“Bug Bounty” contest support service
If you find a security issue in a Yandex service, report it using the form on the “Bug Bounty” contest site. This way Yandex can process the information faster and send you a reply.
This page provides answers to the most frequently asked questions.
- Which vulnerability reports are not rewarded?
- What happens after I send a vulnerability report?
- Can I receive the reward on my PayPal account or another e-payment system account?
- My question is about something else
Which vulnerability reports are not rewarded?
- Vulnerability of a third-party site or a service partnering with Yandex.
- User authentication data (for example, weak passwords).
- Vulnerabilities discovered in third-party projects that are stored in Yandex.Cloud. You can use the WHOIS protocol to find out who the IP address belongs to.
- Possible DDoS attacks on Yandex.
- The use of social engineering techniques (for example, phishing).
- Results from security scanners.
- IP addresses, DNS records and Yandex open ports.
- Information obtained via Banner grabbing on the use of outdated or potentially vulnerable software versions.
- Zero-day errors in TLS.
If you find an error in the yandex.net or yandex.st domain services, Yandex will pay an award. The vulnerability must be either an “Injection” or a “Configuration error in the web environment”.
Reporting about XSS or CSRF is rewarded only if the vulnerabilities affect sensitive user data and are triggered once the user visits a specially designed page, without any additional actions carried out by the user.
What happens after I send a vulnerability report?
After sending the message you will receive an automated email with your report ID to confirm that Yandex received your message. If you want to send any further information about the vulnerability, respond to the received email.
Our specialists will process your report and contact you to clarify the details if necessary. The report is processed within 30 business days.
If your report is rewarded, we will request your bank account details for a money transfer.
Note that Yandex awards the user who was the first to report the problem. If you find a vulnerability, report it as soon as possible.
Can I receive the reward on my PayPal account or another e-payment system account?
Yandex pays awards only through bank transfers. For non-residents of Russia and foreign citizens, awards are paid in US dollars (USD) at the Central Bank of Russia's current exchange rate.
My question is about something else
If your question is related to the “Bug Bounty” contest but you haven't found an answer in the feedback section, send the question to us. Please describe the problem in detail.