Mail.ru Group

  • $150 – $60,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

5 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days


No technology is perfect and Mail.ru believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our applications. Good luck, and happy hunting!

Accepted languages:
🇬🇧 English
🇷🇺 Russian

Ratings

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Rewards

All amounts are for reference purposes only. Reward applicability and the reward amount may depend on problem severity, novelty, exploitation probability, environmental and other factors. The reward decision is made by the Mail.Ru security team for each report individually.


Mail.ru authentication center, mail, content and news projects

| Vulnerability | Main Scope | Content |
|---|---|---|
| Remote code execution (RCE) | $40000 | $60000 |
| Injections (SQLi or equivalent) | $30000 | $50000 |
| Local file access and manipulation (LFR, RFI, XXE) without jail/chroot/file type restrictions | $30000 | $50000 |
| RCE in a standalone isolated / virtualized single-purpose process (e.g. image conversion) | $7500 | $40000 |
| SSRF, non-blind (with ability to read reply text), except dedicated proxies | $10000 | $35000 |
| SSRF, blind, except dedicated proxies | $2000 | $15000 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of application-critical or highly confidential data (e.g. sessions, accounts, passwords, credit cards, e-mail messages) | $12500 | $45000 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of protected personal data or sensitive client information | $7500 | $35000 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of sensitive application or infrastructure data / role privilege escalation within the organization / insecure installation of a maintained VM image or software package (MCS)* | $1000 - $7500 | $150 - $35000 |
| Admin / support interface authentication bypass | $3000 | $30000 |
| Admin / support interface blind XSS | $2000 | $25000 |
| Cross-Site Scripting (XSS) on e-mail reading via message content (except AMP) | $2000 | $0 |
| Cross-Site Scripting (XSS) ** | $1000 | $0 |
| Cross-Site Request Forgery (CSRF, Flash cross-domain requests) | $150 - $1000 | $0 |
| Mobile application local account compromise or full data access | $1000 | $0 |
| Remote DoS against mobile or desktop application (persistent/non-persistent) | $0 | $0 |
| SDC*** technique bypass for critical projects | $1500 | $0 |

* Verbose error outputs, local installation path disclosure, phpinfo() output, performance counters, etc. are not considered sensitive; reports like these are usually accepted without bounty. Software version disclosure reports are not accepted.
** Self-XSS, XSS specific to uncommon browsers (e.g. IE), XSS blocked by CSP, and other vectors without proven script execution are usually accepted without bounty. Unused subdomain takeover is considered under the same severity / conditions as XSS on the parent domain.
*** SDC is explained here; reports are accepted for SDC-aware domains with critical data: (e|m|tel|touch|light|cloud|calendar|biz).mail.ru. An SDC bypass is direct or indirect (through an SDC-unaware domain) access to the product-specific API of these projects without a valid sdc/sdcs cookie, and without having access to the auth.mail.ru ssdc cookie or valid user credentials. SDC is web-based; attacks via e.g. mobile applications are not considered.

AliExpress

The AliExpress scope only awards critical server-side vulnerabilities: those that compromise the infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc.) or data outside of the project's scope (e.g. personal information) via a server-side vector.

Client-side vulnerabilities (XSS, CSRF) and business-logic-specific bugs, including privilege escalations within the product, are accepted without bounty.
MitM and local attacks, user enumeration on registration/recovery, open redirections, insufficient session expiration, cookies that keep working after logout, etc. are not accepted unless additional vectors are identified (e.g. the ability to steal the session token via a remote vector for an open redirection).

| Vulnerability | AliExpress |
|---|---|
| Remote code execution (RCE) | $8000 |
| Injections (SQLi or equivalent) | $4000 |
| Local file access and manipulation (LFR, RFI, XXE) without jail/chroot/file type restrictions | $4000 |
| RCE in a standalone isolated / virtualized single-purpose process (e.g. image conversion) | $4000 |
| SSRF, non-blind (with ability to read reply text), except dedicated proxies | $4000 |
| SSRF, blind, except dedicated proxies | $1000 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of application-critical or highly confidential data (e.g. sessions, accounts, passwords, credit cards, e-mail messages) | $4000 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of protected personal data or sensitive client information | $2000 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of sensitive application or infrastructure data * | $0-$2000 |
| Admin / support interface authentication bypass | $2000 |
| Admin / support interface blind XSS | $1200 |

* Verbose error outputs, local installation path disclosure, phpinfo() output, etc. are not considered sensitive; reports like these are usually accepted without bounty. Software version disclosure reports are not accepted.

