VKontakte

Company: VK

VK is the largest social network in Russia and the CIS. Our mission is to connect people, services and companies by creating simple and convenient communication tools.

Program description

Supported languages:

  • English
  • Russian

Bounty rules:

The Bug Bounty program only accepts and pays for reports on vulnerabilities previously unknown to the VK team.

The types of vulnerabilities eligible for bounties are listed in the "Maximum bounty" table at the end of these Bug Bounty program rules.

The bounty amounts shown in the description are for reference only.

The applicability and amount of a bounty may depend on the severity of the problem, novelty, likelihood of use, environment, and/or other factors.

The VK security team makes a bounty decision for each report individually.

Any vulnerabilities not listed in the "Maximum bounty" table are paid for at the discretion of the program owner.

Scope of the Bug Bounty program:

Mobile apps:

VK App Android, VK Me Android, VK Admin Android, VK Messenger (Android and iOS), VK App iOS, VK Me iOS, VK Admin iOS.

Official apps communities:

Domains:

vk.com, m.vk.com, api.vk.com, login.vk.com, oauth.vk.com
*.vk.me
*.vk.cc
*.vk.link
id.vk.com
dev.vk.com
platform.vk.com
web.vk.me

Content:
*.vkontakte.(ru|com), *.vk-cdn.net, *.userapi.com,
*.vkuser.net, *.vkuseraudio.(com|net),
*.vkuservideo.(com|net), *.vkuserlive.(com|net)

Important:

For questions not related to this program, please contact our support.

Public 0-day/1-day vulnerabilities may be considered duplicates for several weeks after a vulnerability is published if our team knows about the vulnerability from open sources and we are working to eliminate or fix it.

Bug reports submitted by current or former employees (up to one year from the end of employment) of the VK Group are accepted without payment.

When testing RCE, SQLi, LFI, LFR, or SSTI, only the use of the MINIMUM possible POC (sleep, reading /etc/passwd, curl) is allowed. If you want to test the possibility of privilege elevation on a server, please create a report and write that you want to elevate privileges.

Publishing or disclosing bug report details without approval from VK's information security team is prohibited. We reserve the right to refuse any request for public disclosure of the report.

Limitations on the scope of the Bug Bounty program:

When testing, it is recommended to limit scanning tools to 10 requests per second.

We do not accept or review:

  • Bug reports from vulnerability scanners and other automated tools;
  • Disclosure of information that is not confidential, for example, the version of a product;
  • Disclosure of information about a user that is public, for example, a user's nickname;
  • Bug reports based on the version of a product/protocol (e.g. TLS version) without demonstrating the actual presence of a vulnerability;
  • Bug reports about a missing security mechanism/current best practice (e.g. missing CSRF token, framing/clickjacking protection) without demonstrating an actual impact on the security of users or the system;
  • Messages about published and unpublished SPF and DMARC policies;
  • Cross-site request forgery leading to logout (logout CSRF);
  • Vulnerabilities in partner products or services, unless Mail.Ru or VK.com users/accounts are directly affected;
  • Security of rooted, jailbroken, or otherwise modified devices and applications;
  • Ability to reverse engineer an application, or the lack of binary protection;
  • Open redirection vulnerabilities are accepted only if a security impact is identified, such as the possibility of stealing an authorization token;
  • Injecting unformatted text, audio, images, or video into a server response outside of the user interface (for example, into JSON data or an error message), unless doing so replaces the user interface, changes the behavior of the user interface, or results in other negative consequences;
  • Same site scripting, reflected downloads, and similar attacks with questionable impact;
  • CSP-related bug reports for domains without CSPs and domain policies with unsafe-eval and/or unsafe-inline;
  • IDN homograph attacks;
  • XSPA (scanning the IP addresses/ports of external networks);
  • Excel CSV formula injection;
  • Scripting in PDF documents;
  • Attacks that require full access to a local account or browser profile;
  • Attacks based on scenarios where a vulnerability in a third-party site or application is required as a prerequisite and is not demonstrated;
  • Theoretical attacks without proof of feasibility;
  • Denial of service (DoS) vulnerabilities associated with sending a large volume of requests or data (flooding);
  • Ability to send a large number of messages;
  • Ability to send spam or a malware file;
  • Disclosure of information through external links not controlled by Mail.Ru or VK.com (for example, Google dorking of private protected areas of robots.txt);
  • Disclosure of unused or properly restricted JS API keys (for example, an API key for an external map service);
  • Ability to perform an action not available through the user interface and without identified security risks;
  • Vulnerabilities associated with the use of phishing and other social engineering techniques;
  • Disclosure of /metrics or /status without a demonstrated information security threat (for example, disclosure of private API methods, tokens);
  • Blind SSRF vulnerabilities without demonstrating a threat to the service's information security in the report (DNS pingback is not enough);
  • SSRF vulnerabilities that involve sending requests via rentgen*.smailru.net, snipster*.go.mail.ru, mpr.m.smailru.net, or other proxies specifically designed to protect against SSRF;
  • Vulnerabilities that disclose only user accounts but not passwords or other personal data.

We consider bug reports as informational if:

  • The vulnerability discloses information about hacked accounts of external users for Mail.Ru or VK.com services;
  • The vulnerability is identified in a service independently hosted by the user (Mail.Ru\VK CS hosting network, hosting of gaming team resources, hosting of student or laboratory work for educational projects, etc.).

Maximum bounty:

Vulnerability                               VK ID*        VK.com**      All others
Remote Code Execution (RCE), server-side    3 600 000 ₽   2 000 000 ₽   1 200 000 ₽
Privacy Bypass                              3 000 000 ₽   2 000 000 ₽   1 000 000 ₽
Remote Code Execution (RCE), mobile app     300 000 ₽     300 000 ₽     300 000 ₽
SQL Injection (SQLi)                        1 500 000 ₽   1 200 000 ₽   900 000 ₽
Local/Remote File Inclusion (LFI, RFI)      600 000 ₽     600 000 ₽     600 000 ₽
XML External Entity (XXE)                   600 000 ₽     600 000 ₽     600 000 ₽
Server-Side Request Forgery (SSRF)          600 000 ₽     600 000 ₽     600 000 ₽
Server-Side Request Forgery (SSRF), blind   180 000 ₽     180 000 ₽     180 000 ₽
Insecure Direct Object Reference (IDOR)     60 000 ₽      60 000 ₽      60 000 ₽
Cross-Site Scripting (XSS)                  60 000 ₽      60 000 ₽      60 000 ₽
Open Redirect                               18 000 ₽      18 000 ₽      18 000 ₽

*VK ID — the single sign-on service for all VK ecosystem projects

**VK.com - the largest Russian social network and content platform

Vulnerabilities in Android applications can also participate in the Google Play Bug Bounty program.

Self-XSS, XSS specific to uncommon browsers (e.g. IE), XSS blocked by CSP, and other vectors without proven script execution are generally accepted without reward.

Launched August 8, 2022
Program format: vulnerabilities
Reward for vulnerabilities: up to ₽3.6M

Program statistics:

  • Paid in total: ₽17,287,500
  • Average payment: ₽76,493
  • Paid in the last 90 days: ₽1,672,500
  • Valid reports: 341
  • Submitted reports: 409