
MaxPatrol VM
Bounty Range
Up to $6,000
external program
Company: Positive Technologies
The MaxPatrol VM Bug Bounty Program is aimed at identifying and confirming vulnerabilities that may lead to disruption of vulnerability management processes, distortion of IT infrastructure data, erroneous risk prioritization, and use of the system as an entry point for attacks on customer infrastructure.
MaxPatrol VM is a next-generation vulnerability management system designed to build and maintain a complete vulnerability management cycle: from asset inventory and vulnerability detection to prioritization, remediation control, and assessment of the organization's overall security level. Vulnerabilities in the product can directly affect the correctness of security decisions, lead to the formation of "blind spots" in protection, and reduce the effectiveness of response to real threats.
At the time of program launch, access to test environments of the product is provided on a limited basis.
Extended access will be provided later, as infrastructure and support procedures become ready.
We accept reports of vulnerabilities in the following categories (the list is not exhaustive):
Authentication or authorization bypass in the management interface allowing unauthorized access to system functionality.
Bypass of access control restrictions, including access to data of another tenant or organization in a multi-tenant architecture.
XSS (Cross-Site Scripting) allowing theft of an active user session or execution of actions on behalf of a user.
SQL Injection (SQLi) or command injection in input fields used for asset management, configuration of vulnerability-processing rules, or report generation.
Insecure Direct Object References (IDOR) in API allowing one user to access data, settings, or scan results of another user or organization.
Path Traversal when working with reports or uploaded files, leading to reading, deletion, or modification of arbitrary files on the server.
Tampering with asset data, leading to incorrect assessment of node criticality, wrong vulnerability remediation priorities, or the formation of "blind spots" in protection.
Bypass of data integrity control mechanisms allowing certain assets or vulnerabilities to be hidden from the vulnerability management system.
Bypass of vulnerability detection mechanisms leading to false negative results, where actually existing vulnerabilities are not detected by the system.
SSRF (Server-Side Request Forgery) in functions performing checks or information collection, allowing attacks on internal infrastructure components or third-party services.
Disruption of the retrospective analysis mechanism (which identifies new vulnerabilities in already collected asset data without re-scanning), which may lead to outdated or incorrect information about the security state.
Privilege escalation: access control deficiencies allowing a user with low privileges to obtain system administrator rights.
Vulnerabilities in the storage or transmission of credentials used for authenticated ("white box") scanning, including the possibility of their compromise or reuse.
Note: vulnerabilities that do not lead to actual risk (for example, theoretical issues or issues without demonstrated exploitation) may be rejected or rated as "informational" without a monetary reward.
Reward amounts are described in the table below:
| Severity Level | Reward Amount |
|---|---|
| Critical | ₽300,000 – ₽500,000 |
| High | ₽150,000 – ₽300,000 |
| Medium | ₽50,000 – ₽150,000 |
| Low | ₽0 – ₽50,000 |
Reward can only be paid for attack scenarios reproducible on installations of officially supported product versions with all available updates. Reports of deficiencies in unsupported versions are also accepted, but payment for such vulnerabilities is not guaranteed.
The severity level of a vulnerability is determined during triage and confirmation of the report taking into account the impact on product security.
The final decision on the severity level of a vulnerability is made by the product security team.
All interested researchers aged 18 and above may participate in the program.
Researchers aged 14 to 18 have the right to participate in the program only with the written consent of parents or legal guardians.
Current employees of Positive Technologies, and former employees who left the company less than 3 years ago, may participate in the program but cannot claim rewards.
Participants must:
Comply with the rules established by Positive Technologies in its vulnerability disclosure program, as well as the rules of The Standoff 365 Bug Bounty platform.
Comply with information confidentiality rules. It is prohibited to access another user's data without consent, to modify or destroy it, or to disclose any confidential information accidentally obtained while searching for vulnerabilities or demonstrating them. Intentional access to such information is prohibited and may be recognized as illegal.
Maintain communication with the security team, submit reports about identified vulnerabilities formatted according to the requirements, and provide feedback if specialists have questions about the report.
Not disclose information about the vulnerability. The right to publish information about a found vulnerability remains with Positive Technologies.
Vulnerability disclosure is permissible only once a fix is available and a CVE/BDU identifier has been publicly registered.
If a bug hunter wishes to disclose a report, Positive Technologies undertakes to start the process of coordinating the registration of a vulnerability identifier.
Positive Technologies does not pay reward for:
reports from security scanners and other automated tools;
disclosure of non-secret information (software name or version, technical parameters and system metrics, etc.);
information about IP addresses, DNS records, and open ports;
problems and vulnerabilities based on the version of the product being used without demonstration of their exploitation;
vulnerabilities whose exploitation is blocked by security tools without demonstration of security tool bypass;
reports about weak SSL/TLS cipher suites without demonstration of their exploitation;
reports about the absence of TLS or other best current practices;
vulnerabilities whose information was previously provided by other competition participants (duplicate reports);
0-day or 1-day vulnerabilities whose information was obtained by the security team from open sources;
susceptibility to brute-force attacks, unless the report describes a method significantly more efficient than direct brute force.