Supported languages:

• English
• Russian

Bounty rules:

Bug Bounty program's scope:

Domains:

Important:

Limitations on the Bug Bounty program's scope:

We do not accept or review:

• Bug reports from vulnerability scanners and other automated tools;
• Disclosure of information that is not confidential, for example, the version of a product;
• Disclosure of information about a user that is public, for example, a user's nickname;
• Bug reports based on the version of a product/protocol (e.g. TLS version) without demonstrating the actual presence of a vulnerability;
• Bug reports about a missing security mechanism/current best practice (e.g. missing - CSRF token, framing/clickjacking protection) without demonstrating an actual impact on the security of users or the system;
• Messages about published and unpublished SPF and DMARC policies;
• Cross-site request forgery leading to logout (logout CSRF);
• Vulnerabilities in partner products or services, unless Mail.Ru or VK.com users/accounts are directly affected;
• Security of rooted, jailbroken, or otherwise modified devices and applications;
• Ability to reverse engineer an application, or the lack of binary protection;
• Open redirection vulnerabilities are accepted only if a security impact is identified, such as the possibility of stealing an authorization token;
• Injecting unformatted text, audio, images, or video into a server response outside of the user interface (for example, into JSON data or an error message), unless doing so replaces the user interface, changes the behavior of the user interface, or results in other negative consequences;
• Same site scripting, reflected downloads, and similar attacks with questionable impact;
• CSP-related bug reports;
• IDN homograph attacks;
• XSPA (scanning the IP addresses/ports of external networks);
• Excel CSV formula injection;
• Scripting in PDF documents;
• Attacks that require full access to a local account, browser profile or physical access to the device;
• Attacks based on scenarios where a vulnerability in a third-party site or application is required as a prerequisite and is not demonstrated;
• Theoretical attacks without proof of feasibility;
• Denial of service (DoS) vulnerabilities, for example - sending a large volume of requests or data (flooding);
• Ability to send a large number of messages;
• Ability to send spam or a malware file (for example, registration or password recovery spam);
• Disclosure of information through external links not controlled by Mail.Ru or VK.com (for example, Google dorking of private protected areas of robots.txt);
• Disclosure of unused or properly restricted JS API keys (for example, an API key for an external map service);
• Ability to perform an action not available through the user interface and without identified security risks;
• Vulnerabilities associated with the use of phishing and other social engineering techniques;
• Disclosure of /metrics, /status, htaccess or similar without a demonstrated information security threat (for example, disclosure of private API methods, tokens);
• Blind SSRF vulnerabilities without demonstrating a threat to the service's information security in the report;
• EXIF metadata in images;
• SSRF vulnerabilities that involve sending requests via rentgen*.smailru.net, snipster.*.go.mail.ru, mpr*.m.smailru.net, rs-proxy*.i.smailru.net or other proxies specifically designed to protect against SSRF;
• Vulnerabilities that disclose only user accounts but not passwords or other personal data.

We consider bug reports as informational if:

• The vulnerability discloses information about hacked accounts of external users for Mail.Ru or VK.com services;
• The vulnerability is identified in a service independently hosted by the user (Mail.Ru\VK Cloud hosting network, hosting of gaming team resources, hosting of student or laboratory work for educational projects, etc.).

Rewards: