HH.ru invites researchers to find vulnerabilities in its web and mobile applications.
Rewards are paid to individual entrepreneurs and self-employed persons.
Program description

Rules for us

  • We respect the time and effort of researchers;
  • We respond within 5 business days;
  • We process reports within 10 business days after initial response;
  • We may extend processing times, but you will be informed about any delays;
  • We determine the reward amount within 10 business days after processing;
  • We do our best to keep you updated on our progress throughout the review.

Rules for you

  • Be an ethical hacker and respect the privacy of other users;
  • Avoid privacy violations, data destruction, and any disruption or harm of any of our services;
  • When testing web resources and APIs, use proper User-Agent HTTP headers and add an "X_Bug_Bounty: your_username" cookie parameter; this helps prevent your activity from being blocked as anomalous;
  • When testing hh.ru, use "Standoff" as your account's last name during account registration to avoid potential account suspension;
  • Automated scanning tools must be limited to 30 rps per target host, combining all tools and parallel threads;
  • Review all program rules before starting your research;
  • Present vulnerability information clearly and efficiently;
  • Notify us by email at bugbounty@hh.ru and coordinate in advance any testing of vulnerabilities that may affect other service users. After testing, remain available for 2 hours in case of a security incident.

Scope

  • hh.ru
  • api.hh.ru
  • dev.hh.ru
  • talantix.ru

Setka

  • setka.ru
  • api.setka.ru

Be aware! We recommend testing the Setka API through the mobile applications (vulnerabilities in the apps themselves are out of scope).

Vulnerability Rewards

Severity Level    Reward
Critical          250,000 – 500,000 ₽
High              80,000 – 250,000 ₽
Medium            30,000 – 80,000 ₽
Low               0 – 30,000 ₽

hh.ru Does Not Pay Rewards For:

  • Security scanner reports and other automated tool outputs;
  • Information about IP addresses, DNS records, and open ports;
  • Issues and vulnerabilities based on product version without demonstrating exploitation;
  • Vulnerabilities blocked by security tools without demonstrating bypass (e.g., WAF);
  • Reports on insecure SSL/TLS ciphers without demonstrating exploitation;
  • Vulnerabilities previously reported by other participants (duplicate reports);
  • 0-day and 1-day vulnerabilities publicly disclosed less than 30 days ago, and vulnerabilities with CVSS above 8 disclosed less than 14 days ago;
  • Self-XSS and other vulnerabilities that don't directly impact users or application data;
  • Vulnerabilities requiring browser versions released 6+ months prior to report submission (or no longer supported);
  • CORS misconfiguration without demonstrating exploitation;
  • Disclosure of username, email, or phone number existence in the system;
  • Disclosure of technical or non-sensitive information (e.g., product version, software used, stack traces);
  • Tabnabbing;
  • Clickjacking;
  • CSP-related reports for domains without CSP or domain policies with unsafe-eval and/or unsafe-inline;
  • Attacks requiring full access to a local account, browser profile or physical device;
  • Disclosure of user confidential information through external resources not controlled by hh.ru, such as data collected by spyware;
  • Vulnerabilities requiring complex or unlikely user interaction scenarios;
  • Missing best practices in DNS and mail service configuration (DKIM/DMARC/SPF/TXT);
  • Broken links to social media pages or unclaimed social media links and similar pages;
  • Ability to perform actions that are unavailable through the UI, where no security risk is identified;
  • Ability to create user accounts without restrictions;
  • User enumeration;
  • Disclosure of public user information;
  • Missing notifications for important user actions;
  • Leakage of sensitive tokens (e.g., password reset tokens) to trusted third parties over secure connections (HTTPS);
  • Reports related to hh.ru mobile application security;
  • Issues unrelated to security (for non-security issues, contact technical support at https://feedback.hh.ru/ticket/add);
  • Missing rate limits that don't affect business processes;
  • Spam;
  • Race conditions that don't impact business processes.

Missing security mechanisms or best practices without a demonstrated real impact on user or system security are accepted as "Informative". Examples include missing security HTTP headers (CSP, HSTS, etc.), cookie security flags (HttpOnly, Secure, etc.), CSRF protection, and SSL certificate issues.

