Yandex offers rewards for security bug reports. Reports about security vulnerabilities in Yandex's services or mobile applications that are sent to us can earn a monetary reward. Bug hunters who report especially important security problems are also inducted into our Hall of Fame.
In scope are Yandex's web-based services and iOS- or Android-based apps that process, store or otherwise use sensitive user information, such as:
personal photos or videos.
Web domains: .yandex.ru (except narod.yandex.ru), yandex.com, yandex.com.tr, yandex.kz, yandex.ua, yandex.by, yandex.net, yandex.st, .ya.ru, .moikrug.ru.
Mobile apps: Yandex.Maps, Yandex.Navigator, Yandex.Music, Yandex.Taxi, Yandex.Mail, Yandex.Market, Yandex.Metro, Yandex.Fotki, Yandex.Trains.
Any security bug that can violate the confidentiality, integrity or availability of sensitive user data on websites within the scope of the Yandex Bug Bounty qualifies. Web service vulnerabilities are classified using the OWASP Top-10. Mobile application vulnerabilities are classified using the OWASP Mobile Top-10.
Sending a bug report
You can send a description of the security problem using the special form or by e-mail to firstname.lastname@example.org. The form is preferable because we will process your message and answer you more quickly. You can also use our public PGP key to encrypt your message.
The amount of the reward depends on where the bug has been found: in one of the key services or apps, or elsewhere. The bounty rates in the table below are approximate and may differ from the actual amount you receive, because the reward is paid in roubles at the Central Bank of Russia's U.S. dollar exchange rate on the day of payment. The amount of the reward may be increased in special circumstances.
| OWASP Top-10 | Key services | Other services |
|---|---|---|
| A01. Injection | 3,133.7 USD | 800 USD |
| A02. Cross Site Scripting (XSS) – A05. Cross Site Request Forgery (CSRF) | 320 USD | 160 USD |
| A06. Security Misconfiguration – A10. Unvalidated Redirects and Forwards | 160 USD | 100 USD |
Key services: Yandex.Passport, Yandex.Mail, Yandex.Disk, Yandex.Maps, Yandex.Calendar, Moi Krug, Yandex's home page and search results page.
| OWASP Mobile Top-10 | Key apps | Other apps |
|---|---|---|
| M01. Insecure Data Storage – M05. Poor Authorization and Authentication | 320 USD | 160 USD |
| M06. Improper Session Handling – M08. Side Channel Data Leakage | 160 USD | 100 USD |
Key apps: Yandex.Maps, Yandex.Navigator, Yandex.Mail, Yandex.Market.
You may test Yandex services or mobile apps and demonstrate their vulnerabilities only from your own account. Hacking into someone else's account is strictly forbidden.
By submitting a bug report you agree to comply with Yandex's Responsible Disclosure Policy, which forbids public or private disclosure of the details of any vulnerability found in Yandex within 90 days. We need this time to contact you and fix the problem. Please read our Responsible Disclosure Policy.
Yandex employees, employees of any of Yandex's partner companies, and the authors of the code in which security flaws have been reported cannot participate in the Yandex Bug Bounty.
A reward is offered only for reporting vulnerabilities that have not been previously detected.