The best time for Yandex BugBounty
Hello, dear Khabrovsk residents. I have long wanted to study the results of the Yandex BugBounty program. Finally got around to it. In this simple and short article, I looked at the available data on it, found some patterns and found the top bughunters. If anyone is interested in which quarter of the year has the most bug reports, or which month is the best to find them, please see cat.
Not long ago, about six months ago, I managed to get into Hall of Fame Yandex BugBounty, however, obviously didn’t pay me anything for this, but at least they admitted that it was a bug. Of course, I did all this in the hope of earning extra money and not because I love money, no – out of principle! – as the classic correctly noted. Besides, once you get into the hall of fame, it’s certainly an honor; you’re not ashamed to tell your work colleagues about it over lunch.
Moreover, in 2023 Yandex paid 70 million rubles to bag hunters, and in 2024 he wants to allocate at least 100 million. Moreover, the largest payments in 2023 are 12 million, 7.5 million and 3.7 million rubles. I would say it sounds good, all that’s left is to find a couple of good, fat bugs and it’s done.
Let's try to increase our chances, the payout amounts are frankly enticing, diamond smoke is already on the ceiling, pearl beads are rolling on the table and jumping on the floor… in general, the hint is clear, but what if you get lucky, someone broke the bank, and we are no worse !
First of all, you need to study the data from the official site programs. We have access to some information about bug hunters who found some kind of bug in Yandex sites/products for each month starting from November 2014. All we know is the name, avatar and link to the bughunter’s account, as well as who was in which month.
Calculation of statistics by year
2014 and 2024 are not complete and are not suitable for statistics, but the data for these years will be useful to us when we need to look at the top bughunters and count how many times they were added to the hall of fame. In total, the total number of records that will be used in the calculation, starting from 2015 and ending with 2023, is 1358 pieces, or rather, this is the number of bug reports sent from bug hunters who found at least one bug per month.
The first thing that comes to mind is to count the number of these reports by year. If you look at the graph below, you will notice that from the beginning of the program their number gradually decreases from year to year, but starting from the middle it increases again. Here we can assume that at the start there was more attention, and many bugs were found that were on the surface. Over time, the number of bugs decreased, and the number of Yandex products grew, and accordingly, the number of bugs found began to increase again.
You can’t draw too many conclusions from breaking it down by year, but well, you can go the other way and break down the number of reports sent by month.
Yes, you can’t see much here either, it turned out to be very detailed, except that you can notice that most of the zeros fall at the beginning of the years, and the most profitable months are at the ends.
This is already more interesting, you can try to summarize the data more and group the number of reports by quarter of the year. Yes, in the chart below you can clearly see that the most reports come in the second and fourth quarters.
Indeed, for all 9 years that were included in the study, the maximums were always in the 4th and 2nd quarters. It can be assumed that in the first quarter of the year they release some kind of feature, in the second the bugs are already fixed, not without the help of bug hunters. In the fourth quarter of the year, there is usually a rush to close projects, hence the number of errors.
Quarter | Number of maxima |
4 | 5 |
2 | 4 |
Since it has become clear in which quarter of the year there is the greatest chance of finding a bug, you can at the same time try to select the month with the maximum number of reports for the year and count the number of such months that most often became the maximum in the number of reports. Well, it’s not surprising that the first three months in the top are included in the second and fourth quarters, namely, the most chances of finding a bug are in December, April and October.
Month | Number of maxima |
December | 3 |
April | 2 |
October | 2 |
Well, since this is the case, then we can at the same time, from the other side, look at which months are historically least likely to find a bug, judging by the number of minimum reports that fall on them.
January is the worst month, followed by April and May
Month | Number of minimums |
January | 3 |
April | 2 |
May | 2 |
April is both a maximum and a minimum, but we can definitely say that at the beginning of the year there is less chance of finding a bug, January is the worst month, but at the end of the year the probability of detection increases, December is the best.
Bughunter rating.
And now the time has come to take a closer look at the bughunters.
During the period under review from 2014 to 2024 inclusive, 542 bug hunters found at least one bug worthy of a hall of fame in the BugBounty program. I think here we can neglect the fact that for some reason someone registered bugs from different accounts. In general, we can say for sure that there are definitely over 500 unique bughunters.
Of these, if you look at the top 10, simply amazing people appear. Bughunter entered the hall of fame from first place 51 times, the number of bugs he found is even greater (although, as we know, Yandex does not always pay for them).
Sergey – 51
nn9899 – 38
Deepak Kivande – 38
pyrk1 – 31
amlnspqr – thirty
Thomas Anderson – 28
fle_xxx – 24
xsstestov – 22
h3llwish – 22
Karim Valiev – 22
This, of course, is simply amazing; at the moment, out of the 113 months of the program reviewed, the top baghunter was included in 51 of them. In other words, he finds at least one bug in about two months. One thing can be said for sure: how the gears of top bug hunters work is simply something. I barely found one bug, I think they added me to the hall of fame only because I was annoying and so they decided to just brush it off, but then someone was there 51 times!
Remembering my motivation to look for bugs, I finally thought that it would be nice to transform from Thomas A. Anderson into Neo. But there is no magic red pill, you have to work hard and hard, they definitely won’t show this in the movies.
However, not everything is so bad, because every month, as I correctly estimated in my last articlea certain number of new faces appear in the hall of fame, now you can estimate their number exactly according to the graph below.
On average, newcomers make up 38% of the total number of hunters per month. I don’t think that all these people have some kind of sacred knowledge that is accessible only to a select few.
Moreover, one should not think that all the errors that were on the surface were found and only complex and difficult to find ones remained. As popular wisdom rightly says: “he who does nothing makes no mistakes,” and Yandex does a lot, and while new products are being introduced and old products are being changed, there will be bugs, all that remains is to find them.
Source code link github.com
Thank you for your attention, good luck in finding bugs and of course white hat!