
21/04/2014

Reward

100 $ 

Mail.ru

Accepted languages:
English
Русский


Program scope

The program's scope is limited to technical vulnerabilities in the company's web services or mobile apps.

To report problems accessing your account or non-security issues, please contact customer support.

We are currently offering a reward for finding vulnerabilities in the company's critical web services:

Mail.ru main portal page

mail.ru

Mail.ru Mail

Hint: you can switch the interface language

mail.ru
e.mail.ru
*.e.mail.ru
touch.mail.ru
*.touch.mail.ru
m.mail.ru
*.m.mail.ru
tel.mail.ru
*.tel.mail.ru
light.mail.ru
*.light.mail.ru
octavius.mail.ru
*.octavius.mail.ru

POP3/SMTP/IMAP, except protocol weaknesses (e.g. sender spoofing or user enumeration in SMTP):

smtp.mail.ru
mxs.mail.ru
pop.mail.ru
imap.mail.ru

Mail.ru Cloud

cloud.mail.ru
*.cloud.mail.ru

Mail.ru Calendar

calendar.mail.ru
*.calendar.mail.ru

Mail.ru for business

biz.mail.ru
*.biz.mail.ru
edu.mail.ru
*.edu.mail.ru
ideas.mail.ru
*.ideas.mail.ru

Mail.ru authorization center

auth.mail.ru
*.auth.mail.ru
o2.mail.ru
*.o2.mail.ru
account.mail.ru
*.account.mail.ru
swa.mail.ru
*.swa.mail.ru

Mail.Ru content services

health.mail.ru

Mail.ru mobile apps for iOS and Android

Mail.ru Mail for iOS
Mail.ru Mail for Android
Mail.ru Cloud for iOS
Mail.ru Cloud for Android
Mail.ru Calendar for Android
Код Доступа Mail.Ru for Android
Код Доступа Mail.Ru for iOS

Vulnerabilities are only accepted for Android 5.0 and later, iOS 9.3 and later, and supported versions of desktop OSes updated with the latest vendor patches.
Vulnerabilities in Android applications are also eligible for the Google Play Bug Bounty.

My.com's MyMail applications and server side

MyMail for iOS
MyMail for Android
MyMail mail server backends

Bugs common to both the Mail.Ru and MyMail applications / server side are usually accepted as a single bug.

Other My.com applications and web services are outside the bug bounty scope.

LootDog.io Web application

lootdog.io
*.lootdog.io

Delivery-Club.ru Web application

delivery-club.ru
*.delivery-club.ru
(Delivery Club runs a preliminary bug bounty program in which only high severity bugs are eligible. Best current practice (BCP) reports, e.g. SSL-related issues, are not accepted.)

In time, we will add more of the company's projects to our bug bounty program.

You can also participate in the separate bug bounty programs for:
Mail.ru Agent and ICQ - icq.com - https://hackerone.com/icq
VKontakte - vk.com - https://hackerone.com/vkcom
Odnoklassniki - ok.ru - https://hackerone.com/ok
love.mail.ru is developed and supported by the Wamba company and falls under the Wamba Bug Bounty Program.

What is not within the scope of the program?

If you find a vulnerability that does not concern one of the projects listed above, we will be happy to investigate it and thank you for reporting it to us, and you will be listed in our Hall of Fame. In this case, a reward is granted on a case-by-case basis for the most critical vulnerabilities only.

We do not accept/review reports with:

  • Reports from vulnerability scanners and other automated tools
  • Disclosure of non-sensitive information, such as product version
  • Disclosure of public user information, such as nick name / screen name
  • Reports based on product/protocol version without demonstration that a real vulnerability is present
  • Reports of a missing protection mechanism / best current practice (e.g. no CSRF token, no framing/clickjacking protection) without demonstration of real security impact for a user or the system
  • Reports regarding published and non-published SPF and DMARC policies
  • Logout CSRF
  • Vulnerabilities of partner products or services if Mail.Ru users / accounts are not directly affected
  • Missing SSL or other BCP for products beyond the main scope
  • Security of rooted, jailbroken or otherwise modified devices and applications
  • Ability to reverse-engineer an application, lack of binary protection
  • Open redirects on dedicated redirectors (r.mail.ru, click.mail.ru, go.mail.ru and alike) are not accepted. Open redirects on product domains are accepted, but do not qualify for a reward unless there is additional security impact, e.g. the ability to steal an authentication token.
  • Plain text, sound, image or video injection into the server's reply outside of the UI (e.g. in JSON data or an error message) if it doesn't lead to UI spoofing, UI behavior modification or other negative impact.
  • Same-site scripting, reflected file download and similar attacks with questionable impact
  • CSP-related reports for domains without CSP and for domain policies with unsafe-eval and/or unsafe-inline
  • IDN homograph attacks
  • IP/port scanning of external networks
  • Excel CSV formula injection
  • Attacks which require full access to a local account or browser profile
  • Denial of Service vulnerabilities
  • Ability to send a large amount of messages
  • Ability to send spam or a malware file
  • Information disclosure via external references outside of Mail.Ru's control (e.g. search dorks to private robots.txt-protected areas)

Reports considered informative:

  • User-introduced vulnerabilities in hosted services (Mail.Ru hosting network, MCS "Infra" public cloud computing hosts, gaming teams' hosting, hosted student works for educational projects, etc.)
  • Information on compromised user accounts

We will not pay a reward (and we will be really upset) if we detect:

  • Physical tampering with Mail.Ru Group's data centers or offices
  • Social engineering directed at the company's employees
  • Breaking into the company's infrastructure and using the information obtained to report vulnerabilities

Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.

How do I submit a bug report?

A bug report must give a detailed description of the discovered vulnerability and brief steps to reproduce it, or a working proof-of-concept.

If you do not describe the vulnerability in sufficient detail, the verification process is significantly prolonged, and that doesn't help anybody. It is also very desirable for the researcher to explain exactly how they found the vulnerability.

How are bug reports examined?

Vulnerability reports are examined by our security analysts. Our analysis is always based on the worst-case exploitation of the vulnerability, and so is the reward we pay.

Reports are reviewed within 15 days (this is a maximum period - we'll probably respond sooner).
If you prefer to remain anonymous, we recommend using an alias when submitting bug reports.

Reward payment

We will pay you a reward if you are the first person to report a given vulnerability.

Additionally, at least 3 months must pass from when you report the vulnerability before you publish details of the vulnerability. We ask this of you so that we have sufficient time to respond to you and fix the vulnerability.

A message will appear in your bug report, indicating that the vulnerability you reported has been confirmed and a reward has been granted. We may also ask you clarifying questions there or request additional information. Please keep track of your ticket.

Minimum reward for a vulnerability report: $100.

Payments are made through HackerOne.

Vulnerability disclosure

Vulnerabilities must be disclosed only in accordance with the HackerOne disclosure policy.
A request for vulnerability disclosure must be submitted via the HackerOne report interface.
No vulnerability disclosure, including partial disclosure, is allowed before the vulnerability is disclosed on HackerOne.
Any sensitive information, including (but not limited to) infrastructure and implementation details, internal documentation, procedures and interfaces, source code, and user and employee data, that is accidentally obtained during vulnerability research or demonstration must not be disclosed. Intentional access to such information is strictly prohibited.

FireBounty (c) 2015-2019