Positive Technologies works continuously to create products that are trusted by companies from all over the world.
Our experience shows that there is no such thing as a completely secure system. That's why we launched a bug bounty program to reward researchers for reporting vulnerabilities in our own services.
PT Sandbox is one of our products designed to check files and emails for information security threats.
Program description

Objective

PT Sandbox protects corporate email. This program is intended for black-box testing of the product.

Scope

185.71.53.245:5555
The PT Sandbox help is available at help.ptsecurity.com.
Note. If you discover an out-of-scope vulnerability, please report it to us too. Our security team will review your report and take measures to fix the problem.

Participation requirements

• Participants must be at least 18 years old.
• Researchers aged 14–18 are allowed to participate only if they can present the written consent of a parent or a legal guardian.

Participant obligations

• Follow the vulnerability disclosure rules of the Positive Technologies program and the Standoff 365 Bug Bounty platform.
• Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
• Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and provide feedback if they have questions about the report.
• Promptly report vulnerabilities without disclosing information about them before public disclosure by Positive Technologies or before the non-disclosure period has expired.
 

Positive Technologies obligations

• Promptly address identified security issues.
• Not prohibit the disclosure of vulnerabilities without good reason.
• Not make baseless accusations against researchers.
 

Public vulnerability disclosure

Disclosure by mutual agreement. If neither party objects, the report will be made public. Both parties must state their agreement in the comment section under the report. Until then, the vulnerability information is not allowed to be disclosed.
 
Disclosure by mutual consent. Positive Technologies will discuss the disclosure timing and other details with the participant.
 
Disclosure to protect product users. If Positive Technologies obtains evidence that a vulnerability is currently being exploited or otherwise presents an immediate risk to customers, the company can immediately disclose information about the issue so that users can take protective measures.
 
Delayed disclosure. Some vulnerabilities may take longer than 60 days to fix. In that case, a vulnerability can be kept undisclosed until Positive Technologies fixes it.

Prohibited actions

Program participants are not allowed to do the following:
• Tamper with user accounts without their owners' permission.
• Use detected vulnerabilities for personal purposes.
• Use vulnerability testing tools that automatically generate large amounts of traffic and cause resource exhaustion.
• Conduct attacks that compromise integrity and availability of services (for example, DoS and brute-force attacks) or attempt to exploit a resource exhaustion vulnerability. If you find such a vulnerability, report it to the Positive Technologies security team so that we can simulate an attack in a test environment.
• Perform physical attacks on Positive Technologies employees, data centers, or offices.
• Spam or carry out social engineering attacks (phishing, vishing, and so on) against Positive Technologies customers, partners, or employees.
• Analyze server infrastructure where web applications are hosted.

Rewards for reported vulnerabilities

Rewards are only provided for server-side vulnerabilities of high and critical severity. Other reported issues will also be verified and fixed. No rewards are provided for client-side vulnerabilities.
If a vulnerability is discovered in third-party software (for example, open source libraries) used by Positive Technologies, the researcher will receive a limited reward that can be increased at the discretion of the contest commission. Detection of vulnerabilities other than those listed above may be rewarded at the discretion of the commission, depending on their severity, but payment is not guaranteed.
No reward will be given for:
• Reports generated by security scanners and other automated tools.
• Disclosure of non-sensitive information (such as software name and version or technical characteristics and metrics of the system).
• Information about IP addresses, DNS records, and open ports.
• Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
• Reports of vulnerabilities whose exploitation is prevented by information security tools without demonstrating how to bypass the security tools.
• Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
• Reports indicating the lack of SSL or other current best practices.
• Reports of vulnerabilities already reported by other participants (duplicate reports).
• Reports of publicly available 0-day or 1-day vulnerabilities.
• Reports of brute-force vulnerabilities without providing an attack method that is significantly more efficient than a straightforward brute-force approach.

Report requirements

A vulnerability report must contain the following:
• Vulnerability name.
• Product name and version of the vulnerable software (or component).
• Proof of concept (PoC) or detailed description of how to reproduce the security issue.
• Description of the attack scenario: who can exploit the vulnerability, for what purpose, in what circumstances, and so on.
• Recommendations for remediation.
 
You can attach videos and screenshots to your report, but they cannot replace the report (it must be filled out).
If you identify multiple security issues in Positive Technologies services, prepare a separate report for each vulnerability.
Vulnerability reporting is subject to the platform rules.
Launched December 29, 2023
Edited November 18, 08:43
Program format: Vulnerabilities

Reward for vulnerabilities by severity level

• Critical: ₽500K–1M
• High: ₽200K–500K
• Medium: ₽0–0
• Low: ₽0–0
• None: ₽0–0

Program statistics

• Paid in total: ₽50,000
• Average payment: ₽50,000
• Paid in the last 90 days: ₽50,000
• Valid reports: 2
• Submitted reports: 2