Vulnerability search program

We deeply care about the security of our products and our users’ data. Therefore we encourage the public search for security issues and responsible disclosure. Below are the rules of our bug bounty program.

General information

  • We are interested in information about vulnerabilities found in all our products.
  • The first researcher to report a previously unknown vulnerability in any of these services will receive swag and may receive a monetary reward. The value of the reward depends on the potential consequences caused by the attack and the quality of the report provided.
  • When looking for vulnerabilities, please avoid compromising the confidentiality and integrity of the data and the availability of our products. Do not perform automated brute-force attacks or denial-of-service attacks (DoS and DDoS), do not send spam to our users, and do not engage in social engineering and phishing of our employees and contractors. Contacting technical support and submitting any forms that will be processed by our employees are strictly prohibited.
  • If you find a vulnerability, please let us know via the form below. We will review your request within 5 business days and get back to you with the results.
  • Don’t disclose reported security issues to anyone without our permission.

Report vulnerability

Vulnerability evaluation

We individually evaluate all vulnerabilities using VRT and our expertise.

We do not consider or accept as vulnerabilities:

  • reports from security scanners and other automatic scanning tools;
  • reports without a description of the exploitation scenario (for example, based only on product or protocol versions);
  • reports without a description of the potential consequences (for example, based on the absence of a security control or non-compliance with the recommendations, such as “absence of a CSRF token”);
  • reports about missing security headers.

Extended program rules for RuCTFE participants of the month of vulnerability search in Kontur.