Participant Requirements

  1. All interested researchers aged 18 and above may participate in the program.
  2. Researchers aged 14 to 18 may participate only with written consent from a parent or legal guardian.
  3. hh.ru employees and their family members are not eligible to participate.

hh.ru Obligations

hh.ru commits to:
  1. Prioritize security tasks and promptly address discovered vulnerabilities.
  2. Respect researchers and not obstruct report disclosure without clear justification.
  3. Not make unfounded accusations against researchers related to program participation.

Public Vulnerability Disclosure

Public disclosure is done by mutual agreement. hh.ru commits to open communication with researchers regarding disclosure timelines. Both parties may agree on when report contents will be made public.

Prohibited Actions

Researchers are prohibited from:
  • Accessing, modifying, destroying, or disclosing another user's data without their consent, including any confidential information accidentally obtained during vulnerability research or demonstration. Intentional access to such information is prohibited and may be considered illegal;
  • Affecting other users' accounts without their permission;
  • Using discovered vulnerabilities for personal gain;
  • Using vulnerability testing tools that automatically generate significant traffic volumes leading to resource exhaustion attacks;
  • Conducting attacks that harm service integrity and availability (e.g., DoS attacks, brute-force attacks), or attempting to exploit vulnerabilities aimed at resource exhaustion. Report such issues to the hh.ru security team, who will conduct testing in a test environment;
  • Conducting physical attacks on personnel, data centers, and company offices;
  • Conducting attacks on hh.ru systems using social engineering techniques (phishing, vishing, etc.) and spam campaigns targeting clients, partners, and employees;
  • Investigating the server infrastructure on which our web applications are hosted;
  • Disclosing vulnerability information before public disclosure by hh.ru.
If you discover multiple security issues while researching hh.ru services, prepare separate reports for each identified vulnerability.

RCE Testing Policy

Testing vulnerabilities that may lead to remote code execution must follow these rules:
During testing, all server actions are prohibited except:
  • Executing commands: ifconfig (ipconfig), hostname, whoami, id;
  • Reading contents of /etc/passwd and /proc/sys/kernel/hostname (drive:/boot.ini, drive:/install.ini);
  • Creating an empty file in the current user's directory.
Any other actions require prior approval from our security specialists.

SQL Injection Testing Policy

Testing vulnerabilities that may lead to SQL command injection must follow these rules:
During testing, all server actions are prohibited except:
  • Retrieving current database information (SELECT database()), its version (SELECT @@version), current user (SELECT user(), SELECT system_user()), or hostname (SELECT @@hostname);
  • Retrieving database schema (SELECT table_schema), table list (SELECT table_name), and column names (SELECT column_name);
  • Executing mathematical, conversion, or logical queries (including SLEEP) without extracting data (except those listed above).
Any other actions require prior approval from our security specialists.

File Upload and Read Policy

Testing vulnerabilities that may lead to arbitrary file reading on the server or arbitrary file upload must follow these rules:
Prohibited actions for file uploads:
  • Modifying, deleting, or replacing any files on the server (including system files), except those associated with your account or an account whose owner has explicitly consented;
  • Uploading files that may cause denial of service (e.g., large files);
  • Uploading malicious files (e.g., malware or spyware).
When gaining arbitrary file read access, all actions are prohibited except reading files such as /etc/passwd and /proc/sys/kernel/hostname (drive:/boot.ini, drive:/install.ini). Any other actions require prior approval from our security specialists.

Report Requirements

One report should describe one vulnerability. However, exceptions exist when vulnerabilities are related or can be combined into a chain.
Failure to meet the minimum report requirements may result in a reduced reward, or in denial of payment if the data provided is insufficient for verification.

Required Report Contents:

  • Vulnerability description;
  • Type of vulnerability discovered;
  • CVE (if applicable);
  • CVSS severity analysis;
  • Detailed reproduction steps (with request examples);
  • Vulnerable application URL;
  • Assessment of potential damage and risks to the company and its systems;
  • Remediation recommendations;
  • POC: screenshots, video, code snippets, request examples (for screenshots and video, make sure the file format is supported by the platform; links to external sources are prohibited).

Launched August 21, 2023
Program format: Vulnerabilities
Reward for vulnerabilities: up to ₽500K
Program statistics
  • Paid in total: ₽7,082,050
  • Average payment: ₽53,651
  • Paid in the last 90 days: ₽199,050
  • Valid reports: 195
  • Submitted reports: 236