Mail.Ru

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.delivery-club.ru URL high high high critical
Delivery Club runs a preliminary bug bounty program in which only high-severity server-side bugs are eligible. Client-side bug reports (XSS, CSRF) are accepted without monetary reward. BCP reports, e.g. SSL-related issues, are not accepted. Please read program rules for categories of the bugs accepted.
*.lootdog.io URL high high high critical
Loot Dog runs a preliminary bug bounty program in which only high-severity bugs are eligible. BCP reports, e.g. SSL-related issues, are not accepted. Please read program rules for categories of the bugs accepted.
3rd party or partner service used or branded by Mail.Ru OTHER low low low medium
3rd party projects and services are not covered by bug bounty terms and rules. Researchers must follow the rules and service agreement published by the resource being investigated. Mail.Ru does not authorize the researcher or provide permissions in any form to research third party resources for vulnerabilities; all permissions must be acquired by the researcher directly from the third party or partner. Only reports affecting mail.ru services or customers are accepted. Vulnerability information for a third party product or service cannot be disclosed within the Mail.Ru bug bounty program.
Another Mail.Ru subdomain OTHER medium medium medium critical
Reports for non-listed Mail.Ru projects are accepted, but are not currently eligible for bounty. In some cases, a bounty may be awarded on an individual basis for high-severity server-side vulnerabilities. Please read program rules for categories of the bugs accepted.
Another project / domain acquired by Mail.Ru OTHER medium medium medium critical
Reports for acquired non-listed Mail.Ru projects, including, but not limited to, delivery-club.ru, beepcar.ru, youla.io, maps.me, etc., are accepted, but are not currently eligible for bounty. In some cases, a bounty may be awarded on an individual basis for high-severity server-side vulnerabilities. Please read program rules for categories of the bugs accepted.
Mail.Ru networking infrastructure HARDWARE high high high critical
Please read program rules for categories of the bugs accepted: no version disclosure, same-site scripting, etc.
My.Com - another projects OTHER medium medium medium critical
Reports for non-listed My.Com projects are accepted, but are not currently eligible for bounty. In some cases, a bounty may be awarded on an individual basis for high-severity server-side vulnerabilities. Please read program rules for categories of the bugs accepted.
My.Com MyMail backend OTHER high high high critical
Please read program rules for categories of the bugs accepted.
My.Com networking infrastructure HARDWARE high high high critical
Please read program rules for categories of the bugs accepted: no version disclosure, same-site scripting, etc.
account.mail.ru URL high high high critical
Mail.Ru Account Management center. Please read program rules for categories of the bugs accepted.
auth.mail.ru URL high high high critical
Mail.Ru Authentication center. Please read program rules for categories of the bugs accepted.
biz.mail.ru URL high high high critical
Mail.Ru B2B services. Please read program rules for categories of the bugs accepted.
calendar.mail.ru URL high high high critical
Mail.Ru Calendar. Please read program rules for categories of the bugs accepted.
cloud.mail.ru URL high high high critical
Mail.Ru Cloud. Please read program rules for categories of the bugs accepted.
com.my.mail GOOGLE_PLAY_APP_ID high high high critical
MyCom MyMail for Android. Please read program rules for categories of the bugs accepted. Do not report bugs that are common to MyMail and Mail.Ru Mail.
com.my.mymail APPLE_STORE_APP_ID high high high critical
MyCom MyMail for iOS. Please read program rules for categories of the bugs accepted. Do not report bugs that are common to MyMail and Mail.Ru Mail.
e.mail.ru URL high high high critical
Mail.Ru Web Mail. Please read program rules for categories of the bugs accepted.
emx.mail.ru URL high high high critical
Mail.Ru B2B SMTP MX server. Please read program rules for categories of the bugs accepted.
health.mail.ru URL high high high critical
Mail.Ru Health. Subdomains are not included. Please read program rules for categories of the bugs accepted.
ideas.mail.ru URL low low high critical
Mail.Ru Ideas for Bis. Please read program rules for categories of the bugs accepted.
imap.mail.ru URL high high high critical
Mail.Ru IMAPv4 server. Please read program rules for categories of the bugs accepted.
light.mail.ru URL medium high medium critical
Mail.Ru Web Mail for older browsers. Please read program rules for categories of the bugs accepted.
