EN

Tarantool

Company: VK
Tarantool combines an in-memory DBMS and a Lua server in a single platform providing ACID-compliant storage. The use cases for Tarantool vary from ultra-fast cache to product data marts and smart queue services.
Rewards are paid to individual entrepreneurs and self-employed persons
Program description

Supported languages:

  • English
  • Russian

Bounty rules:

We accept vulnerability reports only if the vulnerability was previously unknown to the VK team.
The types of vulnerabilities eligible for bounties are listed in the "Maximum bounty" section at the end of the rules for the Bug Bounty program rules.
The bounty amounts shown in the description are for reference only.
The applicability and amount of a bounty may depend on the severity of the problem, novelty, likelihood of use, environment, and/or other factors.
The VK security team makes a bounty decision for each message individually.
Any vulnerabilities not listed in the "Maximum bounty" section are paid for at the discretion of the program owner.

Scope of the Bug Bounty program:

Domains:

*.tarantoolplus.ru, *.tarantool.io

Out of scope:

We do not accept bugs detected on client installations, except for attack vectors to clients via *.tarantoolplus.ru and *.tarantool.io.

Important:

Errors detected in demo stands or other open-source solutions not in the VK infrastructure, as well as vulnerabilities in domains used for client training, are accepted as informational and are not paid for.
Bugs identified on demo stands, dev infrastructure, domains used for training, delegated, externally hosted domains and partner services are accepted as informational and are not paid for.
0-day/1-day vulnerabilities may be considered as a duplicate within several weeks after vulnerability details publication.
Bug reports submitted by current or former employees (up to one year from the end of employment) of the VK Group are accepted without payment.
When testing RCE, SQLi, LFI, LFR, SSTI it is allowed to use only MINIMALLY possible POC for proof (sleep, accessing /etc/passwd, curl).
Publishing or disclosing bug report and/or any details associated with VK products without approval from VK's information security team is prohibited. We reserve the right to refuse any request for public disclosure of the report.
Vulnerability testing should only be done on your own accounts.
 

Limitations on the Bug Bounty program's scope:

MitM and local attacks, open redirects, insufficient session validation, handling cookies after logout, etc. are not accepted unless additional vectors are defined (e.g., the ability to steal a session token via a remote vector for open redirects).
It is recommended to limit all scanning tools to 10 requests per second.

We do not accept or review:

  • Bug reports from vulnerability scanners and other automated tools;
  • Disclosure of information that is not confidential, for example, the version of a product;
  • Disclosure of information about a user that is public, for example, a user's nickname;
  • Bug reports based on the version of a product/protocol (e.g. TLS version) without demonstrating the actual presence of a vulnerability;
  • Bug reports about a missing security mechanism/current best practice (e.g. missing - CSRF token, framing/clickjacking protection) without demonstrating an actual impact on the security of users or the system;
  • Messages about published and unpublished SPF and DMARC policies;
  • Cross-site request forgery leading to logout (logout CSRF);
  • Vulnerabilities in partner products or services, unless Mail.Ru or VK.com users/accounts are directly affected;
  • Security of rooted, jailbroken, or otherwise modified devices and applications;
  • Ability to reverse engineer an application, or the lack of binary protection;
  • Open redirection vulnerabilities are accepted only if a security impact is identified, such as the possibility of stealing an authorization token;
  • Injecting unformatted text, audio, images, or video into a server response outside of the user interface (for example, into JSON data or an error message), unless doing so replaces the user interface, changes the behavior of the user interface, or results in other negative consequences;
  • Same site scripting, reflected downloads, and similar attacks with questionable impact;
  • CSP-related bug reports;
  • IDN homograph attacks;
  • XSPA (scanning the IP addresses/ports of external networks);
  • Excel CSV formula injection;
  • Scripting in PDF documents;
  • Attacks that require full access to a local account, browser profile or physical access to the device;
  • Attacks based on scenarios where a vulnerability in a third-party site or application is required as a prerequisite and is not demonstrated;
  • Theoretical attacks without proof of feasibility;
  • Denial of service (DoS) vulnerabilities, for example - sending a large volume of requests or data (flooding);
  • Ability to send a large number of messages;
  • Ability to send spam or a malware file (for example, registration or password recovery spam);
  • Disclosure of information through external links not controlled by Mail.Ru or VK.com (for example, Google dorking of private protected areas of robots.txt);
  • Disclosure of unused or properly restricted JS API keys (for example, an API key for an external map service);
  • Ability to perform an action not available through the user interface and without identified security risks;
  • Vulnerabilities associated with the use of phishing and other social engineering techniques;
  • Disclosure of /metrics, /status, htaccess or similar without a demonstrated information security threat (for example, disclosure of private API methods, tokens);
  • Blind SSRF vulnerabilities without demonstrating a threat to the service's information security in the report;
  • EXIF metadata in images;
  • SSRF vulnerabilities that involve sending requests via rentgen*.smailru.net, snipster.*.go.mail.ru, mpr*.m.smailru.net, rs-proxy*.i.smailru.net or other proxies specifically designed to protect against SSRF;
  • Vulnerabilities that disclose only user accounts but not passwords or other personal data.

