Bug bounty program for PT Dephaze

Limitations

General information

1. Web interface and management API

• Authentication/authorization bypass affecting the management console for simulations and agents.
• Cross-site scripting (XSS) in sections for creating attack scenarios or viewing reports, allowing an attacker to hijack an administrator's session.
• Insecure deserialization in an API used to schedule tasks or receive results from agents, which may lead to remote code execution (RCE).
• Server-side request forgery (SSRF) in features that check simulation targets, allowing attacks against internal systems.

2. Attack simulation engine

• Bypassing the "safe mode" for scenario execution, which may cause disruption of target systems, such as triggering a denial of service on a critical server.
• Manipulation or corruption of simulation outputs (reports) due to weaknesses in how the system collects and aggregates simulation data.
• Unauthorized execution of arbitrary code or commands on a target system outside the set of scenarios explicitly allowed by the approved scenario library.

3. BAS agents

• Removing, disabling, or bypassing BAS agent self-protection on a target host without having the necessary privileges.
• Compromising the agent in order to gain control over the system the agent is running on.
• Forging or modifying an agent's telemetry data reported to the central server in order to conceal actual activity or disguise an attack.

4. Attack and scenario library

• Updating the attack library from an untrusted external source (for example, by exploiting a vulnerability in the update mechanism).
• Injecting a malicious scenario into the shared library to be later executed by other users of the system.

Rewards

Participation requirements

Participant obligations:

• Follow the vulnerability disclosure rules of the Positive Technologies program and the Standoff 365 Bug Bounty platform.
• Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
• Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and provide feedback if they have questions about the report.
• Do not publicly disclose any details of the vulnerabilities discovered. Positive Technologies retains the right to decide if and when information about the reported vulnerability will be published.
• Public disclosure of a vulnerability is allowed only after a fix is released and a publicly registered CVE/BDU identifier has been assigned.
• If a researcher requests disclosure of the report, Positive Technologies will initiate the coordination process to register a vulnerability identifier.

Rewards for reported vulnerabilities

• Reports generated by security scanners and other automated tools.
• Disclosure of non-sensitive information (such as software name and version or technical characteristics and metrics of the system).
• Information about IP addresses, DNS records, and open ports.
• Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
• Reports of vulnerabilities whose exploitation is prevented by security tools, if the researcher does not demonstrate how to bypass the security tools.
• Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
• Reports indicating the lack of SSL or other best current practices (BCPs).
• Reports of vulnerabilities already reported by other participants (duplicate reports).
• 0-day or 1-day vulnerabilities identified by our security team based on information from open sources.
• Reports of brute-force vulnerabilities without providing an attack method that is significantly more efficient than a straight-forward brute-force approach.