Odnoklassniki is one of the largest social networks in Russia, with a monthly audience of 40 million. OK is a hi-tech content and service platform. The social network's priority is the security of OK users' data.
The Bug Bounty program only accepts and pays for reports on vulnerabilities previously unknown to the VK team.
The types of vulnerabilities eligible for bounties are listed in the "Maximum bounty" table at the end of the Bug Bounty program rules.
The bounty amounts shown in the description are for reference only.
The applicability and amount of a bounty may depend on the severity of the problem, novelty, likelihood of use, environment, and/or other factors.
The VK security team decides on a bounty for each report (message) individually.
Any vulnerabilities not listed in the "Bounty amount" table are paid for at the discretion of the program owner.
Odnoklassniki: Social network on the App Store,
TamTam Messenger & Video Calls AppStore,
OK: Social Network - Apps on Google Play,
TamTam: Messenger, chat, calls - Apps on Google Play
Tier 1:
ok.ru, m.ok.ru, api.ok.ru, connect.ok.ru, paymentnew.ok.ru
Tier 2:
*.tamtam.chat, *.ok.ru, mycdn.me, *.mycdn.me, ok.me, apiok.ru, apptracer.ru, api-hprof.odkl.ru
insideok.ru, okl.lt
MitM, open redirects, SSL misconfigurations, etc. are not accepted unless additional vectors are defined (e.g., the ability to steal a session token via a remote vector for open redirects).
Vulnerabilities in the TamTam messenger are only accepted with a critical risk level.
Public 0-day/1-day vulnerabilities may be considered duplicates for several weeks after a vulnerability is published if our team knows about the vulnerability from open sources and we are working to eliminate or fix it.
Bug reports submitted by current or former employees (up to one year from the end of employment) of the VK Group are accepted without payment.
When testing RCE, SQLi, LFI, LFR, or SSTI, only the use of the MINIMUM possible POC (sleep, reading /etc/passwd, curl) is allowed. If you want to test the possibility of privilege elevation on a server, please create a report and write that you want to elevate privileges.
Publishing or disclosing bug report details without approval from VK's information security team is prohibited. We reserve the right to refuse any request for public disclosure of the report.
It is recommended to limit all scanning tools to 10 requests per second.
| Vulnerability | Tier 1 | Tier 2 |
|---|---|---|
| Remote Code Execution (RCE), server-side | 1 800 000 ₽ | 120 000 ₽ - 600 000 ₽ |
| Remote Code Execution (RCE), mobile app | 360 000 ₽ | 120 000 ₽ |
| SQL Injection (SQLi) | 1 200 000 ₽ | 120 000 ₽ |
| Local/Remote File Inclusion (LFI, RFI) | 1 200 000 ₽ | 60 000 ₽ |
| XML External Entity (XXE) | 1 200 000 ₽ | 60 000 ₽ |
| Server-Side Request Forgery (SSRF) (except dedicated isolated proxies) | 900 000 ₽ | 60 000 ₽ |
| Server-Side Request Forgery (SSRF) (except dedicated isolated proxies), blind | 240 000 ₽ | 60 000 ₽ |
| Insecure Direct Object Reference (IDOR) | 30 000 ₽ - 360 000 ₽ | 9 000 ₽ - 36 000 ₽ |
| Admin panel auth bypass | 360 000 ₽ | 120 000 ₽ |
| Blind XSS in admin panel | 180 000 ₽ | 60 000 ₽ |
| Cross-Site Scripting (XSS) | 18 000 ₽ - 120 000 ₽ | 18 000 ₽ |
Detailed error output, local installation path, phpinfo() output, performance counters, etc. are not considered confidential; such messages are usually accepted without payment of a bounty. Messages about disclosure of software versions are not accepted.
Self-XSS, XSS specific to uncommon browsers (e.g. IE), payloads blocked by CSP, and other vectors without proven script execution are generally accepted without reward. Subdomain takeovers are considered under the same severity/conditions as cross-site request forgery (CSRF).
Vulnerabilities in Android applications can also participate in the Google Play Bug Bounty program.