We consider bug reports as informational if:

  • The vulnerability is identified in a service independently hosted by the user (Mail.Ru\VK Cloud hosting network, hosting of gaming team resources, hosting of student or laboratory work for educational projects, etc.);
  • The vulnerability discloses information about hacked accounts of external users for Mail.Ru or VK.com services;

Maximum bounty:

VulnerabilitiesTier 1*Tier 2**
Remote code execution (RCE)1 000 000 ₽250 000 ₽
Server-side Injections (SQLi or an alternative)500 000 ₽125 000 ₽
Read local file content (LFR, RFI, XXE) without restrictions (jail/chroot/other file type restrictions)500 000 ₽125 000 ₽
RCE in the Dev infrastructure / isolated or virtualized process200 000 ₽0 ₽
Read local file content (LFR, RFI, XXE) in the Dev infrastructure / isolated or virtualized process50 000 ₽20 000 ₽
Non-blind SSRF (with the ability to read the response text), except for dedicated proxies200 000 ₽50 000 ₽
Blind SSRF, except for dedicated proxies50 000 ₽20 000 ₽
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of critical or highly sensitive application data10 000 ‑ 350 000 ₽10 000 ‑ 125 000 ₽
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of protected personal data or sensitive client information10 000 ‑ 250 000 ₽10 000 ‑ 100 000 ₽
Server-side vulnerability involving disclosure (e.g. memory leaks / IDORs) of sensitive application* or infrastructure data / organizational role privilege escalation10 000 ‑ 250 000 ₽10 000 ‑ 100 000 ₽
Attacks that cause service availability disruption (e.g., DOS via buffer overflow)100 000 ₽0 ₽
Admin/support authentication bypass250 000 ₽100 000 ₽
Blind XSS in the admin/support interface200 000 ₽75 000 ₽
Cross-site scripting (XSS)0 ‑ 20 000 ₽0 ‑ 5 000 ₽
*Tier 1 - includes vulnerabilities found in *.tarantoolplus.ru and *.tarantool.io infrastructure, except for delegated and externally hosted domains and branded partner services.
**Tier 2 - includes the vulnerabilities of the latest Tarantool releases published on the https://github.com/tarantool/tarantool/
Detailed error output, local installation path, phpinfo() output, performance counters, etc. are not considered confidential; such messages are usually accepted without payment of a bounty. Messages about disclosure of software versions are not accepted.
SSRF's are paid for only when demonstrate demonstrating a threat to the service's information security in the report.
Self-XSS, XSS specific to non-common browsers (e.g. IE), blocked CSPs and other vectors without proven script execution are generally accepted without reward. Subdomain takeovers are considered under the same severity/conditions as cross-site request forgery (CSRF).
Launched October 7, 2022
Edited April 16, 13:55
Program format
Vulnerabilities
Reward for vulnerabilities
up to ₽1M
Excl. tax
Top hackers
Overall ranking
Score
@cutoffurmind
14K
@kiojj
4.4K
@rivalsec
3.1K
Program statistics
₽2,309,525
Paid in total
₽104,978
Average payment
₽5,500
Paid in the last 90 days
51
Valid reports
60
Submitted reports
Description
Vulnerabilities
Ranking
Versions