The program's scope is limited to technical vulnerabilities in the company's critical web services or mobile apps.
To report problems accessing your account or non-security issues, please contact customer support.
The main scope includes the company's critical web services:
mail.ru (without subdomains)
Hint: you can switch interface language
enumeration in SMTP):
For all participating mobile and desktop applications:
Vulnerabilities are only accepted for Android 5.0+ and iOS 9.3+ versions supported by the application, and for vendor- and application-supported versions of desktop OSes updated with the latest vendor patches.
Vulnerabilities in Android applications are also eligible for Google Play Bug Bounty.
We accept only vulnerabilities that affect Atom and do not affect vanilla Chromium. How to check whether your vulnerability is applicable:
Mail.ru Mail for iOS
Mail.ru Mail for Android
Mail.ru Cloud for iOS
Mail.ru Cloud for Android
Mail.ru Calendar for Android
Код Доступа Mail.Ru for Android
Код Доступа Mail.Ru for iOS
Bugs common to both the Mail.Ru and MyMail applications or server side are usually accepted as a single bug.
Various My.Com applications and web services are in extended scope.
Projects not listed above are in extended scope except projects covered by standalone bug bounty programs:
Mail.ru Agent and ICQ - icq.com
VKontakte - vk.com - https://hackerone.com/vkcom
Odnoklassniki - ok.ru - https://hackerone.com/ok
love.mail.ru - Wamba Bug Bounty Program
If you find a vulnerability that does not concern one of the projects listed above, we will be happy to investigate it and thank you for reporting it to us, and you will be listed in our Hall of Fame. In this case, a reward is granted on a case-by-case basis for the most critical vulnerabilities only.
We do not accept/review reports with:
Reports considered as informative:
We will not pay a reward (and we will be really upset) if we detect:
Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.
A bug report must give a detailed description of the discovered vulnerability and brief steps to reproduce it, or a working proof-of-concept.
If you do not describe the vulnerability in sufficient detail, the discovery process is significantly prolonged, and that doesn't help anybody. It is also very desirable for the researcher to explain exactly how he or she found a given vulnerability.
Reports about vulnerabilities are examined by our security analysts. Our analysis is always based on worst-case exploitation of the vulnerability, as is the reward we pay.
Reports are reviewed within 15 days (this is a maximum period - we'll probably
If you prefer to remain anonymous, we recommend using an alias when submitting bug reports.
We will pay you a reward if you are the first person to report a given vulnerability.
A message will appear in your bug report, indicating that the vulnerability you reported has been confirmed and a reward has been granted. We may also ask you clarifying questions there or request additional information. Please keep track of your ticket.
Minimum reward for a vulnerability report: $100.
Payments are made through HackerOne.
Vulnerabilities must be disclosed only in accordance with HackerOne disclosure
Requests for vulnerability disclosure must be submitted via the HackerOne report interface. We usually disclose reports within 4 weeks after the disclosure request or fixing time, but we can request up to 3 months of additional time before vulnerability details are published. This time is required to distribute the fixed version and check it for regressions.
No vulnerability disclosure, including partial disclosure, is allowed before the vulnerability is disclosed on HackerOne.
Any sensitive information, including (but not limited to) infrastructure and implementation details, internal documentation procedures and interfaces, source code, and user and employee data, accidentally obtained during vulnerability research or demonstration must not be disclosed. Intentional access to this information is strictly prohibited.
We do not disclose, and do not grant you any rights to disclose, vulnerabilities in 3rd-party products or services, unless these rights are explicitly given to you by the affected 3rd party.
Contact us if you want more information.