
MaxPatrol EDR
Bounty Range
Up to $6,000
external program
Company: Positive Technologies
The MaxPatrol EDR Bug Bounty Program is aimed at identifying and confirming vulnerabilities in the MaxPatrol EDR product — a comprehensive endpoint security solution.
As IT infrastructure develops rapidly, attackers' tools and methods also evolve and become increasingly sophisticated to bypass traditional protection measures.
To timely detect such threats and confidently respond to them, it is necessary to understand the context of what is happening on endpoints, dynamically track threats, correlate individual events into a unified picture, and build attack chains. MaxPatrol EDR enables rapid identification of complex threats and targeted attacks, confident incident response, and automation of routine operations taking into account the specifics of cybersecurity and processes of a particular company.
At the time of program launch, access to test environments of the product is provided on a limited basis.
Expanded access will be provided later, as infrastructure and support procedures become ready.
We accept reports of vulnerabilities in the following categories (but are not limited to them):
Authentication or authorization bypass in the EDR management console.
XSS (Cross-Site Scripting) in the security events viewing and incident investigation interface.
Unsafe deserialization in the API used for collecting telemetry from agents.
Attack on the management console through fake or unauthorized agents (e.g., DoS or exploitation of agent vulnerabilities to impact the server).
Spoofing or tampering with telemetry in transit between agents, the server, and a SIEM system.
SSRF (Server-Side Request Forgery) in functions integrating with SIEM/SOAR systems.
Bypass or disabling of EDR agent protection through vulnerabilities in the kernel driver.
Removal or stopping of the agent without appropriate privileges (e.g., from a standard user account).
Disruption of running agent functionality through environment manipulation (e.g., by changing system settings, dependencies, or resources).
Bypass of application control and execution of prohibited code in violation of EDR policies.
Note 1: Reports related to Windows EDR agents and server-side (management console) are accepted for review.
Note 2: Vulnerabilities that do not lead to real risk (e.g., theoretical or without proof of exploitation) may be rejected or rated as "informational" without monetary reward.
Reward amounts are described in the table below:
| Severity Level | Reward Amount |
|---|---|
| Critical | ₽300,000 - ₽500,000 |
| High | ₽150,000 - ₽300,000 |
| Medium | ₽50,000 - ₽150,000 |
| Low | ₽0 - ₽50,000 |
Rewards can only be paid for attack scenarios that can be reproduced on installations of officially supported product versions with all available updates. Reports of deficiencies in unsupported versions are also accepted, but reward payment for such vulnerabilities is not guaranteed.
The severity level of a vulnerability is determined during triage and confirmation of the report, taking into account the impact on product security.
The final decision on the severity level of a vulnerability is made by the product security team.
All interested researchers aged 18 and older may participate in the program.
Researchers aged 14 to 18 may participate in the program only with written consent from parents or legal representatives.
Current employees of Positive Technologies, and former employees who left the company less than 3 years ago, may participate in the program but are not eligible for rewards.
Comply with the rules established by Positive Technologies in its vulnerability disclosure program and the rules of The Standoff 365 Bug Bounty platform.
Comply with information confidentiality rules. It is prohibited to access another user's data without consent, modify and destroy it, or disclose any confidential information accidentally obtained during vulnerability search or demonstration. Intentional access to such information is prohibited and may be deemed illegal.
Maintain communication with the security team, submit reports of identified vulnerabilities formatted according to requirements, and provide feedback if specialists have questions about the report.
Not disclose information about the vulnerability. The right to publish information about a found vulnerability remains with Positive Technologies.
Vulnerability disclosure is permitted only once a fix is available and a CVE/BDU identifier has been publicly registered.
A bug hunter may request disclosure of the report; PT undertakes to start the process of coordinating the registration of a vulnerability identifier.
Positive Technologies does not pay rewards for:
Reports from security scanners and other automated tools;
Disclosure of non-sensitive information (software name or version, technical parameters and system metrics, etc.);
Information about IP addresses, DNS records, and open ports;
Issues and vulnerabilities inferred solely from the version of the product in use, without demonstration of their exploitation;
Vulnerabilities whose exploitation is blocked by protective tools, without demonstration of a bypass of those tools;
Reports of insecure SSL/TLS cipher suites without demonstration of their exploitation;
Reports of missing TLS or other best-current-practice hardening;
Vulnerabilities already submitted by other program participants (duplicate reports);
0-day or 1-day vulnerabilities that the security team already learned of from open sources;
Susceptibility to brute-force attacks, unless the report describes a method significantly more efficient than direct brute force.