An ecosystem of cloud products for cybersecurity designed by Positive Technologies
Positive Technologies works continuously to create products that are trusted by companies from all over the world. Our experience shows that there is no such thing as a completely secure system. That's why we launched a bug bounty program to reward researchers for reporting vulnerabilities in our own services.
• All resources in the ptcloud.ru domain and its subdomains
Note. If you discover an out-of-scope vulnerability, please report it to us too. Our security team will review your report and take measures to fix the problem.
• Participants must be at least 18 years old.
• Researchers aged 14–18 are allowed to participate only if they can present the written consent of a parent or a legal guardian.
• Positive Technologies employees cannot participate in the program.
• Follow the vulnerability disclosure rules of the Positive Technologies program and the Standoff 365 Bug Bounty platform.
• Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
• Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and provide feedback if they have questions about the report.
• Promptly report vulnerabilities without disclosing information about them before public disclosure by Positive Technologies or before the non-disclosure period has expired.
• Promptly address identified security issues.
• To not prohibit the disclosure of vulnerabilities without good reason.
• To not make baseless accusations against researchers.
Disclosure by default. If neither party objects, the report will be made public within 60 days of its acceptance.
Disclosure by mutual consent. Positive Technologies will discuss the disclosure timing and other details with the participant.
Disclosure to protect product users. If Positive Technologies obtains evidence that a vulnerability is currently being exploited or otherwise presents an immediate risk to customers, the company can immediately disclose information about the issue so that users can take protective measures.
Delayed disclosure. Some vulnerabilities may take longer than 60 days to fix. In that case, a vulnerability can be kept undisclosed until Positive Technologies fixes it.
Program participants are not allowed to do the following:
• Tamper with user accounts without their owners' permission.
• Use detected vulnerabilities for personal purposes.
• Use vulnerability testing tools that automatically generate large amounts of traffic and cause resource exhaustion attacks.
• Conduct attacks that compromise integrity and availability of services (for example, DoS and brute-force attacks) or attempt to exploit a resource exhaustion vulnerability. If you find such a vulnerability, report it to the Positive Technologies security team so that we can simulate an attack in a test environment.
• Perform physical attacks on Positive Technologies employees, data centers, or offices.
• Spam or carry out social engineering attacks (phishing, vishing, and so on) against Positive Technologies customers, partners, or employees.
• Analyze server infrastructure where web applications are hosted.
Examples of vulnerabilities we'll be happy to reward you for:
• Remote code execution (RCE)
• Injections (such as SQL and XML injections)
• Arbitrary file read or write, remote or local file inclusion (LFI/RFI)
• Flawed authentication/authorization
• Access control vulnerabilities
• Business logic vulnerabilities
• Insecure direct object reference (IDOR)
• Sensitive information disclosure
• Non-blind server-side request forgery (SSRF)
If a vulnerability is discovered in third-party software (for example, open source libraries) used by Positive Technologies, the researcher will receive a limited reward that can be increased at the discretion of the contest commission. Detection of vulnerabilities other than those listed above may be rewarded at the discretion of the commission, depending on their severity, but payment is not guaranteed.
No reward will be given for:
• Reports generated by security scanners and other automated tools.
• Disclosure of non-sensitive information (such as software name and version or technical characteristics and metrics of the system).
• Information about IP addresses, DNS records, and open ports.
• Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
• Reports of vulnerabilities whose exploitation is prevented by information security tools without demonstrating how to bypass the security tools.
• Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
• Reports indicating the lack of SSL or other current best practices.
• Reports of vulnerabilities already reported by other participants (duplicate reports).
• Reports of publicly available 0-day or 1-day vulnerabilities.
• Reports of brute-force vulnerabilities without providing an attack method that is significantly more efficient than a straight-forward brute-force approach.
A vulnerability report must contain the following:
• Vulnerability name.
• Product name and version of the vulnerable software (or component).
• Proof of concept (PoC) or detailed description of how to reproduce the security issue.
• Description of the attack scenario: who can exploit the vulnerability, for what purpose, in what circumstances, and so on.
• Recommendations for remediation.
You can attach videos and screenshots to your report, but they cannot replace the report (it must be filled out).
If you identify multiple security issues in Positive Technologies services, prepare a separate report for each vulnerability.
Vulnerability reporting is subject to the platform rules.