Positive Technologies

Company: Positive Technologies
Positive Technologies invites you to find vulnerabilities in its IT systems and services.
Rewards are paid to individual entrepreneurs and self-employed persons
Program description

Positive Technologies bug bounty program

Positive Technologies works continuously to create products that are trusted by companies from all over the world. Our experience in detecting vulnerabilities shows that no systems are absolutely secure. Therefore we launched a bug bounty program to reward researchers for reporting vulnerabilities in our own services.

Bug bounty scope

  • *.ptsecurity.com;
  • *.ptsecurity.ru;
  • *.maxpatrol.com;
  • *.maxpatrol.ru;
  • *.phdays.com;
  • *.phdays.ru
Note. If you discover a vulnerability not associated with the websites mentioned above, please also report the issue to us. Our security team will review your report and take measures to fix the problem.

Participant requirements

  1. Participants must be aged 18 or over.
  2. Researchers aged 14–18 are allowed to participate only with the written consent of a parent or a legal representative.
  3. Current Positive Technologies employees and former employees who left less than three years ago may participate in the program but are not eligible for rewards.

Participant obligations

  1. Observe the rules of the Positive Technologies bug bounty program and The Standoff 365 bug bounty platform.
  2. Observe confidentiality. Participants must not access or destroy other users' data. Confidential information obtained when searching for or demonstrating vulnerabilities must not be disclosed. Deliberately accessing such information is prohibited and may be considered illegal.
  3. Submit vulnerability reports to our security team. Report requirements are specified below. Participants are free to ask the security team any questions they have regarding reports.
  4. Promptly report vulnerabilities without disclosing information about them before public disclosure by Positive Technologies or before the non-disclosure period has expired.

Positive Technologies obligations

  1. Prioritize security tasks and promptly address any discovered vulnerabilities.
  2. Respect researchers and refrain from obstructing the disclosure of report information without valid grounds.
  3. Refrain from making unfounded accusations against researchers regarding their participation in the competition.
  4. Credit the researcher who discovered the vulnerability when publishing information about it.

Prohibited Actions

Researchers are prohibited from:
  • Interacting with other users' accounts without their permission.
  • Using a discovered vulnerability for personal gain.
  • Using vulnerability testing tools that automatically generate significant traffic volumes and lead to resource exhaustion attacks.
  • Conducting attacks that compromise the integrity or availability of services (e.g., DoS attacks, brute-force attacks, etc.) or attempting to exploit vulnerabilities aimed at resource exhaustion. Instead, report the issue to the Positive Technologies security team, who will conduct the attack in a test environment.
  • Conducting physical attacks against company personnel, data centers, or offices.
  • Attacking Positive Technologies systems using social engineering techniques (phishing, vishing, etc.) or sending spam to clients, partners, or employees.
  • Investigating the server infrastructure hosting the web applications.
 

Rewards for reported vulnerabilities

VulnerabilityReward
Remote code execution (RCE)₽100,000 - ₽400,000
Local files access and manipulation (LFR, RFI, XXE)₽50,000 - ₽250,200
Injection (SQLi or equivalent)₽50,000 - ₽250,200
Admin interface authentication bypass₽25,000 - ₽125,000
SSRF, non-blind₽50,000 - ₽100,000
 
Bounties for vulnerabilities found in third-party software used by the company (e.g., CMS) are assessed at the minimum rate but may be increased at the discretion of the review committee. All other vulnerabilities not listed in the table may be compensated at the committee's discretion based on their severity level (though a reward is not guaranteed).
 

No reward will be given for

  • Reports generated by security scanners and other automated tools
  • Discovery of non-critical information, such as software name or version
  • Information about IP addresses, DNSrecords, and open ports
  • Reporting issues and vulnerabilities based on the product version, without demonstrating exploitation
  • Reports of vulnerabilities whose exploitation is prevented by security tools without demonstrating how to bypass the security tools
  • Reports of insecure SSL/TLS ciphers without demonstrating exploitation
  • Lack of SSL or other best current practices
  • Reporting vulnerabilities already reported by other participants
  • Reporting publicly available 0-day or 1-day vulnerabilities

Report requirements

A report must contain a detailed description of the discovered vulnerability and either a description of its exploitation or a proof of concept (PoC). Videos and screenshots can accompany the report but cannot replace it.
 
When preparing your report, be sure to include the following:
  • Vulnerability name
  • Product name and version of the vulnerable software (or component)
  • PoC or detailed description of how to reproduce the discovered security issue
  • Description of the attack scenario: who may want to exploit the vulnerability, for what purpose, how it is exploited, and other information
  • Recommendations for remediation
 
Videos and screenshots may be attached to a bug report but cannot replace it.
If you discover multiple security issues while investigating the company's services, prepare separate reports for each identified vulnerability.
Information regarding a discovered vulnerability must be submitted in accordance with the platform's rules..
Launched May 19, 2022
Edited July 2, 07:41
Program format
Vulnerabilities
Reward for vulnerabilities
by severity level
Critical
₽100K–400K
High
₽50K–250K
Medium
₽25K–50K
Low
₽0–10K
None
₽0–0
Top hackers
Overall ranking
The ranking is still empty