities on to our partners, but don't take part in the CVE release.
If you want to look for low-level problems, you should read the ARM Trusted Firmware specification. Most of our devices are based on it.

Bypassing the subscription model
Some of our devices are sold on a subscription model, which assumes regular payments for device use. Without payments, device use is restricted.
For example, the user cannot watch movies on KinoPoisk or communicate with Alice by voice. We are interested in learning about ways to bypass these restrictions.

Obtaining advanced privileges through PCB interfaces
We do not consider complex, expensive, and difficult-to-reproduce attacks on the circuit board, such as Fault Injection. However, we are interested if attacks provide highly privileged access through connections to JTAG, USB, and other physical interfaces of the device.

Disclosure of critical user information
We are interested in vulnerabilities that can lead to the disclosure of critical user information, for example, personally identifiable information. Disclosure must occur without any physical contact with the device.

Yandex doesn't reward:

  • Any attacks on hardware that involve changing the board configuration, removing chips from the printed circuit board, reprogramming it, or using expensive specific devices and attacks. We are interested in attacks that provide highly privileged access through connections to JTAG, USB, and other physical interfaces of the device.
  • Side-channel attacks that are unlikely to be reproduced.
  • "Best practices" for smart device security without a proven impact on security.
  • Using an unencrypted file system or not encrypting specific files.
  • Missing obfuscation and binary protection (anti-debugging).
  • Disclosure of access keys that have restrictions or are hardcoded in the .apk/other files and don't give access to personal data.
  • Vulnerabilities in third-party apps with no proven impact on the security of the Yandex device or apps.
  • The mere fact that user data or authentication tokens are stored in the file system.
  • Vulnerabilities in apps on the device that don't have a significant impact on security.
  • Local DoS attacks. The scope of the program includes remote DoS, DoS in the near field of the device, and DoS attacks that can't be eliminated by rebooting.
  • Disclosure of non-critical information about the user, device, or internal company information.
  • Voice skills that aren't developed by Yandex.
  • Bypassing parental control by changing the voice.
  • Vulnerabilities in devices that aren't supported.

The size of the reward depends on the level of privileges received, the type of device, the criticality of the issue, and its impact on security. It can be assigned according to the ranges in the table below.
The level of criticality is often determined with the developers, which may take some time.

For vulnerabilities in low priority (second-priority) devices, a reduction factor is applied to the payout. If your vulnerability is reproducible and also carries security risks for high priority (first-priority) devices, you will receive the full reward.



Rewards

Vulnerability severity level    Reward amount
Critical                        $4000
High                            $2000
Medium                          $1000
Low                             $200
Tue Jan 09 2024 13:17:55 GMT+0300 (Moscow Standard Time)