
Mail.Ru Group announces the launch of a bug bounty program

We are convinced that feedback is one of the main ways to make services not only more convenient, but also safer. If you want protection to be truly effective, let researchers test its strength.

Mail.Ru Group announces the launch of its bug bounty program: from now on we will pay rewards for finding security problems in our projects. The program will be run together with HackerOne, one of the most respected platforms in the hacker community.



A small digression. HackerOne is a platform for coordinated vulnerability disclosure and bug bounty programs. It works with global Internet companies, including Microsoft and Facebook, and runs vulnerability search programs for them. Or, as the HackerOne web page puts it: "Simply put: hack all the things, send us the good stuff", and the reward follows. Incidentally, it was through the HackerOne platform that the reward was paid to the researcher who discovered the infamous Heartbleed vulnerability in OpenSSL, which was disclosed earlier this month and let attackers read memory from a large share of the world's TLS servers.

The first step of the joint Mail.Ru Group and HackerOne program will be a vulnerability-hunting contest. Reports can be submitted for one month: from April 21 to May 20, 2014. Mail.Ru Group's information security analysts will then process all submissions and on May 21, 2014 will announce the winners (by name or pseudonym).

The three researchers who find the most critical vulnerabilities will receive an additional cash prize:


The other participants will be rewarded as well. The minimum reward for a confirmed vulnerability is $150. There is no upper limit: the size of the reward depends only on the criticality of the problem found.

For which vulnerabilities can you get a reward?


Currently, rewards are paid for vulnerabilities found in the following Mail.Ru Group web services:

Mail.Ru Mail
e.mail.ru
*.e.mail.ru
touch.mail.ru
*.touch.mail.ru
m.mail.ru
*.m.mail.ru

Mail.Ru Cloud
cloud.mail.ru
*.cloud.mail.ru

Mail.Ru Calendar
calendar.mail.ru
*.calendar.mail.ru

Mail.Ru for Business
biz.mail.ru
*.biz.mail.ru

Mail.Ru Authorization Center
auth.mail.ru
*.auth.mail.ru
swa.mail.ru
*.swa.mail.ru

And also in the Mail.Ru Group mobile apps for iOS and Android that handle users' personal information in one way or another:
Mail.Ru Mail for iOS
Mail.Ru Mail for Android
Mail.Ru Calendar for Android
Mail.Ru Cloud for iOS
Mail.Ru Cloud for Android

Over time, other Mail.Ru Group projects may be added to this list.

What remains outside our program?


If you find a vulnerability in a project that is not on the list, your report will still be considered. In that case the reward is decided individually and depends heavily on the severity of the problem found.

Rewards are not paid for information obtained by means of:


When doing your research, please use only your own accounts. Do not attempt to access other people's accounts or any confidential information.

If you want to report a problem with access to your own account rather than a vulnerability, please contact our support team instead.

You found a vulnerability: what next?


Next, submit a bug report through our partner's site, HackerOne.com, where you will need to create an account. That is where you will communicate with Mail.Ru Group's information security analysts, check the status of your submission, get information about your reward (if one is awarded, of course), answer clarifying questions if needed, and so on.

The bug report must contain a detailed description of the vulnerability. It should also state, briefly but clearly, the steps that reproduce it, or provide a working proof of concept. If the vulnerability is not described in all the necessary detail, processing of the report will be greatly delayed.

It is also highly desirable that the researcher explain exactly how the vulnerability was found.

We are most interested in:

If you prefer to keep your name confidential, you can use a pseudonym when submitting bug reports.

How are bug reports handled?


Vulnerability reports, which must be submitted via the HackerOne.com platform, are reviewed by Mail.Ru Group's information security analysts. During the assessment we always assume the worst-case exploitation scenario and size the reward by the potential damage. The greater the damage, the greater the reward.

Reports are reviewed within 15 days (this is the maximum; most likely you will receive a response sooner).

Awards to researchers and feedback


All feedback on submissions, as well as payments, will go through the HackerOne platform.

A reward is paid only if you are the first to report the vulnerability. Otherwise, you will be given access to the ticket that describes it so you can track the status of the fix.

At least 3 months must pass from the moment you report a vulnerability before you may publish its details. We ask for this because we need enough time to respond to you and fix the vulnerability.

Confirmation that the vulnerability you reported is valid, as well as information about the reward, will appear in your bug report. Clarifying questions may also be asked there, so do not forget to check your ticket!

More detailed information about the Mail.Ru Group bug bounty program, and the submission form, can be found at https://hackerone.com/mailru .

Source: https://habr.com/ru/post/220157/
