Welcome to Kontur bug bounty program!
We pay special attention to the security of our products and our users’ data. Therefore we encourage the public search of security issues and responsible disclosure. Below are the rules of our bug bounty program, please read them carefully.
We are pausing all payments for reports received from foreign researchers who are not in the Russian Federation and don't have a Russian bank card.
Rewards table
| Low | Medium | High | Critical |
|---|---|---|---|
| 3 500 — 10 000 ₽ | 10 000 — 50 000 ₽ | 50 000 — 100 000 ₽ | 100 000 — 150 000 ₽ |
The first researcher to report a previously unknown valid vulnerability may receive a reward. We offer monetary rewards and branded gifts. Our rewards are based on the severity of a vulnerability.
We individually evaluate all vulnerabilities using VRT and our expertise. The vulnerability severity might be lowered/increased depending on the actual possible attack impact.
Program rules
- Please provide detailed reports with reproducible steps and attack scenario. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- When looking for vulnerabilities, please avoid compromising the confidentiality and integrity of the data and the availability of our products.
- Do not perform automated brute force attacks, denial of service attacks (DoS and DDoS), do not send spam to our users, do not engage in social engineering and phishing of our employees and contractors.
- Contacting technical support and submitting any forms that will be processed by our employees are strictly prohibited.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Issues that we are already aware of and fixing will not qualify for bounty payout.
- Don’t disclose reported security issues to anyone without our permission.
- Public 0-day vulnerabilities with an official patch for less than 2 months may be considered as a duplicate if they are known to our team from public sources.
Program scope
- Domains in scope:
- Vulnerabilities found in other Kontur domains are accepted too, but reward decisions are up to the discretion of Kontur.
- We are interested in vulnerabilities found in all our products.
Out of scope vulnerabilities
We do not consider or accept as vulnerabilities:
- Bugs which are not related to security.
- Social engineering issues.
- XSS, CSRF, CORS misconfiguration without security impact.
- Use of 3rd-party components with known vulnerabilities without valid POE (proof of exploitation) and POC.
- Reports from security scanners and other automatic scanning tools.
- Reports without an exploitation scenario description.
- Reports without a security impact description.
- Attacks requiring MITM or physical access to a user’s device.
Vulnerabilities list we might consider and accept without bounty:
- Missing best practices.
- Reports about missing security headers or cookie flags.
- Theoretical attacks without proof of exploitation.
- Content spoofing or text injection (except HTML injection).
- Non-sensitive information disclosure without security impact (e.g. software version, detailed error messages).
- Vulnerabilities in 3rd-party services, except for an insecure configuration.
- Vulnerabilities requiring root access or a specially modified device.
- Vulnerabilities affecting users of outdated browsers or platforms.
- Self-exploitation vulnerabilities.
- SMS and email spam.
If you find a vulnerability, please let us know via the form below. We will review your request within 5 business days and get back with the results.