REGULATIONS ON THE BUG BOUNTY PUBLIC CONTEST
(Version No. 7 March 06, 2023.)
Moscow
PREAMBLE
These Regulations on the Public Contest (hereinafter referred to as the Regulations) govern the organization and holding of the BUG BOUNTY public contest (hereinafter referred to as the Contest).
1. TERMS
The below terms and definitions used herein shall have the following meaning equally applicable to both the singular and the plural:
| Contestant | A legally capable individual aged 14 or older, acting on its own behalf and having completed a competitive task in accordance with the requirements hereof. Employees of the Organizer and/or its affiliated companies, any other persons involved in the organization of the Contest, members of their families and the author of the code, where a Vulnerability was found, citizens of the Ukraine, may not be Contestants. |
| Contest Committee | A number of persons composed of employees of the Organizer approved by the Organizer’s order to evaluate Results of the Contestants. |
| Task | Requirements to the content of the Result, the procedure of its transfer to the Organizer specified herein and terms posted in accordance with cl. 5 hereof. |
| Vulnerability | A technical deficiency of Yandex’s web services and applications, which makes it possible to challenge the integrity, availability or confidentiality of user information. |
| Result | A summary of completing the Task aimed at finding Vulnerability/-ies and sent by the Contestant to the Organizer within the timeframe specified in cl. 4 hereof. |
| Contest Winner | A Contestant, whom the Contest Committee decided to award following the evaluation of the Vulnerability he/she found. The number of winners is not limited. |
| Contestant | A legally capable individual aged 14 or older, acting on its own behalf and having completed a competitive task in accordance with the requirements hereof. Employees of the Organizer and/or its affiliated companies, any other persons involved in the organization of the Contest, members of their families and the author of the code, where a Vulnerability was found, citizens of the Ukraine, may not be Contestants. |
| Contest Committee | A number of persons composed of employees of the Organizer approved by the Organizer’s order to evaluate Results of the Contestants. |
| Task | Requirements to the content of the Result, the procedure of its transfer to the Organizer specified herein and terms posted in accordance with cl. 5 hereof. |
| Vulnerability | A technical deficiency of Yandex’s web services and applications, which makes it possible to challenge the integrity, availability or confidentiality of user information. |
| Result | A summary of completing the Task aimed at finding Vulnerability/-ies and sent by the Contestant to the Organizer within the timeframe specified in cl. 4 hereof. |
| Contest Winner | A Contestant, whom the Contest Committee decided to award following the evaluation of the Vulnerability he/she found. The number of winners is not limited. |
2. CONTEST AIMS AND OBJECTIVES
This Contest is open and pursues the following socially useful aim/-s and objective/-s: highlighting issues of information security of web services and applications, encouraging researches in this sphere, developing the community and generally promoting this branch.
3. CONTEST ORGANIZER
The Contest Organizer is YANDEX Limited Liability Company (OGRN: 1027700229193), place of business (legal and current address): 16 Leo Tolstoy St., Moscow, 119021, Russia.
4. CONTEST PERIOD AND PLACE
The Contest is held within the following time limits: from September 21, 2012 to December 31, 2025.
5. PROVISION OF INFORMATION ON CONTEST TERMS AND REQUIREMENTS TO RESULTS
5.1. Information on the terms of the Contest, the criteria, requirements and evaluation of the Results can be found on the website at: https://yandex.com/bugbounty
5.2. The Executor reserves the right to change the said terms in the manner stipulated by Art. 1058 of the Civil Code of the Russian Federation.
6. PARTICIPATION IN THE CONTEST
6.1. The Contestant shall apply for participation by clicking Submit after filling in data on the Result in the online form at: https://yandex.com/bugbounty/i/report
6.2. Acting as prescribed in cl. 6.1 hereof, the Contestant gives consent to the Organizer to process personal data specified in the login form and any other personal data sent by the Contestant to the Organizer as part of the Contest, for the purposes and on the conditions according to Privacy Policy (https://yandex.ru/legal/confidential). This consent shall be valid for three (3) years. The Finalists and Winners agree to have their public profiles created according to the Yandex Services User Agreement (https://yandex.ru/legal/rules), including the name and photo (the login and user icon), published on the website of the Organizer.
6.3. Additional data that shall be provided by the Contest Winners upon the Organizer’s request:
full name;
place of residence;
passport details;
date and year of birth;
- Insurance Number of Individual Ledger Account;
- ITN;
contact phone number;
bank details.