m.mail.ru URL medium high medium critical
Mail.Ru Web Mail for older smartphones. Please read program rules for categories of the bugs accepted.
mail.ru URL high low high critical
Mail.Ru portal page. Only https://mail.ru/ portal page is covered by this asset, no subdomains included. Review bug bounty program's rules for categories of bugs accepted.
mxs.mail.ru URL high high high critical
Mail.Ru SMTP MX server. Please read program rules for categories of the bugs accepted.
o2.mail.ru URL high high high critical
Mail.Ru OAuth2 Authentication center. Please read program rules for categories of the bugs accepted.
pop.mail.ru URL high high high critical
Mail.Ru POP3 server. Please read program rules for categories of the bugs accepted.
ru.mail.auth.totp GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru Access Code (Код Доступа) application. Please read program rules for categories of the bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
ru.mail.calendar GOOGLE_PLAY_APP_ID medium medium medium critical
Mail.Ru Calendar Android application. Please read program rules for categories of the bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
ru.mail.cloud GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru Cloud Android application. Please read program rules for categories of the bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
ru.mail.mail APPLE_STORE_APP_ID high high high critical
Mail.Ru Mail iOS application. Please read program rules for categories of the bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
ru.mail.mailapp GOOGLE_PLAY_APP_ID high high high critical
Mail.Ru Mail Android application. Please read program rules for categories of the bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
ru.mail.mrcalendar APPLE_STORE_APP_ID high high high critical
Mail.Ru Calendar iOS application. Please read program rules for categories of the bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
ru.mail.mrcloud APPLE_STORE_APP_ID high high high critical
Mail.Ru Cloud iOS application. Please read program rules for categories of the bugs accepted. Cached data storage reports for non-authentication data and certificate pinning reports are not currently accepted.
smtp.mail.ru URL high high high critical
Mail.Ru SMTP submission server. Please read program rules for categories of the bugs accepted.
swa.mail.ru URL high high high critical
Mail.Ru Authentication center. Please read program rules for categories of the bugs accepted.
tel.mail.ru URL low high low critical
Mail.Ru Web Mail for older phones. Please read program rules for categories of the bugs accepted.
touch.mail.ru URL high high high critical
Mail.Ru Web Mail for touch devices. Please read program rules for categories of the bugs accepted.
Main scope OTHER high high high critical
Do not use this asset for reporting
Out-of-scope OTHER critical
Do not use this asset for reporting
Another Mail.Ru subdomain (except subdomains delegated to external entities) OTHER medium medium medium critical
Reports for non-listed Mail.Ru projects are accepted, but only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. Please read program rules for categories of the bugs accepted.
Delegated subdomain or branded partner service OTHER low low low medium
3rd party projects and services are not covered by bug bounty terms and rules. Researchers must follow the rules and service agreement published by the resource being investigated. Mail.Ru does not authorize the researcher or provide permissions in any form to research third party resources for vulnerabilities; all permissions must be acquired by the researcher directly from the third party or partner. Only reports affecting mail.ru services or customers are accepted. Vulnerability information for a third party product or service cannot be disclosed within the Mail.Ru bug bounty program.
Main scope (Mail, Cloud, Calendar, Biz, etc - see scope description) OTHER high high high critical
Do not use this asset for reporting
Another Mail.Ru project (except subdomains delegated to external entities) OTHER medium medium medium critical
Reports for non-listed Mail.Ru projects are accepted, but only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. Please read program rules for categories of the bugs accepted.
Sendbox (mailer.i.bizml.ru) OTHER medium medium medium critical
Reports for Sendbox projects are accepted, but only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. Self-XSS vulnerabilities within organization boundaries are not accepted. Please read program rules for categories of the bugs accepted.
Atom browser DOWNLOADABLE_EXECUTABLES low high high critical
The beta version of the Atom browser is available from https://browser.mail.ru/. We accept only vulnerabilities which affect Atom and do not affect vanilla Chromium. How to check whether your vulnerability is applicable:
1. Launch the Chromium version the current Atom release is based on (check the browser://version page).
2. Try to reproduce your bug in both Chromium and Atom.
3. If your bug only affects Atom, create a report. If your bug affects Chromium, check the latest Chromium version and, if it is also affected, send it to the [Chromium bug bounty](https://www.google.com/about/appsecurity/chrome-rewards/).
