Positive Technologies bug bounty program
Positive Technologies works continuously to create products that are trusted by companies from all over the world. Our experience in detecting vulnerabilities shows that no systems are absolutely secure. Therefore we launched a bug bounty program to reward researchers for reporting vulnerabilities in our own services.
Bug bounty scope
Only the above domains can be analyzed. All other subdomains and any second- or third-level domains cannot be checked.
Note. If you discover a vulnerability not associated with the websites mentioned above, please also report the issue to us. Our security team will review your report and take measures to fix the problem.
Participant requirements
- Participants must be aged 18 or over.
- Researchers aged 14–18 are allowed to participate only with the written consent of a parent or a legal representative.
- Positive Technologies employees cannot participate in the program.
Participant obligations
- Observe the rules of the Positive Technologies bug bounty program and The Standoff 365 bug bounty platform.
- Observe confidentiality. Participants must not access or destroy other users' data. Confidential information obtained when searching for or demonstrating vulnerabilities must not be disclosed. Deliberately accessing such information is prohibited and may be considered illegal.
- Submit vulnerability reports to our security team. Report requirements are specified below. Participants are free to ask the security team any questions they have regarding reports.
- Promptly report vulnerabilities without disclosing information about them before public disclosure by Positive Technologies or before the non-disclosure period has expired.
Positive Technologies obligations
- Promptly address identified security issues.
- Not prohibit the disclosure of vulnerabilities without good reason.
- Not make baseless accusations towards the participants.
Vulnerability disclosure terms
- Disclosure by default: if neither party objects, the report will be made public within 60 days of its acceptance.
- Disclosure by mutual consent: Positive Technologies will discuss the timing with participants and the vulnerability will be disclosed at an agreed time.
- Disclosure to protect product users: if Positive Technologies obtains evidence that a vulnerability is currently being exploited or otherwise presents an immediate risk to customers, Positive Technologies can immediately disclose information on how to fix the issue so that users can take protective measures.
- Delayed disclosure: some vulnerabilities may take longer to fix than 60 days. In this case, a vulnerability can be kept undisclosed until Positive Technologies fixes it.
What participants cannot do
- Tamper with user accounts without their owners' permission.
- Use detected vulnerabilities for personal purposes.
- Use vulnerability testing tools that automatically generate large amounts of traffic and cause resource exhaustion.
- Carry out attacks that affect our services (for example DoS attacks, brute force, etc.).
- Attempt to exploit a resource exhaustion vulnerability, if such a vulnerability is found. Please report such issues to the security team, and they will simulate an attack in a test environment.
- Perform physical attacks on Positive Technologies employees, data centers, and offices.
- Carry out social engineering attacks (phishing, vishing, etc.) on Positive Technologies customers, partners, and employees.
- Analyze server infrastructure where web applications are hosted.
Rewards for reported vulnerabilities
| Vulnerability | Reward |
|---|---|
| Remote code execution (RCE) | ₽90,000 - ₽393,200 |
| Local files access and manipulation (LFR, RFI, XXE) | ₽43,600 - ₽224,200 |
| Injection (SQLi or equivalent) | ₽36,000 - ₽224,200 |
| Admin interface authentication bypass | ₽20,000 - ₽120,000 |
| SSRF, non-blind | ₽45,000 - ₽80,000 |
If a vulnerability is discovered in third-party software (for example CMS) used by Positive Technologies, the researcher will receive a limited reward that can be increased at the discretion of the Contest commission. Detection of vulnerabilities other than those listed above may be rewarded at the discretion of the commission, depending on their severity, but payment is not guaranteed.
No reward will be given for
- Reports generated by security scanners and other automated tools
- Discovery of non-critical information, such as software name or version
- Information about IP addresses, DNS records, and open ports
- Reporting issues and vulnerabilities based on the product version, without demonstrating exploitation
- Reports of vulnerabilities whose exploitation is prevented by security tools without demonstrating how to bypass the security tools
- Reports of insecure SSL/TLS ciphers without demonstrating exploitation
- Lack of SSL or other best current practices
- Reporting vulnerabilities already reported by other participants
- Reporting publicly available 0-day or 1-day vulnerabilities
Report requirements
A report must contain a detailed description of the discovered vulnerability and either a description of its exploitation or a proof of concept (PoC). Videos and screenshots can accompany the report but cannot replace it.
When preparing your report, be sure to include the following:
- Vulnerability name
- Product name and version of the vulnerable software (or component)
- PoC or detailed description of how to reproduce the discovered security issue
- Description of the attack scenario: who may want to exploit the vulnerability, for what purpose, how it is exploited, and other information
- Recommendations for remediation
If multiple security issues are identified, prepare separate reports for each vulnerability.
Vulnerability reporting is subject to the Platform rules.