The program's scope is limited to technical vulnerabilities in the company's web services or mobile apps.
To report problems accessing your account or non-security issues, please contact customer support.
We are currently offering a reward for finding vulnerabilities in the company's critical web services:
enumeration in SMTP):
Mail.ru Mail for iOS
Mail.ru Mail for Android
Mail.ru Cloud for iOS
Mail.ru Cloud for Android
Mail.ru Calendar for Android
Код Доступа Mail.Ru for Android
Код Доступа Mail.Ru for iOS
Vulnerabilities are only accepted for Android 5.0 and later and iOS 9.3 and
later and supported versions of Desktop OSes updated with latest vendor
Vulnerabilities in Android applications are also eligible for Google Play Bug Bounty.
Bugs common to both the Mail.Ru and MyMail applications or server side are usually accepted as a single bug.
Other My.Com applications and web services are outside the bug bounty scope.
(Delivery Club runs a preliminary bug bounty program in which only high-severity bugs are eligible. BCP reports, e.g. SSL-related issues, are not accepted.)
In time, we will add more and more of the company's projects to our bug bounty program.
You can also participate in the separate bug bounty programs for
Mail.ru Agent and ICQ - icq.com - https://hackerone.com/icq
VKontakte - vk.com - https://hackerone.com/vkcom
Odnoklassniki - ok.ru - https://hackerone.com/ok
love.mail.ru is developed and supported by the Wamba company and falls under the Wamba Bug Bounty Program.
If you find a vulnerability that does not concern one of the projects listed above, we will be happy to investigate it and thank you for reporting it to us, and you will be listed in our Hall of Fame. In this case, a reward is granted on a case-by-case basis for the most critical vulnerabilities only.
We do not accept/review reports with:
Reports considered as informative:
We will not pay a reward (and we will be really upset) if we detect:
Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.
A bug report must give a detailed description of the discovered vulnerability and brief steps to reproduce it, or a working proof-of-concept.
If you do not describe the vulnerability in sufficient detail, the discovery process is significantly prolonged, and that doesn't help anybody. It is also very desirable for the researcher to explain exactly how he or she found a given vulnerability.
Reports about vulnerabilities are examined by our security analysts. Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
Reports are reviewed within 15 days (this is a maximum period - we'll probably
If you prefer to remain anonymous, we recommend using an alias when submitting bug reports.
We will pay you a reward if you are the first person to report a given vulnerability.
Additionally, at least 3 months must pass from when you report the vulnerability before you publish details of the vulnerability. We ask this of you so that we have sufficient time to respond to you and fix the vulnerability.
A message will appear in your bug report, indicating that the vulnerability you reported has been confirmed and a reward has been granted. We may also ask you clarifying questions there or request additional information. Please keep track of your ticket.
Minimum reward for a vulnerability report: $100.
Payments are made through HackerOne.
Vulnerabilities must be disclosed only in accordance with HackerOne disclosure
Requests for vulnerability disclosure must be submitted via the HackerOne report interface.
No vulnerability disclosure, including partial disclosure, is allowed before the vulnerability is disclosed on HackerOne.
Any sensitive information, including (but not limited to) infrastructure and implementation details, internal documentation procedures and interfaces, source code, and user and employee data, that is accidentally obtained during vulnerability research or demonstration must not be disclosed. Intentional access to this information is strictly prohibited.
Contact us if you want more information.