Scope
• *.standoff365.com
Standoff 365 runs several projects: Cyberrange, Bug Bounty, and Talks. The program scope includes all subdomains except the following:
• meet.standoff365.com
• chat.standoff365.com
• vpn.standoff365.com
• partners.standoff365.com
• 365-vpn.standoff365.com
• publicvpn.standoff365.com
• privatevpn.standoff365.com
• cfp.standoff365.com
Maximum reward amounts apply only to vulnerabilities in the Bug Bounty project and in authentication. Other vulnerabilities receive smaller rewards.
Program for testing
To test for access control vulnerabilities, use the dedicated private bug bounty program. Its name, description, and scope contain flags (secret strings) in the following format: ^STF365[a-zA-Z0-9\-_@\(\)]+$. If you manage to obtain a flag or other data from that private program, the reward for your report will be increased by 10 percent.
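A checker for the flag format quoted above, added here as an example; it is not part of the program rules or of the platform's code. It uses the anchored pattern exactly as published for whole-string checks, and an unanchored variant (an assumption, since the rules state only the anchored form) to locate a flag inside a longer text such as a program description. The sample description and the candidate strings are constructed.

```python
import re

# Flag format as published in the program rules. The anchors (^ ... $) mean the
# pattern describes a whole string, not a substring.
FLAG_PATTERN = r"^STF365[a-zA-Z0-9\-_@\(\)]+$"
FLAG_RE = re.compile(FLAG_PATTERN)

# Assumption: the same character class without anchors, used to find a flag
# embedded in a program name, description or scope field.
FLAG_SEARCH_RE = re.compile(r"STF365[a-zA-Z0-9\-_@()]+")

# Constructed sample text standing in for a private program description.
SAMPLE_DESCRIPTION = (
    "Constructed sample program description. "
    "Flag: STF365-demo_flag(1)@x. "
    "Near misses: stf365lowercase and STF365 followed by a space."
)


def is_flag(candidate: str) -> bool:
    """True when the whole string, with nothing before or after it, is a flag.

    re.fullmatch is used rather than re.match: with re.match the trailing '$'
    would still accept a string ending in a newline (e.g. a flag read from a
    file with its line terminator), which is not the published format.
    """
    return FLAG_RE.fullmatch(candidate) is not None


def extract_flags(text: str) -> list[str]:
    """Return every substring of text that has the flag format, in order.

    The anchored pattern cannot be used here because a description is longer
    than the flag it contains, so the unanchored variant is applied.
    """
    return FLAG_SEARCH_RE.findall(text)


def classify(candidates: list[str]) -> dict[str, bool]:
    """Map each candidate string to whether it is a complete, well-formed flag."""
    return {c: is_flag(c) for c in candidates}


if __name__ == "__main__":
    for flag in extract_flags(SAMPLE_DESCRIPTION):
        print("found:", flag)
    for candidate, ok in classify(
        ["STF365-demo_flag(1)@x", "STF365", "stf365abc", "STF365abc ", "STF365abc\n"]
    ).items():
        print(repr(candidate), "->", ok)
```

Note that the published pattern requires at least one character after the `STF365` prefix and allows no whitespace, so a bare prefix, a lowercase prefix, or a flag copied with trailing whitespace or a line terminator will not validate; strip what you copy before checking it.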
For testing purposes, the program includes a report, comment, and other data as shown in the table below.
| Data type | Value |
|---|---|
| Private program (id) | 80 |
| Private program (slug) | standoff-priv8t |
| Document added to the private program terms (uuid) | e1a49787-ce62-4520-835d-c69bb1646a43 |
| Report (id) | 1161 |
| File attached to the report (uuid) | 93e5dd37-d7a7-4a21-9014-88ccc3ada656 |
| Comment on the report (id) | 4393 |
| File attached to the comment (uuid) | f837a477-1b71-4f25-9697-26c9b97331d7 |
Please avoid creating extra reports for the program. If you need more data for testing, contact us at support@standoff365.com.
Rewards for reported vulnerabilities
| Vulnerability | Reward |
|---|---|
| Remote code execution (RCE) | ₽200,000–₽1,000,000 |
| Injection (SQLi or equivalent) | ₽120,000–₽500,000 |
| Local file access and manipulation (LFR, RFI, XXE) | ₽70,000–₽350,000 |
| Admin interface authentication bypass | ₽50,000–₽250,000 |
| Access control and report data retrieval | ₽50,000–₽250,000 |
| Access control and private program data retrieval | ₽50,000–₽150,000 |
| Server-side request forgery (SSRF, non-blind) | ₽50,000–₽100,000 |
Detection of vulnerabilities other than those listed above may be rewarded at the discretion of the commission, depending on their severity, but payment is not guaranteed.
No reward will be given for:
• Next.js SSRF.
• Reports generated by security scanners and other automated tools.
• Disclosure of non-sensitive information (such as software name or version).
• Information about IP addresses, DNS records, and open ports.
• Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
• Reports of vulnerabilities whose exploitation is prevented by information security tools without demonstrating how to bypass the security tools.
• Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
• Reports indicating the lack of SSL or other current best practices.
• Reports of vulnerabilities already reported by other participants (duplicate reports).
• Reports of 0-day vulnerabilities publicly disclosed less than 30 days before the report submission and vulnerabilities with a CVSS score higher than 8 disclosed less than 14 days before the submission.
• Reports of publicly available 1-day vulnerabilities.
• Reports of issues related to mail server misconfigurations (DMARC, DKIM, and other) that do not directly affect users or application data.
• Self-XSS and other vulnerabilities that do not directly affect users or application data.
Reports indicating the lack of best practices (such as missing Secure and HttpOnly flags) will be accepted as informative.
If you identify multiple security issues in Standoff 365 services, prepare a separate report for each vulnerability.
Participation requirements
• Participants must be at least 18 years old.
• Researchers aged 14–18 are allowed to participate only if they can present the written consent of a parent or a legal guardian.
• Standoff 365 employees cannot participate in the program.
Participant obligations
• Follow the vulnerability disclosure rules of the Standoff 365 program and the Standoff 365 Bug Bounty platform.
• Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
• Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and provide feedback if they have questions about the report.
• Do not disclose information about a vulnerability before public disclosure by Standoff 365.
Standoff 365 obligations
• Promptly address identified security issues.
• Not prohibit the disclosure of vulnerabilities without good reason.
• Not make baseless accusations against researchers.
Public vulnerability disclosure
Disclosure by mutual consent: you and Standoff 365 must discuss and agree upon the disclosure timing and other details.
Prohibited actions
Program participants are not allowed to do the following:
• Tamper with user accounts without their owners' permission.
• Use detected vulnerabilities for personal purposes.
• Use vulnerability testing tools that automatically generate large amounts of traffic and cause resource exhaustion attacks.
• Conduct attacks that compromise the integrity or availability of services (for example, DoS and brute-force attacks) or attempt to exploit a resource exhaustion vulnerability. If you find such a vulnerability, report it to the Standoff 365 security team so that we can simulate an attack in a test environment.
• Perform physical attacks on Standoff 365 employees, data centers, or offices.
• Spam or carry out social engineering attacks (phishing, vishing, and so on) against Standoff 365 customers, partners, or employees.
• Analyze server infrastructure where web applications are hosted.