Extended scope

The Extended scope only awards critical server-side vulnerabilities: those that compromise the infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc.) or compromise data outside of the project's scope (e.g. personal information) via a server-side vector.

Client-side vulnerabilities (XSS, CSRF) and business-logic-specific bugs, including privilege escalations within the product, are accepted without bounty.
MitM and local attacks, user enumeration on registration/recovery, insufficient session expiration, cookies that keep working after logout, etc. are not accepted unless additional impact is identified.

| Vulnerability | Ext. A | Ext. B | Ext. O |
|---|---|---|---|
| Remote code execution (RCE) | $60000 | $40000 | $200 - $2000 |
| Injections (SQLi or equivalent) | $50000 | $20000 | $150 - $1000 |
| Local file access and manipulation (LFR, RFI, XXE) without jail/chroot/file type restrictions | $50000 | $20000 | $150 - $1000 |
| RCE in dev. infrastructure (not very common in our program) / virtualized single-purpose process (e.g. image conversion) | $40000 | $17500 | $150 - $1000 |
| SSRF, non-blind (with ability to read reply text), except dedicated proxies | $35000 | $17500 | $0 - $1000 |
| SSRF, blind, except dedicated proxies | $15000 | $8000 | $0 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of application-critical or highly confidential data (e.g. sessions, accounts, passwords, credit cards, e-mail messages) | $45000 | $18000 | $150 - $1000 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of protected personal data or sensitive client information | $35000 | $10000 | $150 - $500 |
| Server-side vulnerability with information disclosure (e.g. memory leaks / IDORs) of sensitive application or infrastructure data * | $150 - $35000 | $0 - $10000 | $0 - $500 |
| Admin / support interface authentication bypass | $30000 | $10000 | $0 - $500 |
| Admin / support interface blind XSS | $25000 | $8000 | $0 |

* Verbose error outputs, local installation path disclosure, phpinfo() output, etc. are not considered sensitive; reports like these are usually accepted without bounty. Software version disclosure reports are not accepted.

Ext. A Projects

The Extended A scope has a projects table to help you search for vulnerabilities.

| Project | Domain |
|---|---|
| Corporate website | corp.mail.ru |
| RB Mail | rb.mail.ru |
| Rating | top.mail.ru |
| Money | money.mail.ru |
| Terra bank | tbank.mail.ru |
| Combo | combo.mail.ru |
| Notify | apinotify.mail.ru |
| Blog | blog.mail.ru |
| Youla | youla.ru, am.ru |
| Check fines | gibdd.mail.ru |
| Help | help.mail.ru |
| Target | target.my.com |
| Tracker | tracker.my.com |

Ext. B Projects

The Extended B scope has a projects table to help you search for vulnerabilities.

| Project | Domain |
|---|---|
| Boosty | boosty.to |
| Education service geekbrains | gb.ru |
| 33 Elephants | 33slona.ru |
| All Cups | cups.mail.ru |
| Warface | warface.com |
| Hustle Castle | hc.my.games |
| Left of Survive | lts.my.com |
| Zero City | zc.my.games |
| Conqueror's Blade | conqblade.com |
| Lost Ark | la.mail.ru |
| Skyforge | sf.mail.ru |
| Space Justice | sj.my.games |
| Crossfire | cfire.ru |
| Dino Squad | pixonic.com |
| Allods | allods.mail.ru |
| Evolution 2: Battle for Utopia | evo2.my.games |
| Perfect World | pw.mail.ru |
| Juggernauts Wars | jw.my.games |
| Jungle Heat | jh.my.com |
| MGVC | mgvc.com |
| Player One | games.mail.ru |
| Pixonic | pixonic.com |
| IT Territory | it-territory.ru |
| Pushkin Studio | my.games |
| Allods Team | allods.mail.ru |
| Studio Nord | my.games |
| VK Work | *.vkrabota.ru (including *.worki.ru and *.iconjob.co) |
| Whalekit | my.games |
| BIT.GAMES | bit.games |
| Armata | armata.my.games |
| Online .Net Development Championship | znakcup.ru |
| Warface | wf.mail.ru |

Scope rules

The program's scope is limited to technical vulnerabilities in the company's critical web services or mobile apps. To report problems accessing your account or non-security issues, please contact customer support.

A list of the projects can be found here:
Mail.Ru: https://mail.ru/all
My.Com: https://my.com/

We will not pay a reward (and we will be really upset) if we detect:

  • Physical tampering with Mail.Ru Group's data centers or offices
  • Social engineering directed at the company's employees
  • Breaking into the company's infrastructure and using the information obtained to report vulnerabilities
  • Attempts to access an arbitrary user's account or data, or any other post-exploitation of a vulnerability that is not required to demonstrate the bug's presence
  • Distributed network/request flooding and other resource exhaustion attacks. Automated scanning tools must be limited to 5 requests per second (300 requests per minute) to one target host, summing up all tools and threads running in parallel, and must not exceed 5 parallel requests at the same time (5 threads).

