"Bug hunting" is Yandex's ongoing program to reward ethical hackers: specialists who understand computer security, find vulnerabilities in IT companies' products and report them in exchange for an award. In 2012, Yandex became the first company in Russia to launch such a program.
History
2024: Increasing the reward for bug hunters in smart devices to a million rubles
Yandex has expanded the Bug Hunt program for smart devices, adding the devices released in 2023: the Duo Max Station, Midi and TV Stations. The maximum reward for vulnerabilities found has risen from 600 thousand to a million rubles. This is expected to attract more "white hat" hackers to stress-test the devices. Yandex announced this on February 7, 2024.
The focus is on finding flaws in the new devices. Specialists who can bypass their protection and find critical vulnerabilities will receive up to a million rubles. Yandex has also increased rewards for vulnerabilities found in other devices, such as the Mini Clock Station or the Max Station. The amount depends on the severity of the flaw.
In 2023, Yandex invested more than 6 billion rubles in digital security, twice as much as a year earlier. The money went into developing secure storage systems, technologies for protection against DDoS attacks and fraud, access management systems and other key areas.
"Bug hunting" is Yandex's ongoing vulnerability search program. Anyone can try to find a vulnerability in the company's products, report it and receive an award. This approach allows the company to continually improve the reliability of its services and learn about potential risks in time.
2023
Payment of 70 million rubles to the participants of the program "Hunting for errors" for the year
In 2023, Yandex paid 70 million rubles to participants in the Hunt for Errors program, which is dedicated to finding vulnerabilities in the company's services and infrastructure. Yandex announced this on March 12, 2024. Compared to 2022, the total amount of payments almost doubled, owing to the launch of contests in various areas of the program with increased payouts, larger awards and a growing number of participants. In 2022, Yandex paid researchers about 40 million rubles.
In 2023, Yandex began paying increased rewards for vulnerabilities found and also held several contests targeting specific types of flaws. In a contest, awards can be up to ten times higher than regular payouts.
Contests have become a major part of Bug Hunting: they multiply the number of reports and focus hunters' attention on the security areas most important to Yandex. For example, one contest was devoted to protecting user data; the hunters' task was to search for errors and vulnerabilities that could lead to the disclosure of sensitive information.
In 2024, the company will allocate at least 100 million rubles to rewarding ethical hackers. Developing the "Bug Hunt" program is a way to attract more external specialists and further strengthen the protection of the company's services by promptly fixing the errors and vulnerabilities they find.
"We are interested in the growth of the Error Hunt audience, as this is an important part of testing our services for strength. The bug hunter community consists of strong developers, researchers and security specialists. For them, vulnerability scanning is an opportunity to use their skills and strengthen the security of the services they use daily. For us, it is additional help in strengthening the protection of our services and user data, as well as the ability to assess the security of services with an independent look," said Ivan Chalykin, a product security team lead at Yandex.
Results of "Hunting for Mistakes" 2023
In 2023, 528 researchers took part in the "Hunt for Mistakes." They submitted 736 reports that complied with the rules of the program. Researchers received payments for 378 unique, newly identified finds. All critical flaws have been fixed.
The largest payouts of 2023 (12 million, 7.5 million and 3.7 million rubles) came from the contest for critical vulnerabilities. The year's top earner, an ethical hacker who submitted 41 unique reports, received 17 million rubles in total. Second and third place went to hunters with total payouts of 12 million and 4.3 million rubles.
In 2023, XSS was the most common report category; a separate contest was held to find such flaws. Attackers can exploit XSS vulnerabilities to bypass a site's security policies and inject malicious code into its web pages.
Yandex opens a hunt for specific "holes" in its services, with a maximum reward of 2.8 million rubles
Yandex is launching a contest within the Bug Hunt program in which ethical hackers look for errors and vulnerabilities in Yandex services that can lead to the disclosure of sensitive information. The maximum reward for a critical vulnerability will be 2.8 million rubles, five times the usual payout for these categories of the program, Yandex representatives told TAdviser on August 1, 2023.
According to them, the reward depends on the severity of the vulnerability, how easily it can be exploited and its impact on the security of user and partner data. The contest runs until August 31.
Bug hunters can receive increased rewards for reports in two categories. The first is IDOR, or Insecure Direct Object Reference: flaws in a site's access controls through which attackers can reach private information by exploiting errors in the API.
The second category covers other technical errors and vulnerabilities that make it possible to access sensitive, restricted information, such as personal bookmarks, personal promotional codes or draft articles.
As Yandex specifies, researchers may use only their own test accounts to check for possible vulnerabilities; attempting to access other users' information is prohibited.
The company intends to give priority to the errors found during the competition and promptly correct them.
The lists of errors and vulnerabilities eligible for "hunting," as well as the monetary awards for their detection, can be found on the website of the "Hunting for Errors" program.
Yandex has increased the annual fund of the Bug Hunt program by 2.5 times - up to 100 million rubles
On June 22, 2023, Yandex announced that it would increase the total amount of payments in the Bug Hunt program in 2023. The company will allocate 100 million rubles to reward researchers who are looking for vulnerabilities in its products and infrastructure. The program helps to constantly strengthen the protection of services and quickly fix errors found.
Yandex will continue to reward participants even if total payouts exceed 100 million rubles, the company assures.
By June 2023, Yandex had already paid 35.5 million rubles to hunters; most of the awards came from the January contest, which offered tenfold payouts for finds in the Remote Code Execution and SQL injection categories.
The largest awards of the contest were 12 million, 7.5 million and 3.7 million rubles. The reward depends on the severity of the vulnerability, how easily it can be exploited and its impact on user data[1].
2022: Results of the "Bug Hunt" program in 2022
In 2022, Yandex permanently doubled the reward for each vulnerability found; for example, the maximum reward for SQL injection is now 900 thousand rubles instead of 450 thousand.
Total payouts for the year amounted to 39.7 million rubles; the largest were 2 million, 1.2 million and 1 million rubles.
During the year, 414 researchers took part in the "Hunt for Mistakes." They submitted 905 reports, of which 288 were unique and complied with the rules of the program. The remaining reports described vulnerabilities and errors that other researchers or Yandex's own security team had already identified.
277 hunters received awards, namely those who were first to submit a unique report. The most active participant submitted 64 reports and received 43 payouts. All errors found have been fixed, the company says.