YooMoney

RESPONSE TIME

• Response time (from the moment information is received): up to 5 business days.
• Report processing time (from the moment all information on the report is received): up to 10 business days.
• Reward payment time (from the moment the report is processed): up to 20 business days.

SCOPE

• *.yoomoney.ru
• *.yookassa.ru
• *.yoobusiness.ru

• YooMoney Wallet for Android: https://promo.yoomoney.ru/app
• YooKassa for Android: https://promo.yookassa.ru/app

PRIORITY VULNERABILITIES

• Remote Code Execution (RCE);
• Injection vulnerabilities (for example, SQL or XML injection);
• LFR / LFI / RFI (Local File Read / Local File Inclusion / Remote File Inclusion);
• SSRF (Server-Side Request Forgery);
• Authentication/authorization flaws;
• IDOR (Insecure Direct Object References);
• Account takeover;
• Business logic flaws;
• Access control vulnerabilities;
• Exposure of sensitive information;
• XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery) that affect sensitive data.

VULNERABILITIES NOT ELIGIBLE FOR REWARD

• Issues and bugs that are not security-related;
• Reports about vulnerabilities in services that are not operated by YooMoney;
• Reports based on a product/protocol version with no demonstration of a real exploitability;
• 0-day or 1-day vulnerabilities that have been publicly disclosed less than 7 days ago;
• Phishing, social engineering, and scenarios that require physical access to a user’s device;
• Reports about fraud schemes or misuse of legitimate YooMoney functionality;
• Disclosure of technical or non-sensitive information (for example, product versions, used software, stacktrace);
• Raw reports from scanners and other automated tools;
• Information about IP addresses, DNS records and open ports;
• Vulnerabilities that require a complex or unlikely user interaction to exploit;
• Improbable or theoretical attacks without proof of possibility;
• Attacks that require performing MITM or physical proximity on another user's connection (e.g., NFC, Bluetooth, Wi‑Fi attacks, shoulder surfing);
• Reports about weaknesses related to 4–6 digit codes.

• Self-XSS, XSS in unpopular or outdated browsers, Flash-based XSS;
• CSRF and XSS without impact on confidential data;
• Open Redirect without an additional attack vector;
• Attacks requiring full access to a local account or browser;
• Self-inflicted content changes on a page ;
• Tabnabbing;
• Full Path Disclosure;
• Clickjacking;
• Absence of Best security practices ;
• Non-compliance with best practices in email configuration;
• Reports related to CSP policy configuration;
• Insecurely configured TLS or SSL;
• Ability to send unlimited text messages and emails;
• Rate-limit vulnerabilities or brute-force attacks on unauthenticated resources;
• Bypassing brute-force protection mechanisms;
• DOS attacks related to sending large numbers of requests or data;
• Disclosure of the existence of a username, email, or phone number in the system;
• Reports about publicly accessible login panels;
• Reports about public availability of https://repo.yoomoney.ru/, https://git.yoomoney.ru/

• Source code and binary frameworks hosted in these repositories are intended for public access. Reports about disclosure of information in these repositories will be accepted only if secrets (passwords, private keys, tokens, etc.) are discovered.

• Disclosure of limited API keys in JS code.

• Possibility of decompiling/reversing the mobile app, Frida injections, code modifications
• Bypassing root and jailbreak checks
• Tapjacking
• Task hijacking
• Exported activities, receivers, services discovery unless it leads to unauthorized access
• Screenshots with sensitive information from the app
• Absence of SSL pinning
• Vulnerabilities that require malware, root, or jailbreak
• Disclosure of non-sensitive information on the device
• Requesting excessive permissions
• Absence of protective flags in native libraries
• Vulnerabilities in dependencies without direct impact
• Disclosure of API keys that do not lead to user data leakage or financial loss
• Use of weak cryptography/protection measures

REPORT FORMAT

• Description of the vulnerability
• Type of vulnerability discovered
• URL of the vulnerable application
• Steps to reproduce (with sample requests)
• Screenshots or video confirming the vulnerability
• Severity analysis
• Remediation recommendations

RULES

• Use only your own accounts or accounts of users who have explicitly given consent for testing. Do not attempt to access any confidential information or accounts that belong to other people;
• Any activity that may damage the company’s applications, infrastructure, customers or partners is prohibited;
• For proof-of-concept purposes, use the minimal actions necessary to confirm a vulnerability. If testing may affect other users or system availability, contact us for permission. Further exploitation of vulnerabilities is strictly forbidden;
• Social engineering directed at YooMoney employees, partners, contractors or users is prohibited;
• Physical attacks against the company or its infrastructure are prohibited;
• Exploitation of vulnerabilities after testing is complete is prohibited;
• Automated scanning must be limited to 5 requests per second.

• Executing commands: ifconfig (ipconfig), hostname, whoami;
• Reading files: "/etc/passwd" and "/proc/sys/kernel/hostname" (or "drive:/boot.ini", "drive:/install.ini");
• Creating an empty file in the current user's working directory.
  Any other actions require prior approval from the YooMoney security team.

• Retrieving information about the current database (SELECT database()), its version (SELECT @@version), current user (SELECT user(), SELECT system_user()), or host name (SELECT @@hostname);
• Retrieving database scheme (SELECT table_schema), list of tables (SELECT table_name), and column names (SELECT column_name).
  Any other actions require prior approval from the YooMoney security team.

• Modifying, changing, deleting, or replacing any files on the server (including system files), except files associated with the researcher’s account or with a user account that has explicitly given consent, provided this does not disrupt the service or its parts;
• Uploading files that could cause denial of service (for example, very large files or a very large number of files);
• Uploading malicious files (for example, malware or spyware).

• Reading only these files:"/etc/passwd" and "/proc/sys/kernel/hostname" (or "drive:/boot.ini", "drive:/install.ini").
  Any other actions require prior approval from the YooMoney security team.

DISCLOSURE RULES

• Disclosure of discovered vulnerabilities or any information regarding the report without written permission from the YooMoney security team is prohibited;
• Submit reports only through the platform form;
• We reserve the right to decline any request for public disclosure of a report.

DUPLICATE REPORTS POLICY

CRITICALITY DETERMINATION RULES

• The privileges an attacker needs to exploit the issue;
• How difficult it is to discover and exploit the vulnerability;
• Whether user interaction is required;
• Impact on integrity, availability, and confidentiality of affected data;
• Data integrity, availability, and confidentiality requirements for the affected data;
• Impact on business and reputational risk;
• How many users would be affected by the vulnerability.
  One of the tools we use for analysis is the CVSS v3.1 scoring calculator.

REWARD