SkillFactory is an educational platform that trains specialists in Data Science, Machine Learning, analytics using Python, development, IT product management and other areas.
The Bug Bounty program only accepts and pays for reports on vulnerabilities previously unknown to the VK team.
The types of vulnerabilities eligible for bounties are listed in the "Rewards" table at the end of the rules for the Bug Bounty program rules.
The bounty amounts shown in the description are for reference only.
The applicability and amount of a bounty may depend on the severity of the problem, novelty, likelihood of use, environment, and/or other factors.
The VK security team makes a bounty decision for each message individually.
Any vulnerabilities not listed in the "Bounty amount" table are paid for at the discretion of the program owner.
skillfactory.ru, *.skillfactory.ru, *.skillfactory.tech
Bugs identified at petfriends.skillfactory.ru, *.contented.ru, lms.skillfactory.ru domains and 51.250.89.234, 51.250.92.227 adress can be accepted without payment / as informational.
hacker-ctf-main.skillfactory.ru
Bugs identified on demo stands, dev infrastructure, domains used for training, delegated, externally hosted domains and partner services are accepted as informational and are not paid for.
Public 0-day/1-day vulnerabilities may be considered duplicates for several weeks after a vulnerability is published if our team knows about the vulnerability from open sources and we are working to eliminate or fix it.
Bug reports submitted by current or former employees (up to one year from the end of employment) of the VK Group are accepted without payment.
When testing RCE, SQLi, LFI, LFR, or SSTI, only the use of the MINIMUM possible POC (sleep, reading /etc/passwd, curl) is allowed. If you want to test the possibility of privilege elevation on a server, please create a report and write that you want to elevate privileges.
Publishing or disclosing bug report details without approval from VK's information security team is prohibited. We reserve the right to refuse any request for public disclosure of the report.
MitM and local attacks, open redirects, insufficient session validation, handling cookies after logout, etc. are not accepted unless additional vectors are defined (e.g., the ability to steal a session token via a remote vector for open redirects).
When testing, it is recommended to limit scanning tools to 10 requests per second.
Vulnerabilities | Maximum Bounty |
---|---|
Remote code execution (RCE) | 250 000 ₽ |
Server-side Injections (SQLi or an alternative) | 125 000 ₽ |
Access to and work with local files (LFR, RFI, XXE) without jail / chroot / file type restrictions | 125 000 ₽ |
RCE/LFI in the dev infrastructure / isolated or virtualized process | 50 000 ₽ |
Non-blind SSRF (with the ability to read the response text), except for dedicated proxies | 50 000 ₽ |
Blind SSRF, except for dedicated proxies | 20 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of critical or highly sensitive application data | 10 000 ‑ 125 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of protected personal data or sensitive client information | 10 000 ‑ 100 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of sensitive application or infrastructure data / organizational role privilege escalation | 10 000 ‑ 100 000 ₽ |
Admin/support authentication bypass | 100 000 ₽ |
Blind XSS in the admin/support interface | 75 000 ₽ |
Cross Site Scripting (XSS) | 0 ‑ 5 000 ₽ |
Detailed error output, local installation path, phpinfo() output, performance counters, etc. are not considered confidential; such messages are usually accepted without payment of a bounty. Messages about disclosure of software versions are not accepted.