RBK.money Bug Bounty program policy
If you have found a security vulnerability in any of RBK.money's services, let us know. We will review all legitimate reports and do our best to fix the issue quickly. Before reporting a vulnerability, check the materials on this page, including the information disclosure policy, the conditions for obtaining a reward, and the vulnerabilities that should not be reported.
Program scope and terms
The Program's scope involves the following RBK.money domains:
If you find a vulnerability on another of our domains, a reward is assigned after investigation for critical vulnerabilities only. If you are unsure whether a service is eligible for a bounty, feel free to ask us.
- Use your own test accounts for vulnerability research. Do not interact with other accounts without their owner's permission.
- Avoid breach of data confidentiality.
- Do not use discovered vulnerabilities for your own benefit. This includes demonstrating additional risks, attempting to disclose confidential data or finding other problems.
- Do not use any vulnerability testing tools that automatically generate very significant volumes of traffic.
- Do not perform any attack that could harm the reliability / integrity of our services or data (denial-of-service attacks, etc.).
- Do not try to sneak into RBK.money offices or data centers.
- Do not perform spamming or social engineering attacks against our clients and employees, and do not carry out other similarly questionable activities.
Any design or implementation vulnerability that substantially affects the confidentiality or integrity of data is likely to be in scope for the Program. Common examples include:
- server-side code execution vulnerabilities
- authentication or authorization vulnerabilities
- business logic vulnerabilities
- cross-site request forgery
- cross-site scripting
Depending on their impact, some reported vulnerabilities may not qualify. Although we review them on a case-by-case basis, there are some common low-risk vulnerabilities that typically do not earn a reward.
Scope of the Program is limited to technical vulnerabilities in our services and web applications.
We do not accept or review reports generated by automated vulnerability scanners, or reports of:
- CSRF for non-significant actions (logout, etc.)
- Self-XSS without demonstration of real security impact for users or system
- framing and clickjacking vulnerabilities without a documented series of clicks that produce a real security impact
- lack of security mechanism / inconsistency with best practices without demonstration of real security impact
- not enforced SSL/TLS, use of insecure SSL/TLS ciphers
- attacks which require full access to passwords, tokens, browser profile or local system
- non-sensitive information disclosure (such as product or protocol version)
- bugs that don’t affect the latest version of modern browsers and bugs related to browser extensions
- vulnerabilities that only affect users with specific browsers
- attacks requiring exceedingly unlikely user interaction
- denial-of-service attacks or vulnerabilities related to rate limiting
- timing attacks that prove the existence of a user account, etc.
- insecure cookie settings for non-sensitive cookies
- bugs in content / services that are not owned or operated by RBK.money (including third-party services operating on our subdomains)
- vulnerabilities that RBK.money determines to be an accepted risk
- scripting or other automation, and brute forcing of intended functionality and parameters (including brute forcing of invoice or URL-shortener payment links, etc.)
Vulnerability report requirements
By submitting a bug report you agree to comply with the RBK.money information disclosure policy. Reports are accepted by email. Please send your report to: [email protected], with the subject: bugbountyRbk.
A bug report must contain a detailed description of the discovered vulnerability:
- vulnerable hosts and components
- discovered vulnerability and security impact
- reproduction steps
- attack scenario
- recommendations for remediation
Reproduction steps describe the required exploitation process step by step, in the proper order.
Attack scenario describes details about how an attacker would use the bug you are submitting, any necessary conditions for it to work, and what the attacker would gain through a successful attack.
Reports that clearly and concisely identify the affected component, present a well-developed attack scenario, and include clear reproduction steps will be triaged much faster.
We accept reports in Russian and English.
The minimum reward for a legitimate vulnerability report is $50. The maximum reward depends on the severity of the vulnerability.
In the event of duplicate reports, we award the bounty to the first person to submit the vulnerability. To reduce the chance that your report is a duplicate, we recommend letting us know about the bugs you find as early as possible.
We use the following criteria for assessing vulnerabilities:
- report quality
- possibility of exploiting a vulnerability
- the type of service in which the vulnerability was discovered
- assessment of the financial, reputational and other risks arising from the presence of the vulnerability
Our assessment of your findings is based on the worst possible consequences of the attack. For valid reports, RBK.money will determine rewards within the following ranges based on a number of criteria, including CVSS score. Please review the Scope sections for certain exclusions.
| | RCE | SQLi / SSRF / XXE | Stored XSS / IDOR | XSS / CSRF |
|---|---|---|---|---|
| No financial impact | $1,000 | $500 | $200 | $50 |
A given bounty is paid to only one individual. The number of bug reports one participant may submit to the Program is unlimited. RBK.money employees and their affiliates cannot participate in the RBK.money bug bounty Program.
Information disclosure policy
Public or private disclosure of the details of any vulnerability found in RBK.money services is allowed 30 days after the vulnerability is fixed, and only with the prior written consent of RBK.money.
Requests for vulnerability disclosure must be sent to [email protected]. No vulnerability disclosure, including partial disclosure, is allowed before approval has been obtained from RBK.money.
Any sensitive information accidentally obtained during vulnerability research or demonstration must not be disclosed. This information includes (but is not limited to): infrastructure and implementation details, internal documentation and interfaces, source code, and user and employee data. Any intentional access to this information is strictly prohibited and shall be considered illegal under the applicable law.