Welcome to Kontur bug bounty program!
We deeply care about the security of our products and our users’ data. Therefore we encourage the public search of security issues and responsible disclosure. Below are the rules of our bug bounty program, please read them carefully.
We are pausing all payments for reports received from foreign researchers who are not in the Russian Federation and don't have a Russian bank card.
Rewards table
| Low | Medium | High | Critical |
|---|---|---|---|
| 3 500 — 7 000 ₽ | 7 000 — 35 000 ₽ | 35 000 — 70 000 ₽ | 70 000 — 105 000 ₽ |
The first researcher to report a previously unknown valid vulnerability may receive a reward. We offer monetary rewards and branded gifts. Our rewards are based on the severity of a vulnerability.
We individually evaluate all vulnerabilities using VRT and our expertise. The vulnerability severity might be lowered/increased depending on the actual possible attack impact.
Program rules
- Please provide detailed reports with reproducible steps and attack scenario. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- When looking for vulnerabilities, please avoid compromising the confidentiality and integrity of the data and the availability of our products.
- Do not perform automated brute force attacks, denial of service attacks (DoS and DDoS), do not send spam to our users, do not engage in social engineering and phishing of our employees and contractors.
- Contacting technical support and submitting any forms that will be processed by our employees are strictly prohibited.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Issues that we are already aware of and fixing will not qualify for bounty payout.
- Don’t disclose reported security issues to anyone without our permission.
- Public 0-day vulnerabilities with an official patch for less than 2 months may be considered as a duplicate if they are known to our team from public sources.
Program scope
- Domains in scope:
- Vulnerabilities found in other Kontur domains are accepted too, but reward decisions are up to the discretion of Kontur.
- We are interested in vulnerabilities found in all our products.
Out of scope vulnerabilities
We do not consider or accept as vulnerabilities:
- Reports from security scanners and other automatic scanning tools.
- Reports without a description of the exploitation scenario.
- Reports without a description of the security impact.
- Reports about missing security headers.
- Clickjacking reports based on missing HTTP headers. Valid PoC and attack scenarios with real security impact are required.
- Missing best practices.
- Attacks requiring MITM or physical access to a user’s device.
- Vulnerabilities affecting users of outdated browsers or platforms.
- Self-exploitation vulnerabilities.
If you find a vulnerability, please let us know via the form below. We will review your request within 5 business days and get back with the results.