Standoff 365 is a platform for hackers. The Standoff 365 team invites you to test the platform for vulnerabilities.
Program description

Scope

• *.standoff365.com
Standoff 365 runs several projects: Cyberrange, Bug Bounty, and Talks. The program scope includes all subdomains except the following:
• meet.standoff365.com
• chat.standoff365.com
• vpn.standoff365.com
• partners.standoff365.com
• 365-vpn.standoff365.com
• publicvpn.standoff365.com
• privatevpn.standoff365.com
• cfp.standoff365.com
The maximum reward amounts are only provided for vulnerabilities related to Bug Bounty and authentication. Other vulnerabilities have smaller rewards.

Program for testing

To test for access control vulnerabilities, use the dedicated private bug bounty program. Its name, description, and scope contain flags (secret strings) in the following format: ^STF365[a-zA-Z0-9\-_@\(\)]+$. If you manage to obtain a flag or other data from that private program, the reward for your report will be increased by 10 percent.
For testing purposes, the program includes a report, comment, and other data as shown in the table below.
Data typeValue
Private program (id)80
Private program (slug)standoff-priv8t
Document added to the private program terms (uuid)e1a49787-ce62-4520-835d-c69bb1646a43
Report (id)1161
File attached to the report (uuid)93e5dd37-d7a7-4a21-9014-88ccc3ada656
Comment on the report (id)4393
File attached to the comment (uuid)f837a477-1b71-4f25-9697-26c9b97331d7
Please avoid creating extra reports for the program. If you need more data for testing, contact us at support@standoff365.com.

Rewards for reported vulnerabilities

VulnerabilityReward
Remote code execution (RCE)₽200,000–₽1,000,000
Injection (SQLi or equivalent)₽120,000–₽500,000
Local file access and manipulation (LFR, RFI, XXE)₽70,000–₽350,000
Admin interface authentication bypass₽50,000–₽250,000
Access control and report data retrieval₽50,000–₽250,000
Access control and private program data retrieval₽50,000–₽150,000
Server-side request forgery (SSRF, non-blind)₽50,000–₽100,000
 
Detection of vulnerabilities other than those listed above may be rewarded at the discretion of the commission, depending on their severity, but payment is not guaranteed.
No reward will be given for:
• Next.js SSRF.
• Reports generated by security scanners and other automated tools.
• Disclosure of non-sensitive information (such as software name or version).
• Information about IP addresses, DNS records, and open ports.
• Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
• Reports of vulnerabilities whose exploitation is prevented by information security tools without demonstrating how to bypass the security tools.
• Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
• Reports indicating the lack of SSL or other current best practices.
• Reports of vulnerabilities already reported by other participants (duplicate reports).
• Reports of 0-day vulnerabilities publicly disclosed less than 30 days before the report submission and vulnerabilities with a CVSS score higher than 8 disclosed less than 14 days before the submission.• Reports of publicly available 1-day vulnerabilities.
• Reports of issues related to mail server misconfigurations (DMARC, DKIM, and other) that do not directly affect users or application data.
• Self-XSS and other vulnerabilities that do not directly affect users or application data.
Reports indicating the lack of best practices (such as missing Secure and HttpOnly flags) will be accepted as informative.
If you identify multiple security issues in Standoff 365 services, prepare a separate report for each vulnerability.

Participation requirements

• Participants must be at least 18 years old.
• Researchers aged 14–18 are allowed to participate only if they can present the written consent of a parent or a legal guardian.
• Standoff 365 employees cannot participate in the program.

Participant obligations

• Follow the vulnerability disclosure rules of the Standoff 365 program and the Standoff 365 Bug Bounty platform.
• Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
• Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and provide feedback if they have questions about the report.
• Do not disclose information about a vulnerability before public disclosure by Standoff 365.

Standoff 365 obligations

• Promptly address identified security issues.
• To not prohibit the disclosure of vulnerabilities without good reason.
• To not make baseless accusations against researchers.

Public vulnerability disclosure

Disclosure by mutual consent: you and Standoff 365 must discuss and agree upon the disclosure timing and other details.

Prohibited actions

Program participants are not allowed to do the following:
• Tamper with user accounts without their owners' permission.
• Use detected vulnerabilities for personal purposes.
• Use vulnerability testing tools that automatically generate large amounts of traffic and cause resource exhaustion attacks.
• Conduct attacks that compromise integrity and availability of services (for example, DoS and brute-force attacks) or attempt to exploit a resource exhaustion vulnerability. If you find such a vulnerability, report it to the Standoff 365 security team so that we can simulate an attack in a test environment.
• Perform physical attacks on Standoff 365 employees, data centers, or offices.
• Spam or carry out social engineering attacks (phishing, vishing, and so on) against Standoff 365 customers, partners, or employees.
• Analyze server infrastructure where web applications are hosted.
Launched February 21, 2023
Edited November 5, 12:14
Program format
Vulnerabilities
Reward for vulnerabilities
by severity level
Critical
₽250K–1M
High
₽50K–250K
Medium
₽15K–50K
Low
₽0–15K
None
₽0–0
Top hackers
Overall ranking
Score
Program statistics
₽1,968,248
Paid in total
₽42,788
Average payment
₽260,000
Paid in the last 90 days
123
Valid reports
261
Submitted reports
Description
Vulnerabilities
Ranking
Versions
Disclosed reports