“Bug Bounty” contest support service

If you find a security issue in a Yandex service, report it using the form on the “Bug Bounty” contest site. This way Yandex can process the information faster and send you a reply.

This page provides answers to the most frequently asked questions.

  1. What vulnerabilities aren't rewarded?
  2. What happens after I send a vulnerability report?
  3. Can I get my reward sent to PayPal or another electronic payment system account?
  4. Issues with a granted reward

What vulnerabilities aren't rewarded?

Yandex doesn't reward:
  • Reports of security scanners and other automated tools.
  • Disclosure of non-critical information, such as the software name or version.
  • Disclosure of public user information.
  • Problems and vulnerabilities based on the product version used, which don't demonstrate exploitation.
  • Information about Yandex IP addresses, DNS records, and open ports.
  • Zero-day error messages in TLS.
  • Reports on insecure SSL/TLS ciphers that don't demonstrate the exploitation.
  • Lack of SSL or other BCP (best current practices).
  • Physical attacks on Yandex property or its data centers.
  • Reports on the lack of security mechanisms that don't demonstrate the exploitation that may affect user data. For example, the lack of CSRF tokens, Clickjacking, and so on.
  • Login/Logout CSRF or other actions without a proven impact on security.
  • Open redirects, except for the issues that affect the service security, for example, allow you to steal a user authentication token. With such issues, you can qualify for the Hall of Fame.
  • Self XSS, XSS exploited outside Yandex Browser, Chrome or Firefox browsers. With this issue, you can qualify for the Hall of Fame.
  • Reflected download, same site scripting, and other attacks with questionable impact on the service security.
  • Injection of Excel and CSV formulas.
  • Lack of CSP policies on the domain or unsafe CSP configuration.
  • XSS and CSRF that require additional actions from the user. Rewards are paid only if they affect the user's sensitive data and are triggered immediately when opening a specially generated page, without any user actions.
  • XSS that requires injection or forging a header, such as Host, User-Agent, Referer, Cookie, and so on. With this issue, you can qualify for the Hall of Fame.
  • CORS Misconfiguration on the mc.yandex.ru, mc.yandex.com domain and other advertising domains without a proven security impact.
  • Tabnabbing — target="_blank" in links without proven security impact.
  • Content spoofing, content injection, or text injection without a proven security impact.
  • Lack of flags on insensitive cookies.
  • The autosuggest attribute in web forms.
  • Lack of Rate Limit without a proven security impact.
  • Presence or absence of SPF and DMARC records.
  • The use of known vulnerable libraries without demonstrating the exploitation.
  • Issues that require use of social engineering techniques, phishing reports.
  • Social engineering that targets Yandex employees or contractors.
  • Vulnerabilities in partner services if Yandex user data is not affected.
  • Vulnerabilities of passwords, password policies and other user authentication data.
  • Vulnerabilities found in external or user projects located in Yandex.Cloud. You can use the WHOIS protocol, bgb.he.net and so on to check the address affiliation.
  • Vulnerabilities on mobile devices that can be exploited only using root privileges, jailbreak, and any other modification of apps or devices.
  • Disclosure of Access keys that have restrictions or are embedded in .apk and don't provide access to personal data.
  • Vulnerabilities that affect only users of outdated or vulnerable browsers and platforms.
  • Attacks that require physical access to the user's device.
  • Ability to execute scripts on sandbox domains or domains without session cookies, for example, *.yandex.net.
  • The possibility to decompile or use reverse application development.

For error reports about services located on the yandex.net and yandex.st domains, rewards are paid only for server-side class vulnerabilities.

This list may differ depending on the program. Check out exceptions for each program on the program page within Bug Bounty.

What happens after I send a vulnerability report?

After sending the message you will receive an automated email with your report ID to confirm that Yandex received your message.

Note that the message can be processed only if you receive an automatic response with the number of your error report. The response email usually takes from a few minutes to an hour from the time the form is sent. If you didn't receive such an email (don't forget to search for it in the Spam folder), most likely your report didn't reach us.

If you want to send any further information about the vulnerability, respond to the received email.

Our specialists will process your report and contact you to clarify the details if necessary.

Note that Yandex awards the user who was the first to report the problem. If you find a vulnerability, report it as soon as possible.

Can I get my reward sent to PayPal or another electronic payment system account?

Yandex pays a reward via bank transfers. Non-residents of the Russian Federation and foreign citizens receive remuneration in US dollars at the current exchange rate of the Central Bank of the Russian Federation.

Issues with a granted reward

If you have any problems getting the award or have questions about filling out the financial information form, please use our support form.