Please use your own accounts, phone numbers, etc to conduct your research. Do not try to gain access to others' accounts or any confidential information.

Reactive protection

Remember that you are testing a production environment that is in use, supported and monitored. To prevent a negative reaction, conduct your research in a responsible, less intrusive way and reasonably limit the impact of your tests on users, moderators and administrators.
Aggressive security scans and tests may trigger alerts and result in reactive measures being enforced, e.g. an account, phone number or IP may be blocked. Automated abuse reporting tools are not used by Mail.ru, but in some cases, if an attack resembles a real intrusion attempt, a manual abuse report may be sent by an administrator.
We believe moderation and monitoring processes must not be impacted by the bug bounty, and the security team does not interfere with moderation and abuse reporting decisions for individual cases.

How do I submit a bug report?

A bug report must give a detailed description of the discovered vulnerability and brief steps to reproduce it, or a working proof-of-concept. Video and screenshots can illustrate a bug report, but cannot replace it.

If you do not describe the vulnerability in sufficient detail, the discovery process is significantly prolonged, and that doesn't help anybody. It is also very desirable that the researcher explain how exactly he or she found the given vulnerability.

How are bug reports examined?

Reports about vulnerabilities are examined by our security analysts. Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.

Reports are reviewed within 15 days (this is a maximum period - we'll probably respond sooner).
If you prefer to remain anonymous, we recommend using an alias when submitting bug reports.

Participating reports

Only reports submitted via the bug bounty platform interface may be considered for a bounty. The date/time of the report on the bug bounty platform is considered the date/time of the report.

Duplicate reports

Different exploitation vectors for the same bug, or similar bugs, may be considered duplicates if the security team believes the information provided for a single vector/bug is enough to fix all the vectors or bugs reported.
A report of a known or duplicating vulnerability is considered a Duplicate. A Duplicate report is not eligible for a monetary reward. A report can be either a duplicate of another report from any bug bounty platform or a duplicate of a problem internally tracked by the Mail.Ru security team. Usually, access to the original report or some information from the internal task tracker is provided to the reporter of a Duplicate. In some cases the information may not be provided, if the Duplicate contains less information or a less critical exploitation vector than the original report.
A report is considered a duplicate of another report from any bug bounty platform if (a) there is an original report in the "New" or "Triaged" state with an earlier report date/time or a lower report number, or (b) it updates a report in the "N/A" or "Need more info" state, and that original report has been in the "N/A" or "Need more info" state for less than 1 week, or the researcher has provided sufficient information in the original report since it was moved to the "N/A" or "Need more info" state.
A report is considered a duplicate of an internal task if, at the time of the duplicate report, there is a task in the internal task tracker that is tracked by the Mail.Ru security team.

Also, public 0-day/1-day vulnerabilities may be considered duplicates within a few days after the vulnerability details are published, if the vulnerability is known to our team from public sources and we are working to mitigate or patch it.

Invalid reports

A report in the "N/A" or "Need more info" state that remains in this state for more than a week without sufficient new information being provided is considered invalid and does not participate in the bug bounty.

Reward payment

We will pay you a reward if you are the first person to report a given vulnerability.

The bounty decision will be made within 30 days after triage (this is a maximum period - we'll probably award sooner). A message will appear in your bug report, indicating that the vulnerability you reported has been confirmed and a reward has been granted.

Payments are made through Bugcrowd.

Vulnerability disclosure

Vulnerabilities must be disclosed only in accordance with the bug bounty platform's disclosure policy.
A request for vulnerability disclosure must be submitted via the bug bounty platform's report interface. We usually disclose reports within 4 weeks after the disclosure request or the fix, but we can request up to 3 months of additional time before vulnerability details are published. This time is required to distribute the fixed version and check it for regressions.
No vulnerability disclosure, including partial disclosure, is allowed before the vulnerability is disclosed on the bug bounty platform.
Any sensitive information, including (but not limited to) infrastructure and implementation details, internal documentation, procedures and interfaces, source code, and user and employee data, accidentally obtained during vulnerability research or demonstration must not be disclosed. Intentional access to this information is strongly prohibited.
Mail.ru does not disclose, and does not grant you any rights to disclose, vulnerabilities in 3rd-party products or services, unless these rights are explicitly given to you by the affected 3rd party.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.