
PT Application Firewall
Bounty Range
Up to $6,000
external program


Company: Positive Technologies
The PT Application Firewall Bug Bounty Program is aimed at identifying and confirming vulnerabilities that may lead to bypassing web protection mechanisms, reducing the effectiveness of attack filtering, compromising the security policy management interface, or using the WAF as a point to bypass or enhance attacks on protected applications.
PT Application Firewall is a web application protection tool designed to prevent the exploitation of vulnerabilities without making changes to the application itself. The product analyzes incoming and outgoing HTTP/HTTPS traffic, applies security policies and behavioral analysis mechanisms. Vulnerabilities in the WAF can lead both to direct bypassing of protective rules and to distortion of protection logic, creating a false sense of security.
At the time of program launch, access to the product's test benches is provided on a limited basis. Expanded access will be granted later, once the infrastructure and support procedures are ready.
We accept reports on vulnerabilities in the following categories (the list is not exhaustive):
- Authentication or authorization bypass in the management interface, allowing unauthorized access to security policy settings.
- XSS in the rule configuration or log viewing sections, allowing theft of an administrator's active session or performing actions on their behalf.
- SQL injection (SQLi) in input fields used for creating custom rules, filters, or exceptions.
- Bypassing HTTP/HTTPS traffic parsing mechanisms using non-standard encodings, request splitting, or HTTP Request Smuggling techniques.
- Bypassing filtering rules through Unicode normalization, case conversion, HTTP method manipulation, or request format changes.
- Bypassing geolocation and IP restrictions by spoofing IP headers or using CDNs, proxies, or chains of intermediate nodes.
- Bypassing rate-limiting mechanisms through distributed attacks or session identifier spoofing.
- Bypassing bot protection (CAPTCHA, JavaScript challenge) using automation and verification bypass techniques.
- Vulnerabilities in protocol parsers (HTTP, XML, JSON) leading to memory leaks, denial of service, or remote code execution (RCE).
- Bypassing file upload verification mechanisms using polymorphic techniques or non-standard data formats.
- Disruption of SSL/TLS decryption mechanisms through the use of specific ciphers, non-standard parameters, or protocol versions, which can lead to incorrect analysis of encrypted traffic.
Note: Vulnerabilities that do not lead to real risk (for example, theoretical issues or findings without confirmed exploitation) may be rejected or assessed as "informational" without monetary compensation.
Reward amounts are described in the table below:
| Severity Level | Payment Amount |
|---|---|
| Critical | ₽300,000 - ₽500,000 |
| High | ₽150,000 - ₽300,000 |
| Medium | ₽50,000 - ₽150,000 |
| Low | ₽0 - ₽50,000 |
Compensation is paid only for attack scenarios that can be reproduced on installations of the officially supported product version with all available updates. Reports of defects in unsupported versions are also accepted, but payment for such vulnerabilities is not guaranteed.
The severity level of a vulnerability is determined during triage and report confirmation, taking into account its impact on product security. The final decision on the severity level rests with the product security team.
All interested researchers aged 18 and older may participate in the program. Researchers aged 14 to 18 may participate only with written consent from their parents or legal guardians. Current employees of Positive Technologies, and former employees who left the company less than 3 years ago, may participate in the program but cannot claim compensation.
Participants are required to:
- Comply with the rules established by Positive Technologies in its vulnerability disclosure program, as well as the rules of The Standoff 365 Bug Bounty platform.
- Comply with confidentiality rules. It is prohibited to access another user's data without their consent, to modify or destroy it, or to disclose any confidential information accidentally obtained during vulnerability research or demonstration. Intentional access to such information is prohibited and may be considered illegal.
- Maintain communication with the security team, submit reports about identified vulnerabilities formatted according to the requirements, and provide feedback if specialists have questions about the report.
- Not disclose information about vulnerabilities. The right to publish information about a found vulnerability remains with Positive Technologies. Disclosure is permitted only once a fix exists and a CVE/BDU identifier has been publicly registered. A bug hunter may request disclosure of a report; in that case PT undertakes to start the process of coordinating the registration of a vulnerability identifier.
Positive Technologies does not pay compensation for:
- Reports from security scanners and other automated tools.
- Disclosure of non-secret information (software name or version, technical parameters and system metrics, etc.).
- Information about IP addresses, DNS records, and open ports.
- Issues and vulnerabilities inferred solely from the version of the product in use, without demonstrating their exploitation.
- Vulnerabilities whose exploitation is blocked by security measures, without demonstrating a bypass of those measures.
- Reports of insecure SSL and TLS ciphers without demonstrating their exploitation.
- Reports on the absence of SSL and other best current practices.
- Vulnerabilities previously reported by other program participants (duplicate reports).
- 0-day or 1-day vulnerabilities that the security team has already learned of from open sources.
- Susceptibility to brute-force attacks, if the report does not describe a method substantially more effective than direct brute force.