Bug bounty program for PT Industrial Security Incident Manager (ISIM)
Rewards are paid to individual entrepreneurs and self-employed persons
Program description

PT Industrial Security Incident Manager (ISIM) serves as a centralized hub for monitoring the security of industrial IT/OT environments.
PT ISIM delivers end-to-end security monitoring for industrial IT/OT infrastructure, helping organizations detect modern threats and targeted cyberattacks.
The solution helps organizations address key requirements set by FSTEC of Russia for securing critical information infrastructure (CII) and covers the measures defined in FSTEC Order No. 239, including computer attack prevention and computer incident response.

Limitations

When the program launches, access to the product's test environments will be limited.
Broader access will be provided later, once the supporting infrastructure and operational procedures are finalized.

General information

Types of vulnerabilities eligible for review: we accept vulnerability reports in the following categories (including, but not limited to):

1. Central console (Overview Center) and API

  • Bypassing authentication or authorization in the management interface to obtain administrator-level privileges or gain access to data belonging to another tenant or distributed site.
  • Cross-site scripting (XSS) in the incident viewing interface or network topology visualization pages, allowing an attacker to hijack an administrator session.
  • Insecure deserialization in the API used to aggregate data from sensors, enabling remote code execution (RCE).

2. Sensors (View Sensors) and traffic analysis

  • Techniques that bypass the sensor's deep packet inspection (DPI) of industrial protocols (such as Siemens S7, IEC 60870-5-104, Modbus TCP, or OPC UA), for example by using unusual encodings, packet fragmentation, or undocumented PLC functions.
  • Forging, altering, or corrupting telemetry data reported by the sensor to the central console, so that malicious activity in the OT network is concealed.
  • A denial-of-service (DoS) condition in the sensor triggered by crafted network traffic, causing loss of visibility and creating a monitoring blind spot.

3. Threat detection mechanisms

  • Evasion of signature-based detection rules and the PT ISTI database by using obfuscation methods that make malicious activity look like normal OT traffic.
  • Circumventing behavioral analysis and network integrity controls so that an attacker can stay unnoticed during unauthorized access to an OT network or while making changes to a PLC project.
  • Flooding the system with large volumes of false alerts in order to distract from an actual attack.

4. Control of PLCs and industrial process operations

  • Achieving unauthorized control over PLCs (modifying firmware, PLC projects, or operating modes) by exploiting weaknesses in PT ISIM's detection logic that should identify and flag these actions.
  • Concealing unauthorized modifications of industrial process parameters, such as setpoints and equipment operating modes, even though PT ISIM is intended to detect these changes.
 
Note. Findings that do not present a practical security risk (for example, purely theoretical issues or reports without exploit validation) may be rejected or treated as informational and are not eligible for a bounty payout.

Rewards

Payout amounts are listed in the table below:

Severity    Payout amount
Critical    RUB 300,000–500,000
High        RUB 150,000–300,000
Medium      RUB 50,000–150,000
Low         RUB 0–50,000
 
Rewards are paid only for attack scenarios that can be reproduced on an officially supported product version that is fully patched with all available updates. Reports for end-of-support versions are accepted as well, but a payout for such issues is not guaranteed.
Vulnerability severity is assessed during triage and validation based on the issue's impact on product security.
The product security team makes the final severity determination.

Participation requirements

Participants must be at least 18 years old.
Researchers aged 14–18 are allowed to participate only if they can present the written consent of a parent or a legal guardian.
Current Positive Technologies employees, as well as former employees whose employment ended less than three years ago, may take part in the program but are not eligible to receive a bounty payout.

Participant obligations:

  • Follow the vulnerability disclosure rules of the Positive Technologies program and the Standoff 365 Bug Bounty platform.
  • Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
  • Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and respond if the team has questions about a report.
  • Do not publicly disclose any details of the vulnerabilities discovered. Positive Technologies retains the right to decide if and when information about the reported vulnerability will be published.
  • Public disclosure of a vulnerability is allowed only after a fix is released and a publicly registered CVE/BDU identifier has been assigned.
  • If a researcher requests disclosure of the report, Positive Technologies will initiate the coordination process to register a vulnerability identifier.

Rewards for reported vulnerabilities

No reward will be given for:
  • Reports generated by security scanners and other automated tools.
  • Disclosure of non-sensitive information (such as software name and version or technical characteristics and metrics of the system).
  • Information about IP addresses, DNS records, and open ports.
  • Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
  • Reports of vulnerabilities whose exploitation is prevented by security tools, if the researcher does not demonstrate how to bypass the security tools.
  • Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
  • Reports indicating the lack of SSL or other best current practices (BCPs).
  • Reports of vulnerabilities already reported by other participants (duplicate reports).
  • 0-day or 1-day vulnerabilities identified by our security team based on information from open sources.
  • Reports of brute-force vulnerabilities without providing an attack method that is significantly more efficient than a straightforward brute-force approach.
Launched December 26, 2025
Edited April 17, 14:06