Tarantool combines an in-memory DBMS and a Lua server in a single platform providing ACID-compliant storage. The use cases for Tarantool vary from ultra-fast cache to product data marts and smart queue services.
We accept vulnerability reports only if the vulnerability was previously unknown to the VK team.
The types of vulnerabilities eligible for bounties are listed in the "Maximum bounty" section at the end of the rules for the Bug Bounty program rules.
The bounty amounts shown in the description are for reference only.
The applicability and amount of a bounty may depend on the severity of the problem, novelty, likelihood of use, environment, and/or other factors.
The VK security team makes a bounty decision for each message individually.
Any vulnerabilities not listed in the "Maximum bounty" section are paid for at the discretion of the program owner.
*.tarantoolplus.ru, *.tarantool.io
We do not accept bugs detected on client installations, except for attack vectors to clients via *.tarantoolplus.ru and *.tarantool.io.
Errors detected in demo stands or other open-source solutions not in the VK infrastructure, as well as vulnerabilities in domains used for client training, are accepted as informational and are not paid for.
MitM and local attacks, open redirects, insufficient session validation, handling cookies after logout, etc. are not accepted unless additional vectors are defined (e.g., the ability to steal a session token via a remote vector for open redirects).
Bugs identified on demo stands, dev infrastructure, domains used for training, delegated, externally hosted domains and partner services are accepted as informational and are not paid for.
0-day/1-day vulnerabilities may be considered as a duplicate within several weeks after vulnerability details publication.
Bug reports submitted by current or former employees (up to one year from the end of employment) of the VK Group are accepted without payment.
When testing RCE, SQLi, LFI, LFR, SSTI it is allowed to use only MINIMALLY possible POC for proof (sleep, accessing /etc/passwd, curl).
Publishing or disclosing bug report details without approval from VK's information security team is prohibited. We reserve the right to refuse any request for public disclosure of the report.
It is recommended to limit all scanning tools to 10 requests per second.
Vulnerabilities | Tier 1* | Tier 2** |
---|---|---|
Remote code execution (RCE) | 600 000 ₽ | 120 000 ₽ |
Server-side Injections (SQLi or an alternative) | 300 000 ₽ | 60 000 ₽ |
Access to and work with local files (LFR, RFI, XXE) without jail / chroot / file type restrictions | 300 000 ₽ | 0 - 60 000 ₽ |
RCE/LFI in the dev infrastructure / isolated or virtualized process | 120 000 ₽ | 0 ₽ |
Non-blind SSRF (with the ability to read the response text), except for dedicated proxies | 240 000 ₽ | 30 000 ₽ |
Blind SSRF, except for dedicated proxies | 60 000 ₽ | 9 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of critical or highly sensitive application data | 180 000 ₽ | 9 000 - 60 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of protected personal data or sensitive client information | 120 000 ₽ | 9 000 - 60 000 ₽ |
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of sensitive application* or infrastructure data / organizational role privilege escalation | 9 000 ₽ - 120 000 ₽ | 9 000 - 60 000 ₽ |
Attacks that cause service availability disruption (e.g., DOS via buffer overflow) | 60 000 ₽ | 0 ₽ |
Admin/support authentication bypass | 120 000 ₽ | 30 000 ₽ |
Blind XSS in the admin/support interface | 60 000 ₽ | 18 000 ₽ |
Cross-site scripting (XSS) | 0 ₽ - 15 000 ₽ | 0 ₽ |
*Tier 1 - includes vulnerabilities found in *.tarantoolplus.ru and *.tarantool.io infrastructure, except for delegated and externally hosted domains and branded partner services.
**Tier 2 - includes the vulnerabilities of the latest Tarantool releases published on the https://github.com/tarantool/tarantool/
detailed error output, local installation path, phpinfo() output, performance counters, etc. are not considered confidential; such messages are usually accepted without payment of a bounty. Messages about disclosure of software versions are not accepted
Self-XSS, XSS specific to non-common browsers (e.g. IE), blocked CSPs and other vectors without proven script execution are generally accepted without reward..