PT NGFW Bug Bounty Program
Rewards are paid to individual entrepreneurs and self-employed persons
Program description
Positive Technologies works continuously to create products that are trusted by companies from all over the world. Our experience shows that there is no such thing as a completely secure system. That's why we launched a bug bounty program to reward researchers for reporting vulnerabilities discovered in our own services.
Scope
- All resources in the ptcloud.ru domain and its subdomains
Note. If you discover an out-of-scope vulnerability, please report it to us too. Our security team will review your report and take measures to fix the problem.
Participation requirements
- Participants must be at least 18 years old.
- Researchers aged 14–18 are allowed to participate only if they can present the written consent of a parent or a legal guardian.
- Current Positive Technologies employees, as well as former employees whose employment ended less than three years ago, may take part in the program but are not eligible to receive a bounty payout.
Participant obligations:
- Follow the vulnerability disclosure rules of the Positive Technologies program and the Standoff 365 Bug Bounty platform.
- Follow the rules for handling sensitive information. Do not access data belonging to another user without that user's permission, do not modify or destroy such data, and do not disclose any sensitive data obtained inadvertently while testing for a vulnerability or demonstrating an exploit. Deliberately accessing sensitive data is prohibited and may be illegal.
- Maintain communication with the security team: submit reports on discovered vulnerabilities according to the program requirements and answer any questions the team has about a report.
- Do not publicly disclose any details of the vulnerabilities discovered. Positive Technologies retains the right to decide if and when information about a reported vulnerability will be published.
Positive Technologies obligations
Positive Technologies has the following obligations:
- Promptly address identified security issues.
- Not prohibit the disclosure of vulnerabilities without good reason.
- Not make baseless accusations against researchers.
- Credit the security researcher who reported a vulnerability if its details are published.
Prohibited actions
Program participants are not allowed to do the following:
- Tamper with user accounts without their owners' permission.
- Use detected vulnerabilities for personal purposes.
- Use vulnerability testing tools that automatically generate large volumes of traffic and thereby cause resource exhaustion.
- Conduct attacks that compromise the integrity or availability of services (for example, DoS or brute-force attacks), or attempt to exploit a resource exhaustion vulnerability. If you find such a vulnerability, report it to the Positive Technologies security team so that the attack can be simulated in a test environment.
- Perform physical attacks on the company's employees, data centers, or offices.
- Spam or carry out social engineering attacks (phishing, vishing, and so on) against Positive Technologies customers, partners, or employees.
- Analyze the underlying server infrastructure hosting the web applications.
Rewards for reported vulnerabilities
Examples of vulnerabilities we'll be happy to reward you for:
- Remote code execution (RCE)
- Injections (such as SQL and XML injections)
- Arbitrary file read or write, remote or local file inclusion (LFI/RFI)
- Flawed authentication/authorization
- Access control vulnerabilities
- Business logic vulnerabilities
- IDOR
- Sensitive information disclosure
- Non-blind server-side request forgery (SSRF)
If a vulnerability is discovered in third-party software (for example, open source libraries) used by Positive Technologies, the researcher will receive a limited reward, which the contest commission may increase at its discretion. Vulnerabilities not included in the list above may be rewarded at the discretion of the commission, depending on their severity, but payment is not guaranteed.
No reward will be given for:
- Reports generated by security scanners and other automated tools.
- Disclosure of non-sensitive information (such as software name and version or technical characteristics and metrics of the system).
- Information about IP addresses, DNS records, and open ports.
- Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
- Reports of vulnerabilities whose exploitation is prevented by information security tools without demonstrating how to bypass the security tools.
- Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
- Reports indicating the lack of SSL or other current best practices.
- Reports of vulnerabilities already reported by other participants (duplicate reports).
- 0-day or 1-day vulnerabilities identified by our security team based on information from open sources.
- Reports of brute-force vulnerabilities that do not provide an attack method significantly more efficient than a straightforward brute-force approach.
Report requirements
A vulnerability report must contain the following:
- Vulnerability name.
- Product name and version of the vulnerable software (or component).
- Proof of concept (PoC) or detailed description of how to reproduce the security issue.
- Description of the attack scenario: who can exploit the vulnerability, for what purpose, in what circumstances, and so on.
- Recommendations for remediation.
You can attach videos and screenshots to your report, but they cannot replace the report (it must be filled out).
If you identify multiple security issues in Positive Technologies services, prepare a separate report for each vulnerability.
Vulnerability reporting is subject to the platform rules.