6.4. The Contestant shall not publish on the Internet or otherwise distribute the Results within 90 days from the date of the Results’ submission to the Organizer and shall make all possible efforts to prevent the third parties access to the Results. Otherwise, the Organizer reserves the right to refuse to grant the award to the Contestant.
7. PROCEDURE FOR DETERMINING THE WINNERS
7.1. A contest committee consisting of employees of the Organizer shall be established to evaluate Vulnerabilities. Members of the Committee shall be approved by the Organizer’s CFO.
7.2. The Contest Winners for each prize-winning place shall be determined by the Contest Committee at its own discretion.
7.3. Awards will be given only to those Contestants, who reported previously unknown vulnerabilities to the Organizer.
7.4. The Organizer shall notify the Contestant of the results of evaluation of the Vulnerability and the decision made by the Committee within thirty (30) days from the date, on which the Organizer received the Contestant’s report of the Vulnerability found.
8. SUMMARIZING THE CONTEST RESULTS
The Contest results will be summed up by posting information on the Winners on the Website at https://yandex.com/bugbounty/i/hall-of-fame
9. PRIZES
9.1. Prizes shall be provided by the Contest Organizer.
9.2. The Winners shall receive prizes in the amount defined in the Program scope and reward amounts section on the Website at: https://yandex.com/bugbounty (hereinafter referred to as the Prize). The Organizer reserves the right to change the amount of the prizes on a quarterly basis.
9.3. The Prize shall be paid by the Organizer within three (3) months from the date of announcing the results of evaluation of the Vulnerability found to the Contestant pursuant to cl. 7.4 hereof and provided the Winner submitted the documents listed in cl. 10.2 hereof in the manner stipulated in cl. 10.3 hereof.
The amounts mentioned in cl. 9.2 above include personal income tax that will be calculated, deducted and paid by the Organizer in conformity with the laws of the Russian Federation.
10. PROCEDURE FOR RECEIVING THE PRIZES
10.1. The Contest Organizer shall give the Prizes to the Winners by means of transfer of funds using the bank details specified by the Winner pursuant to cl. 6.1 hereof. In this respect, if the Winner is a foreign citizen, the funds shall be transferred to a bank account in US dollars at the rate set by the Central Bank of the Russian Federation for the date of payment.
10.2. To receive the Prize, the Winner shall provide the following documents and information within ten (10) days of the Organizer’s notice:
a copy of his/her passport or any other document certifying his/her identity and place of registration;
consent of his/her legal representative to processing of personal data (for persons aged between 14 and 18);
Confirmation of bank details, previously specified by the Contestant according to the cl. 6.1., or update of bank details.
10.3. . The documents and information shall be provided by the Winner to the Organizer at the Organizer’s place of business (cl. 3 hereof) on working days from 10.00 a.m. to 7.00 p.m. by mail to 16 Leo Tolstoy St., Moscow 119021 (marked “Vulnerability Detection in Yandex”) or electronically via the relevant form on the Website at: https://yandex.com/bugbounty/i/payment-settings.
11. FINAL PROVISIONS
11.1. The Contest shall be organized and held in the territory of the Russian Federation in conformity with the laws of the Russian Federation.
11.2. Registration of the Contestant in the manner described in cl. 6.1 hereof shall mean his/her unconditional acceptance of all terms of the Contest and these Regulations.
11.3. If the Contestant fails to provide the documents and information listed in cl. 10.2 hereof, in full, and if the Winner provides to the Organizer unreliable, incomplete or knowingly false information or in case of any other violations of these Regulations, the Prize shall not be paid to the Winner.
11.4. In all matters not covered by these Regulations the Parties shall be guided by the current laws of the Russian Federation.
11.5. All disputes and disagreements arising out of or in connection with the organization and holding of the Contest shall be settled by means of negotiations. Any disputable issues not resolved through negotiations shall be settled in court at the Organizer’s place of business.
11.6. The official text of the Regulations is only the Russian version, other versions in different languages are provided exclusively for Participants information.
Previous version of the document: https://yandex.ru/legal/yandex_bug_bounty_terms_conditions/11032021.
Previous version of the document: https://yandex.ru/legal/yandex_bug_bounty_terms_conditions/27092019.
Previous version of the document: https://yandex.ru/legal/yandex_bug_bounty_terms_conditions/21122018.
Previous version of the document: https://yandex.ru/legal/yandex_bug_bounty_terms_conditions/23082016.