Banner object (1)

Hack and Take the Cash !

751 bounties in database
21/04/2014 logo


100 $

Accepted languages:
???????? English
???????? Русский

Scope rules

The program 's scope is limited to technical vulnerabilities in the company's critical web services or mobile apps.

To report problems accessing your account or non-security issues, please contact customers support __.

For all participating mobile and desktop applications :
Vulnerabilities are only accepted for Android 5.0+ and iOS 9.3+ versions supported by application and vendor- and application-supported versions of Desktop OSes updated with latest vendor patches.
Vulnerabilities in Android applications are also eligible for Google Play Bug Bounty.

Bugs common for both Mail.Ru and MyMail application / serverside are usually accepted as a single bug.

These projects are covered by standalone bug bounty programs:: Agent and ICQ -
VKontakte - -
Odnoklassniki - - __- Wamba Bug Bounty Program __

A list of the projects can be found here:
Mail.Ru: __
My.Com: __

What is not within the scope of the program?

If you find a vulnerability that does not concern one of the projects listed above, we will be happy to investigate it and thank you for reporting it to us, you will be listed in our Hall of Fame. In this case, a reward is granted on a case by case basis for most critical vulnerabilities only.

We do not accept/review reports with:

  • Vulnerability scanners and another automated tools reports
  • Disclosure of non sensitive information, such as product version
  • Disclosure of public user information, such as nick name / screen name
  • Reports based on product/protocol version without demonstration of real vulnerability presence
  • Reports of missed protection mechanism / best current practice (e.g. no CSRF token, framing/clickjacking protection) without demonstration of real security impact for user or system
  • Reports regarding published and non-publised SPF and DMARC policies
  • Logout CSRF
  • Vulnerabilities of partner products or services if Mail.Ru users / accounts are not directly affected
  • Missed SSL or another BCP for products beyond the main scope
  • Security of rooted, jailbreaked or otherwise modified devices and applications
  • Ability to reverse-engineer an application, lack of binary protection
  • Open redirects on dedicated redirectors (,, and alike) are not accepted. Open redirects for product domains are accepted, but are not qualified for reward unless there is additional security impact, e.g. ability to steal authentication token.
  • Plain text, sound, image, video injection into server's reply outside of UI (e.g. in JSON data or error message) if it doesn't lead to UI spoofing, UI behavior modification or another negative impact.
  • Same site scripting, reflected download and similar attacks with questionable impact
  • CSP related reports for domains without CSP and domain policies with unsafe eval and/or unsafe inline
  • IDN homograph attacks
  • IP/port scanning to external networks
  • Excel CSV formula injection
  • Attack which require full access to local account or browser profile
  • Denial of Service vulnerabilities
  • Ability to send large amount of messages
  • Ability to send spam or malware file
  • Information disclosure via external references outside of Mail.Ru control (e.g. search dorks to private robots.txt protected areas)

Reports considered as informative:

  • User-introduced vulnerabilities in hosted services (Mail.Ru hosting network, MCS "Infra" public cloud computing hosts, gaming teams hosting, hosted student works for educational projects, etc)
  • Information on compromised user accounts

We will not pay a reward (and we will be really upset) if we detect:

  • Physical tampering with Mail.Ru Group's data centers or offices
  • Social engineering directed at the company's employees
  • Breaking into the company's infrastructure and using the information obtained to report vulnerabilities

Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.

How do I submit a bug report?

A bug report must give a detailed description of the discovered vulnerability and brief steps to reproduce it, or a working proof-of-concept.

If you do not describe the vulnerability in sufficient detail, the discovery process is significantly prolonged and that doesn't help anybody. It's also very desirable if researcher can explain how exactly he or she found a given vulnerability.

How are bug reports examined?

Reports about vulnerabilities are examined by our security analysts. Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.

Reports are reviewed within 15 days (this is a maximum period - we'll probably respond sooner).
If you prefer to remain anonymous, we recommend using an alias when submitting bug reports.

Reward payment

We will pay you a reward if you are the first person to report a given vulnerability.

A message will appear in your bug report, indicating that the vulnerability you reported has been confirmed and a reward has been granted. We may also ask you clarifying questions there or request additional information. Please keep track of your ticket.

Minimum reward for a vulnerability report: $100.

Payments are made through HackerOne.

Vulnerability disclosure

Vulnerability must be disclosed only with accordance with HackerOne disclosure policy.
Request for vulnerability disclosure must be submitted via HackerOne report interface. We usually disclosure reports within 4 weeks after disclosure request or fixing time, but we can request up to 3 months of additional time before vulnerability details are published. This time is required to distribute the fixed version and check it for regressions.
No vulnerability disclosure, including partial is allowed before vulnerability is disclosed on HackerOne.
If any sensitive information including (but not limited to) infrastructure and implementation details, internal documentation procedures and interfaces, source code, user and employees data accidentally obtained during vulnerability research or demonstration must not be disclosed. Intentional access to this information is strongly prohibited.
We do not disclosure and do not grant you any rights to disclosure vulnerabilities in 3rd party products or services, unless these rights are explicitly given to you by affected 3rd party.

Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2019