VK Capsule is a smart speaker with powerful sound and Marusia-enabled voice control. It makes it even more convenient to use VKontakte, VK Music, Wink, and other services in the VK ecosystem. Now more than 200 new functions are available to users.
The types of vulnerabilities eligible for bounties are listed in the "Rewards" section at the end of the Bug Bounty program rules.
The bounty amounts shown in the description are for reference only.
The applicability and amount of a bounty may depend on the severity of the problem, novelty, likelihood of use, environment, and/or other factors.
The VK security team makes a bounty decision for each message individually.
Any vulnerabilities not listed in the "Rewards" section are paid for at the discretion of the program owner.
The testing scope includes all VK Capsule smart speaker models.
For older speaker models, criticality is assessed based on the severity of the vulnerability and the number of active devices.
Bugs found on demo stands, in dev infrastructure, on domains used for training, on delegated or externally hosted domains, and in partner services are accepted as informational and are not paid for.
0-day/1-day vulnerabilities may be treated as duplicates for several weeks after the vulnerability details are published.
Bug reports submitted by current or former employees of the VK Group (up to one year after the end of employment) are accepted without payment.
When testing for RCE, SQLi, LFI, LFR or SSTI, use only the minimal proof of concept needed to demonstrate the issue (e.g. a sleep delay, reading /etc/passwd, a single curl request).
Publishing or disclosing bug report details without approval from VK's information security team is prohibited. We reserve the right to refuse any request for public disclosure of the report.
MitM and local attacks, open redirects, insufficient session validation, cookie handling after logout, etc. are not accepted unless an additional vector is demonstrated (e.g. an open redirect that allows a session token to be stolen via a remote vector).
It is recommended to limit all scanning tools to 10 requests per second.
Reports are also not accepted when:
- the vulnerability discloses information about hacked accounts of external users of Mail.Ru or VK.com services;
- the vulnerability is found in a service hosted independently by a user (Mail.Ru/VK Cloud hosting network, hosting of gaming team resources, hosting of student or laboratory work for educational projects, etc.).
| Vulnerabilities | Maximum bounty |
|---|---|
| Remote code execution (RCE) | 1 000 000 ₽ |
| Server-side injections (SQLi or equivalent) | 500 000 ₽ |
| Access to and work with local files (LFR, RFI, XXE) without jail / chroot / file type restrictions | 500 000 ₽ |
| RCE/LFI in dev infrastructure or in an isolated / virtualized process | 200 000 ₽ |
| Non-blind SSRF (response body readable), except for dedicated proxies | 200 000 ₽ |
| Blind SSRF, except for dedicated proxies | 50 000 ₽ |
| Server-side vulnerability disclosing (e.g. via memory leaks / IDORs) critical or highly sensitive application data | 10 000 - 350 000 ₽ |
| Server-side vulnerability disclosing (e.g. via memory leaks / IDORs) protected personal data or sensitive client information | 10 000 - 250 000 ₽ |
| Server-side vulnerability disclosing (e.g. via memory leaks / IDORs) sensitive application or infrastructure data / organizational role privilege escalation | 10 000 - 250 000 ₽ |
| Admin/support authentication bypass | 250 000 ₽ |
| Blind XSS in the admin/support interface | 200 000 ₽ |
| Cross-site scripting (XSS) | 0 - 20 000 ₽ |
| Cross-site request forgery (CSRF) | 0 - 20 000 ₽ |
| Capsule vulnerabilities | Maximum bounty |
|---|---|
| Remote device compromise (code execution) without user interaction | 1 000 000 ₽ |
| Breaking the boot chain of trust by replacing the bootloader (except for Mini Capsules) | 750 000 ₽ |
| Remote device compromise (code execution) from the local network without user interaction | 650 000 ₽ |
| Remote device compromise with user interaction / partial device compromise (e.g. access to the device microphones without user interaction) | 500 000 ₽ |
| Remote unrecoverable DoS against a device | 250 000 ₽ |
| Compromise of a nearby device (Wi-Fi, Bluetooth) | 150 000 ₽ |
| Remote recoverable DoS / abuse of functionality (e.g. ability to produce a loud sound) | 50 000 ₽ |
Detailed error output, local installation paths, phpinfo() output, performance counters, etc. are not considered confidential; such reports are usually accepted without payment of a bounty. Reports about disclosure of software versions are not accepted.
Self-XSS, XSS that works only in uncommon browsers (e.g. IE), XSS blocked by CSP, and other vectors without proven script execution are generally accepted without a reward.