MaxPatrol SIEM Bug Bounty Program
Company: Positive Technologies
Program Description
The MaxPatrol SIEM Bug Bounty Program is aimed at identifying and confirming vulnerabilities that could disrupt the collection, storage or analysis of event data from an organization's IT infrastructure, or that could allow the system itself to be used as an entry point for attacks on customer infrastructure.
MaxPatrol SIEM is a system designed for collecting, storing and analyzing data about events occurring in an organization's IT infrastructure. This makes it possible to provide information security monitoring of the entire infrastructure as well as individual divisions, nodes and applications.
Limitations
At the time of the program launch, access to product test environments is provided on a limited basis.
Expanded access will be provided later, as the infrastructure and support procedures become ready.
Vulnerability Types
We accept reports of vulnerabilities in the following categories (the list is not exhaustive):
1. Web Interface and Management API
- Cross-site Scripting (XSS) that allows stealing an administrator's session or performing actions on behalf of an administrator.
- Cross-Site Request Forgery (CSRF) that allows changing system configuration.
- Insecure Direct Object Reference (IDOR) that allows one user to access or delete data of another tenant or asset.
- SQL injections in API or interface parameters used to manage assets or data collection tasks.
2. Authentication and Authorization
- Authentication or authorization bypass at any stage of system login (for example, through password reset) that allows unauthorized access to system functionality.
- Access control defects that allow a user with low privileges to escalate them to the level of system administrator.
- Vulnerabilities in single sign-on mechanisms.
3. Data Processing and Correlation
- Server-Side Request Forgery (SSRF) in event enrichment functionality (for example, when checking IP addresses in external services) leading to attacks on internal systems.
- Deserialization vulnerabilities in event processing and correlation mechanisms leading to arbitrary code execution.
- Path Traversal when working with log files or configurations collected from assets.
4. Integrations and Third-Party Services
- Insecure storage of credentials used to connect to external systems.
- Remote Code Execution (RCE) through file analysis in integrated components (for example, when checking files in a sandbox).
5. Architecture and Deployment
- Vulnerabilities in Docker containers leading to container escape and compromise of the host system.
- Arbitrary file reading on the SIEM side through vulnerabilities in components (for example, in LogSpace/Elasticsearch databases).
Note: Vulnerabilities that do not lead to a real risk (for example, theoretical issues or reports without proof of exploitation) may be rejected or rated as "informational" without monetary compensation.
Eligibility
Researchers aged 18 and above may participate in the program.
Researchers aged 14 to 18 are eligible to participate in the program only with the written consent of a parent or legal guardian.
Current employees of Positive Technologies, and former employees who left the company less than 3 years ago, may participate in the program but cannot claim a reward.
Researcher Requirements
Researchers must:
- Comply with the rules established by Positive Technologies in its vulnerability disclosure program as well as the rules of The Standoff 365 Bug Bounty platform.
- Comply with confidentiality rules. It is prohibited to access another user's data without consent, to modify or destroy it, or to disclose any confidential information accidentally obtained during vulnerability research or demonstration. Intentional access to such information is prohibited and may be deemed illegal.
- Maintain communication with the security team, send them reports of identified vulnerabilities in accordance with requirements, and provide feedback if specialists have questions about the report.
- Not disclose information about the vulnerability. The right to publish information about a found vulnerability remains with Positive Technologies.
- Disclose a vulnerability only once a fix is available and a CVE/BDU identifier has been publicly registered.
- A bug hunter may request disclosure of the report; in that case Positive Technologies undertakes to initiate the process of registering a vulnerability identifier.
Rewards
Reward amounts are described in the table below:
| Severity Level | Reward Amount |
|---|---|
| Critical | ₽300,000 - ₽500,000 |
| High | ₽150,000 - ₽300,000 |
| Medium | ₽50,000 - ₽150,000 |
| Low | ₽0 - ₽50,000 |
Compensation is paid only for attack scenarios that are reproducible on an installation of the officially supported version of the product with all available updates installed. Reports of deficiencies in discontinued versions are also accepted, but compensation for such vulnerabilities is not guaranteed.
The severity level of a vulnerability is determined during triage and confirmation of the report, taking into account the impact on the security of the product.
The final decision on the severity level of a vulnerability is made by the product security team.
Non-Rewarded Reports
Positive Technologies does not pay compensation for:
- Reports from security scanners and other automated tools.
- Disclosure of non-sensitive information (software name or version, technical parameters and system metrics, etc.).
- Information about IP addresses, DNS records and open ports.
- Vulnerabilities inferred solely from the version of the product in use, without a demonstration of their exploitation.
- Vulnerabilities whose exploitation is blocked by security tools, without a demonstration of a bypass of those tools.
- Reports of insecure SSL/TLS cipher suites without a demonstration of their exploitation.
- Reports of missing SSL/TLS or other best-current-practice configurations.
- Vulnerabilities already reported by other program participants (duplicate reports).
- 0-day or 1-day vulnerabilities that the security team has already learned of from open sources.
- Brute-force vulnerabilities, unless the report describes a method substantially more efficient than direct enumeration.