For proper operation, add the following string to /etc/hosts:

The following resources are available for participants:

The main focus of the program is on authentication bypass vulnerabilities.

• Participants must be at least 18 years old.
• Researchers aged 14–18 are allowed to participate if they can present the written consent of a parent or a legal guardian.

• Follow the rules of the Positive Technologies vulnerability disclosure program as well as the Standoff Bug Bounty platform rules.
• Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
• Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and provide feedback if they have questions about the report.
• Do not disclose information about a vulnerability before public disclosure by Positive Technologies or before the non-disclosure period has expired.

• To promptly address identified security issues.
• To not make baseless accusations towards researchers.

Disclosure by mutual agreement. Information about a reported vulnerability can be made public if neither party objects. Both parties must state their agreement in the comment section under the report. Until then, the vulnerability information is not allowed to be disclosed.

Program participants are not allowed to do the following:

• Tamper with user accounts without their owners' permission.
• Use detected vulnerabilities for personal purposes.
• Use vulnerability testing tools that automatically generate large amounts of traffic and cause resource exhaustion attacks.
• Conduct attacks that compromise integrity and availability of services (for example, DoS and brute-force attacks) or attempt to exploit a resource exhaustion vulnerability. If you find such a vulnerability, report it to the Positive Technologies security team for simulation of an attack in a test environment.
• Perform physical attacks on Positive Technologies employees, data centers, or offices.
• Spam or carry out social engineering attacks (phishing, vishing, and so on) against Positive Technologies customers, partners, or employees.
• Analyze server infrastructure where web applications are hosted.

If a vulnerability is discovered in third-party software (for example, open source libraries) used by Positive Technologies, the researcher will receive a limited reward that can be increased at the discretion of the contest commission. Detection of vulnerabilities other than those in the list below may be rewarded at the discretion of the commission, depending on their severity, but payment is not guaranteed.

No reward will be given for:
• Reports generated by security scanners and other automated tools.
• Disclosure of non-sensitive information (such as the software name and version or technical characteristics and metrics of the system).
• Information about IP addresses, DNS records, and open ports.
• Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
• Reports of vulnerabilities whose exploitation is prevented by information security tools without demonstrating how to bypass the security tools.
• Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
• Reports indicating the lack of SSL or other best current practices (BCPs).
• Reports of vulnerabilities already reported by other participants (duplicate reports).
• Reports of publicly available 0-day or 1-day vulnerabilities.
• Reports of brute-force vulnerabilities without providing an attack method that is significantly more efficient than a straight-forward brute-force approach.
• Bypass of attack detection rules.

A vulnerability report must contain the following:
• Vulnerability name.
• Product name and version of the vulnerable software (or component).
• Proof of concept (PoC) or detailed description of the discovered vulnerability and steps to reproduce it.
• Description of the attack scenario: who can exploit the vulnerability, for what purpose, in what circumstances, and so on.
• Recommendations for remediation.

You can attach videos and screenshots to your report, but they cannot replace the report (it must be filled out).

If you identify multiple security issues in Positive Technologies services, prepare a separate report for each vulnerability.

Vulnerability reporting is subject to the platform rules.