PT Sandbox
Company: Positive Technologies
Rewards are paid to individual entrepreneurs and self-employed persons
Program description
Bug bounty program for PT Sandbox
The PT Sandbox bug bounty program focuses on finding and confirming vulnerabilities that may allow attackers to evade malware detection, run malicious code outside the isolated analysis environment, compromise the sandbox infrastructure, or reduce the overall effectiveness of defenses against targeted attacks.
PT Sandbox is an on-premises sandbox designed to analyze unknown and advanced malware, including zero-day exploits, ransomware, and targeted attacks. It combines static and behavioral analysis with correlation rules, network sensors, machine learning techniques, and OS-level monitoring. Security issues in PT Sandbox could cause malicious objects to go undetected, break the isolation of the analysis environment, and lead to compromise of the product's components and the related infrastructure.
Limitations
When the program launches, access to the product's test environments will be limited.
Broader access will be provided later, once the supporting infrastructure and operational procedures are finalized.
General information
For the purposes of this program, vulnerabilities are grouped into bypass levels that indicate how deep and severe their impact is on PT Sandbox's analysis and isolation mechanisms.
Isolation bypass
| Vulnerability name | Description | Requirements for the attack vector |
|---|---|---|
| Sandbox escape | A file submitted for behavioral analysis is able to break out of the sandbox by changing its execution context and executing code on the host OS or at the hypervisor level. To qualify as a bypass, the outcome must be arbitrary code execution on the host system or the ability to disrupt the host system's operation. | The researcher is able to submit files for analysis from outside the sandbox using any supported submission method. Manual behavioral analysis of files via the product UI is permitted. |
Bypass of document and file format detection
| Vulnerability name | Description | Requirements for the attack vector |
|---|---|---|
| Malicious document missed | Undetected execution of malicious code in the user's context, via documents from widely used office applications (MS Office, LibreOffice, PDF, and others). Environment-dependent malicious behavior that only triggers outside the PT Sandbox environment is allowed. | The file must run with a single user click, must not require additional software, and must be intended for a supported platform and OS. |
| Concealing an active element in an office document | The malicious active element successfully performs malicious actions, but PT Sandbox does not detect it during static analysis. Techniques may include OLE objects, macros, DDE, ActiveX, JavaScript, OpenAction, external data sources, and Office add-ins. | The file must be a valid document, must start via a user click, and must be intended for a supported platform and OS. |
| Hiding a common format from behavioral analysis | A valid executable or document is mistakenly treated as non-active and therefore is not submitted to the virtualized environment for behavioral analysis (for example, an EXE file or an office document). | The file must be intended for a platform and OS supported by PT Sandbox. |
Partial bypasses and interface vulnerabilities
| Vulnerability name | Description | Requirements for the attack vector |
|---|---|---|
| Malicious executable missed | Undetected execution of malicious code in the user's context via executable files (EXE, ELF). Environment-dependent malicious behavior that only triggers outside the PT Sandbox environment is allowed. | The file must start with a single user click, must not rely on any additional preconditions, and must be intended for a supported platform and OS. |
| Web interface and API: authorization bypass | Security issues in the web interface and public API, including authorization bypass, XSS triggered by content submitted for analysis, insecure deserialization, and path traversal when uploading files. | The researcher is able to submit files through the web UI, the public API, or email-based integrations, and has network access to the exposed system services. |
Note. Findings that do not present a practical security risk (for example, purely theoretical issues or reports without exploit validation) may be rejected or treated as informational and are not eligible for a bounty payout.
Rewards
Payout amounts are listed in the table below:
| Severity | Payout amount |
|---|---|
| Critical | RUB 300,000–500,000 |
| High | RUB 150,000–300,000 |
| Medium | RUB 50,000–150,000 |
| Low | RUB 0–50,000 |
Rewards are paid only for attack scenarios that can be reproduced on an officially supported product version that is fully patched with all available updates. Reports for end-of-support versions are accepted as well, but a payout for such issues is not guaranteed.
Vulnerability severity is assessed during triage and validation based on the issue's impact on product security.
The product security team makes the final severity determination.
Participation requirements
Participants must be at least 18 years old.
Researchers aged 14–18 are allowed to participate only if they can present the written consent of a parent or a legal guardian.
Current Positive Technologies employees, as well as former employees whose employment ended less than three years ago, may take part in the program but are not eligible to receive a bounty payout.
Participant obligations:
- Follow the vulnerability disclosure rules of the Positive Technologies program and the Standoff 365 Bug Bounty platform.
- Follow the rules related to the handling of sensitive information. Do not gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive data obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
- Maintain communication with the security team, send them reports on discovered vulnerabilities according to the program requirements, and provide feedback if they have questions about the report.
- Do not publicly disclose any details of the vulnerabilities discovered. Positive Technologies retains the right to decide if and when information about the reported vulnerability will be published.
- Public disclosure of a vulnerability is allowed only after a fix is released and a publicly registered CVE/BDU identifier has been assigned.
- If a researcher requests disclosure of the report, Positive Technologies will initiate the coordination process to register a vulnerability identifier.
Rewards for reported vulnerabilities
No reward will be given for:
- Reports generated by security scanners and other automated tools.
- Disclosure of non-sensitive information (such as software name and version or technical characteristics and metrics of the system).
- Information about IP addresses, DNS records, and open ports.
- Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
- Reports of vulnerabilities whose exploitation is prevented by security tools, if the researcher does not demonstrate how to bypass the security tools.
- Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
- Reports indicating the lack of SSL or other best current practices (BCPs).
- Reports of vulnerabilities already reported by other participants (duplicate reports).
- 0-day or 1-day vulnerabilities identified by our security team based on information from open sources.
- Reports of brute-force vulnerabilities without providing an attack method that is significantly more efficient than a straightforward brute-force approach.