*.pandao.ru URL high medium high critical
Reports for Pandao projects are accepted, but only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Pandao.ru also awards billing-related server-side business logic reports if the report resolves a problem which could assist monetary fraud. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities unrelated to billing are accepted without bounty. Please read program rules for categories of the bugs accepted.
*.mail.ru / Mail.Ru - another project (except subdomains delegated to external entities) OTHER medium medium medium critical
Reports for non-listed Mail.Ru projects are accepted, but only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. Please read program rules for categories of the bugs accepted.
*.my.com / My.Com - another projects OTHER medium medium medium critical
Reports for non-listed My.Com projects are accepted, but only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. Please read program rules for categories of the bugs accepted.
Acquisitions, not integrated to Mail.Ru infrastructure OTHER medium high medium critical
Citymobil OTHER high high high critical
city-mobil.ru, *.city-mobil.ru and City Mobil applications. Only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. Please read program rules for categories of the bugs accepted.
Delivery Club OTHER high high high critical
[Delivery-Club](https://delivery-club.ru/): delivery-club.ru, *.delivery-club.ru, zakazaka.ru, *.zakazaka.ru except externally hosted / delegated domains or branded partner services
Ext O: Acquisitions, not integrated to Mail.Ru infrastructure OTHER medium high medium critical
Only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. BCPs, SSL/HTTPS-related reports and information disclosure without sensitive data (e.g. path disclosure) are not accepted. Please read program rules for categories of the bugs accepted.
Ext O: Delegated subdomain or branded partner service OTHER low low low medium
3rd party projects and services are not covered by bug bounty terms and rules. Researchers must follow the rules and service agreement published by the resource being investigated. Mail.Ru does not authorize the researcher or provide permissions in any form to research third party resources for vulnerabilities; all permissions must be acquired by the researcher directly from the third party or partner. Only reports affecting mail.ru services or customers are accepted. Vulnerability information for a third party product or service cannot be disclosed within the Mail.Ru bug bounty program. Only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. BCPs, SSL/HTTPS-related reports and information disclosure without sensitive data (e.g. path disclosure) are not accepted.
Ext. A Scope OTHER high high high critical
Productivity, e-commerce, B2B and content/news projects: \*.mail.ru, \*.my.com and dedicated project domains (\*.pandao.ru, \*.maps.me, \*.am.ru, \*.youla.ru, \*.vseapteki.ru, \*.seosan.io, etc.) except delegated and externally hosted domains and branded partner services. The extended scope only awards critical server-side vulnerabilities if they lead to compromise of infrastructure or sensitive data. Client-side vulnerabilities (XSS, CSRF) and business logic specific bugs are accepted without bounty.
Ext. B Scope OTHER medium high high critical
Gaming, entertainment, recruitment, educational projects, realty services, taxi services and unlisted projects: \*.mail.ru, \*.my.com and dedicated project domains (worki.ru, geekbrains.ru, 33slona.ru, relap.io, game domains within Mail.Ru infrastructure), except delegated domains, externally hosted projects, acquisitions not integrated into Mail.Ru infrastructure and branded partner services. Reports for user-introduced vulnerabilities in hosted systems or hosted student projects are considered informative. The extended scope only awards critical server-side vulnerabilities if they lead to compromise of infrastructure or sensitive data. Client-side vulnerabilities (XSS, CSRF) and business logic specific bugs are accepted without bounty.
Hosting OTHER none none none none
User-introduced vulnerabilities in hosted services (Mail.Ru hosting / colocation networks, MCS "Infra" public cloud computing hosts, gaming teams' hosting, hosted student works for educational projects, etc.) are considered informative. Hosting networks can be identified by whois information or PTR name (e.g. a customer host in the MCS network may have a ###.mcs.mail.ru PTR, where ### is the last octet of the IP address).
Lootdog OTHER high high high critical
[Lootdog](https://lootdog.io/): lootdog.io, *.lootdog.io
Mail.Ru Cloud Solutions (MCS) OTHER high high high critical
mcs.mail.ru / *.mcs.mail.ru, infra.mail.ru / *.infra.mail.ru except customer-operated hosts in MCS Hosting networks. Reports for customer-introduced vulnerabilities in MCS Hosting networks are considered informative.
