Good day, everyone. I want to share some knowledge about the Yandex bug bounty program that I participated in. Luckily, I found one valid bug. For those who don't know what Yandex is:
"Yandex (Russian: Яндекс) is a Russian Internet company which operates the largest search engine in Russia with about 60% market share in that country. It also develops a number of Internet-based services and products. Yandex ranked as the 4th largest search engine worldwide, based on information from Comscore.com, with more than 150 million searches per day as of April 2012, and more than 50.5 million visitors (all company's services) daily as of February 2013. The company's mission is to provide answers to any questions users have or think about (explicit or implicit). Yandex also has a very large presence in Ukraine and Kazakhstan, providing nearly a third of all search results in those markets and 43% of all search results in Belarus."
SUMMARY OF MY BUG REPORT
Status: Fixed
Date Reported: January 14, 2014
Type of Vulnerability: Reflected Cross-Site Scripting (Non-Persistent XSS)
Affected URL: news.yandex.ru
Payload: refer to the screenshots
Payload 1

Payload 2

Steps of Disclosure
January 14, 2014: I reported the bug.
January 15, 2014: The Yandex Security Team replied to me, informing me that I had won a reward for the security report that I had submitted.
January 15-30: Negotiating the reward.
January 31, 2014: Upon retesting the vulnerability, I found out that they had already patched it (01-30-14). I requested their permission to publish it on my blog because it was already fixed.
They replied that it is OK to publish now, and gave me an update on the process regarding the rewards.
It is nice to work with others, especially when everyone has not yet met; it's a matter of trust and respect.
~IEEE Code of Ethics