Mail.ru services (Mail, Cloud and Calendar) help millions of users to be productive, to communicate and store information. File security and data privacy are top priorities.
The Bug Bounty program only accepts and pays for reports on vulnerabilities previously unknown to the VK team.
The types of vulnerabilities eligible for bounties are listed in the "Rewards" table at the end of the Bug Bounty program rules.
The bounty amounts shown in the description are for reference only.
The applicability and amount of a bounty may depend on the severity of the problem, novelty, likelihood of use, environment, and/or other factors.
The VK security team makes a bounty decision for each report individually.
Any vulnerabilities not listed in the "Bounty amount" table are paid for at the discretion of the program owner.
- Mail.ru Mail for iOS
- Mail.ru Mail for Android
- Mail.ru Calendar for Android
- The Mail.ru Access Code for Android
- The Mail.ru Access Code for iOS
- MyMail for iOS
- MyMail for Android
- Cloud Mail.ru
mail.ru (without subdomains), e.mail.ru, touch.mail.ru, m.mail.ru, tel.mail.ru, light.mail.ru, octavius.mail.ru, smtp.mail.ru, mxs.mail.ru, pop.mail.ru, imap.mail.ru, cloud.mail.ru, disk-o.cloud, calendar.mail.ru, todo.mail.ru, calls.mail.ru, auth.mail.ru, o2.mail.ru, account.mail.ru, swa.mail.ru, id.mail.ru, contacts.mail.ru, notes.mail.ru except for delegated and externally hosted domains and branded partner services.
love.mail.ru
Bugs common to the Mail.ru and MyMail applications or their shared server are usually accepted as a single report.
Public 0-day/1-day vulnerabilities may be treated as duplicates for several weeks after publication if our team already knows about the vulnerability from open sources and is working to fix it.
Bug reports submitted by current or former employees (up to one year from the end of employment) of the VK Group are accepted without payment.
When testing RCE, SQLi, LFI, LFR, or SSTI, only the MINIMUM possible PoC (sleep, reading /etc/passwd, curl) is allowed. If you want to test for privilege escalation on a server, first create a report and state that you want to escalate privileges.
Publishing or disclosing bug report details without approval from VK's information security team is prohibited. We reserve the right to refuse any request for public disclosure of the report.
When testing, it is recommended to limit scanning tools to 10 requests per second.
Vulnerability | Bounty |
---|---|
Remote code execution (RCE) | 3 600 000 ₽ |
Server-side Injections (SQLi or an alternative) | 2 400 000 ₽ |
Access to and work with local files (LFR, RFI, XXE) without jail / chroot / file type restrictions | 2 400 000 ₽ |
RCE/LFI in the dev infrastructure / isolated or virtualized process | 600 000 ₽ |
Non-blind SSRF (with the ability to read the response text), except for dedicated proxies | 800 000 ₽ |
Blind SSRF, except for dedicated proxies | 150 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of critical or highly sensitive application data | 1 000 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of protected personal data or sensitive client information | 600 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of sensitive application* or infrastructure data / organizational role privilege escalation | 150 000 ₽ |
Admin/support authentication bypass | 600 000 ₽ |
Blind XSS in the admin/support interface | 250 000 ₽ |
XSS when reading email through the message content (excluding AMP) | 120 000 ₽ |
Cross Site Scripting (XSS)** | 60 000 ₽ |
Cross-Site Request Forgery (CSRF) | 9 000 - 60 000 ₽ |
Compromising a local account of a mobile application or gaining full access to the data | 60 000 ₽ |
SDC*** bypass techniques for critical projects | 90 000 ₽ |
*Detailed error output, local installation paths, phpinfo() output, performance counters, etc. are not considered confidential; such reports are usually accepted without a bounty. Reports that only disclose software versions are not accepted.
**Self-XSS, XSS specific to uncommon browsers (e.g. IE), payloads blocked by CSP and other vectors without proven script execution are generally accepted without reward. Subdomain takeovers are assessed under the same severity and conditions as cross-site request forgery (CSRF).
***SDC reports are accepted for SDC-aware domains holding critical data: (e|m|tel|touch|light|cloud|calendar|biz).mail.ru. SDC bypass means direct or indirect (via an SDC-aware domain) access to the product APIs of these projects without a valid sdc/sdcs cookie, without access to the ssdc cookie on auth.mail.ru, and without valid user credentials. Web-based SDC attacks via mobile applications, for example, are not considered.
Vulnerabilities in Android applications can also participate in the Google Play Bug Bounty program.