Ext. O: Acquisitions, not integrated to Mail.Ru infrastructure OTHER medium high medium critical
Only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. BCPs, SSL/HTTPS-related reports and information disclosure without sensitive data (e.g. path disclosure) are not accepted. Please read program rules for categories of the bugs accepted.
Ext. O: Delegated subdomain or branded partner service OTHER low low low medium
3rd party projects and services are not covered by bug bounty terms and rules. Researchers must follow the rules and service agreement published by the resource being investigated. Mail.Ru does not authorize the researcher or provide permissions in any form to research third party resources for vulnerabilities; all permissions must be acquired by the researcher directly from the third party or partner. Only reports affecting mail.ru services or customers are accepted. Vulnerability information for a third party product or service cannot be disclosed within the Mail.Ru bug bounty program. Only critical server-side vulnerabilities (RCE, XXE/SQLi, etc.) are eligible for bounty. Client-side vulnerabilities (XSS, CSRF) and application-specific business logic vulnerabilities are accepted without bounty. BCPs, SSL/HTTPS-related reports and information disclosure without sensitive data (e.g. path disclosure) are not accepted.
ICQ OTHER high high high critical
**ICQ web client**: web.icq.com
**ICQ web portal**: icq.com, \*.icq.com, agent.mail.ru
**ICQ API Sandbox**: \*.icq.net (*the ICQ API relies on tokens rather than cookies and basic auth and is generally resistant to cross-site attacks; check the real impact of cross-site access before reporting*).
**ICQ Application (mobile)**: [ICQ for Android](https://play.google.com/store/apps/details?id=com.icq.mobile.client&hl=en), [ICQ for iOS](https://apps.apple.com/us/app/icq-messenger-video-calls/id302707408). Reports for Mail.Ru Agent are only accepted if the report is specific to this branded version.
**ICQ Application (desktop)**: [ICQ for Mac](https://icq.com/mac/en), [ICQ for Windows](https://icq.com/windows/en), [Source code](https://github.com/mailru/icqdesktop) (*the source code is not published with every ICQ version and may contain vulnerabilities already patched in the version distributed via the ICQ site. Only reports for vulnerabilities in the latest version distributed via the ICQ site are accepted*). Reports for Mail.Ru Agent are only accepted if the report is specific to this branded version.
MY.GAMES OTHER critical
MY.GAMES core services: my.games (without subdomains), account.my.games, community.my.games, profile.my.games, store.my.games, market.my.games, api.my.games, ac.my.games, *-ac.my.games, auth.my.games, c.my.games, o2.my.games, acint.my.games, dummy.my.games. Game subdomains do not belong to this scope. The My.Games scope only awards critical server-side vulnerabilities if they lead to compromise of infrastructure or sensitive data. Client-side vulnerabilities (XSS, CSRF) and business logic specific bugs are accepted without bounty. MitM and local attacks, user enumeration on registration/recovery, open redirections, insufficient session expiration, cookies working after logout, etc. are not accepted unless additional vectors are identified (e.g. the ability to steal the session token via a remote vector).
Ext. O: Acquisitions, not integrated to Mail.Ru infrastructure and external cloud services OTHER medium high medium critical
This scope covers services and products related to or operated by Mail.ru but hosted outside of Mail.ru infrastructure: fresh and non-integrated acquisitions not mentioned in other scopes, various cloud services and externally hosted solutions. It also covers non-production hosts (e.g. staging and demo installations) of Mail.ru projects in MCS cloud hosting. ==The extended scope only awards critical server-side vulnerabilities if the vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc.) or data outside of the project's scope (e.g. personal information).== Client-side vulnerabilities (XSS, CSRF) and business logic specific bugs, including privilege escalations within the product, are accepted without bounty. ==MitM and local attacks, user enumeration on registration/recovery, open redirections, insufficient session expiration, cookies working after logout, information disclosure without sensitive data, etc. are not accepted== unless additional vectors are identified (e.g. the ability to steal the session token via a remote vector).
DonationAlerts OTHER medium high high critical
`donationalerts.com`, `*.donationalerts.com`, `donationalerts.ru`, `*.donationalerts.ru` except delegated and externally hosted domains and branded partner services.
