MaxPatrol EDR
Company: Positive Technologies
Rewards are paid to individual entrepreneurs and self-employed persons
Program description
Bug bounty program for MaxPatrol EDR
The MaxPatrol EDR bug bounty program is intended to help identify and validate security vulnerabilities in MaxPatrol EDR, an endpoint detection and response tool.
MaxPatrol EDR is a comprehensive endpoint security solution.
As enterprise IT environments evolve quickly, adversarial tools and techniques evolve as well, becoming more sophisticated and better able to bypass traditional defenses.
To detect these threats early and respond effectively, organizations need endpoint context, continuous threat tracking, and strong correlation, connecting individual events into a coherent view and building attack chains. MaxPatrol EDR helps quickly detect advanced threats and targeted attacks, respond to incidents with confidence, and automate routine tasks in line with an organization's cybersecurity requirements and operational processes.
Limitations
When the program launches, access to the product's test environments will be limited.
Broader access will be provided later, once the supporting infrastructure and operational procedures are finalized.
General information
Types of vulnerabilities eligible for review. We accept vulnerability reports in the following categories (including, but not limited to):
1. Centralized management console and API
- Authentication bypass or authorization bypass affecting the EDR management console.
- Cross-site scripting (XSS) in the UI used for viewing security events and investigating incidents.
- Insecure deserialization in the API used to ingest telemetry from agents.
- Attacks on the management console using spoofed or unauthorized agents (for example, DoS, or abusing an agent vulnerability to impact the server).
- Telemetry delivery tampering or integrity violations on the path from the agent server to the SIEM system.
- Server-side request forgery (SSRF) in SIEM/SOAR integration features.
2. EDR agents on endpoints
- Bypassing or disabling EDR agent self-protection by exploiting a vulnerability in its kernel driver.
- Uninstalling or stopping the agent without appropriate privileges (for example, as a standard user).
- Causing the running agent to malfunction by manipulating the operating environment (for example, system configuration, dependencies, or resource limits).
- Bypassing application control to run code that violates EDR policies.
3. Proactive protection
- Bypassing built-in anti-exploitation controls such as ASLR, DEP, Control Flow Guard, and similar mechanisms.
Note 1. Only reports relating to the Windows EDR agents and the server-side components (management console) will be reviewed.
Note 2. Findings that do not present a practical security risk (for example, purely theoretical issues or reports without exploit validation) may be rejected or treated as informational and are not eligible for a bounty payout.
Rewards
Payout amounts are listed in the table below:
| Severity | Payout amount |
|---|---|
| Critical | RUB 300,000–500,000 |
| High | RUB 150,000–300,000 |
| Medium | RUB 50,000–150,000 |
| Low | RUB 0–50,000 |
Rewards are paid only for attack scenarios that can be reproduced on an officially supported product version that is fully patched with all available updates. Reports for end-of-support versions are accepted as well, but a payout for such issues is not guaranteed.
Vulnerability severity is assessed during triage and validation based on the issue's impact on the product security.
The product security team makes the final severity determination.
Participation requirements
Participants must be at least 18 years old.
Researchers aged 14–18 are allowed to participate only if they can present the written consent of a parent or a legal guardian.
Current Positive Technologies employees, as well as former employees whose employment ended less than three years ago, may take part in the program but are not eligible to receive a bounty payout.
Participant obligations:
- Follow the vulnerability disclosure rules of the Positive Technologies program and the Standoff 365 Bug Bounty platform.
- Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
- Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and provide feedback if they have questions about the report.
- Do not publicly disclose any details of the vulnerabilities discovered. Positive Technologies retains the right to decide if and when information about the reported vulnerability will be published.
- Public disclosure of a vulnerability is allowed only after a fix is released and a publicly registered CVE/BDU identifier has been assigned.
- If a researcher requests disclosure of the report, Positive Technologies will initiate the coordination process to register a vulnerability identifier.
Rewards for reported vulnerabilities
No reward will be given for:
- Reports generated by security scanners and other automated tools.
- Disclosure of non-sensitive information (such as software name and version or technical characteristics and metrics of the system).
- Information about IP addresses, DNS records, and open ports.
- Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
- Reports of vulnerabilities whose exploitation is prevented by security tools, if the researcher does not demonstrate how to bypass the security tools.
- Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
- Reports indicating the lack of SSL or other best current practices (BCPs).
- Reports of vulnerabilities already reported by other participants (duplicate reports).
- 0-day or 1-day vulnerabilities identified by our security team based on information from open sources.
- Reports of brute-force vulnerabilities without providing an attack method that is significantly more efficient than a straightforward brute-force approach.