SberMarket OTHER high high high critical
SberMarket applications, `sbermarket.ru`, `*.sbermarket.ru`, `instamart.ru`, `*.instamart.ru` except delegated and externally hosted domains and branded partner services. ==The SberMarket scope only awards critical server-side vulnerabilities if the vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc.) or data outside of the project's scope (e.g. personal information) via a server-side vector.== Client-side vulnerabilities (XSS, CSRF) and business logic specific bugs, including privilege escalations within the product, are accepted without bounty. MitM and local attacks, user enumeration on registration/recovery, open redirections, insufficient session expiration, cookies working after logout, etc. are not accepted unless additional vectors are identified (e.g. the ability to steal the session token via a remote vector for open redirection).
Foodplex OTHER high high high critical
Foodplex applications, `ucs.ru`, `*.ucs.ru`, `plazius.ru`, `*.plazius.ru`, `*.r-keeper.ru` except delegated and externally hosted domains and branded partner services. ==The Foodplex scope only awards critical server-side vulnerabilities if the vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc.) or data outside of the project's scope (e.g. personal information) via a server-side vector.== Client-side vulnerabilities (XSS, CSRF) and business logic specific bugs, including privilege escalations within the product, are accepted without bounty. MitM and local attacks, user enumeration on registration/recovery, open redirections, insufficient session expiration, cookies working after logout, etc. are not accepted unless additional vectors are identified (e.g. the ability to steal the session token via a remote vector for open redirection).
Samokat OTHER critical
`samokat.ru`, `*.samokat.ru`, `samokat-team.ru`, `*.samokat-team.ru`, `samokat.io`, `*.samokat.io`, `smart.space`, `*.smart.space` and Samokat applications except delegated and externally hosted domains and branded partner services. ==The Samokat scope only awards critical server-side vulnerabilities if the vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc.) or data outside of the project's scope (e.g. personal information) via a server-side vector.== Client-side vulnerabilities (XSS, CSRF) and business logic specific bugs, including privilege escalations within the product, are accepted without bounty. MitM and local attacks, user enumeration on registration/recovery, open redirections, insufficient session expiration, cookies working after logout, etc. are not accepted unless additional vectors are identified (e.g. the ability to steal the session token via a remote vector for open redirection).
Content OTHER high high high critical
Content, portal, news projects (without subdomains): `news.mail.ru`, `sportmail.ru`, `pogoda.mail.ru`, `hi-tech.mail.ru`, `auto.mail.ru`, `hi-chef.ru`, `kino.mail.ru`, `tv.mail.ru`, `lady.mail.ru`, `horo.mail.ru`, `deti.mail.ru`, `dom.mail.ru`, `realty.mail.ru`, `vseapteki.ru`, `health.mail.ru`, `pets.mail.ru`, `dobro.mail.ru`, `wowsale.ru`, `mediator.media`, `mediator.mail.ru`, `relap.io`, `pulse.mail.ru`, `go.mail.ru`, `browser.ru`, `capsula.mail.ru`, `marusia.mail.ru`, `otvet.mail.ru`, `smotri.mail.ru`, `dictor.mail.ru` except delegated and externally hosted domains and branded partner services. ==The Portal scope only awards critical server-side vulnerabilities if the vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc.) or data outside of the project's scope (e.g. personal information) via a server-side vector.== Client-side vulnerabilities (XSS, CSRF) and business logic specific bugs, including privilege escalations within the product, are accepted without bounty. ==MitM and local attacks, user enumeration on registration/recovery, open redirections, insufficient session expiration, cookies working after logout, etc. are not accepted== unless additional vectors are identified (e.g. the ability to steal the session token via a remote vector for open redirection).

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
Mail.Ru Agent and ICQ mobile and desktop applications DOWNLOADABLE_EXECUTABLES none
Report Mail.Ru Agent and ICQ bugs to https://hackerone.com/icq
icq.com URL critical
Report ICQ bugs to https://hackerone.com/icq
love.mail.ru URL critical
Report love.mail.ru bugs to Wamba bug bounty program: http://corp.wamba.com/en/developer/security/
ok.ru URL critical
Report Odnoklassniki (ok.ru) bugs to https://hackerone.com/ok
vk.com URL high high high none
Report VKontakte (vk.com) bugs to https://hackerone.com/vkcom
Out-of-scope OTHER none
Do not use this asset for reporting