PT Dephaze Bug Bounty Program
Company: Positive Technologies
Program Description
The PT Dephaze Bug Bounty Program is aimed at identifying and confirming vulnerabilities in the PT Dephaze product — an automated solution for continuous security testing of your infrastructure.
PT Dephaze is an automated penetration testing tool that shows how far an attacker could advance in your infrastructure.
Regular penetration testing is one of the objective ways to verify infrastructure security. Long gaps between tests let security weaknesses accumulate. PT Dephaze makes infrastructure security checks continuous and safe, so you can fix problems before attackers exploit them.
Limitations
At the time of program launch, access to the product's test environments is provided on a limited basis.
Expanded access will be provided later, as infrastructure and support procedures become ready.
Vulnerability Types Accepted
We accept vulnerability reports in the following categories, among others:
1. Web Interface and Management API
- Authentication or authorization bypass in the simulation and agent management console.
- XSS (cross-site scripting) in attack scenario creation or report viewing sections, allowing theft of administrator sessions.
- Insecure deserialization in APIs used for job scheduling or for receiving results from agents, leading to remote code execution (RCE).
- SSRF (Server-Side Request Forgery) in functions that perform simulation target checks, allowing attacks on internal systems.
2. Attack Simulation Engine
- Bypassing "safe mode" script execution, resulting in actual disruption of target systems (for example, causing DoS on a critical server).
- Substitution or corruption of simulation results (reports) through vulnerabilities in the data collection and aggregation mechanism.
- Unauthorized execution of arbitrary code or commands on the target system that are not part of the library of permitted scenarios.
3. BAS Agents
- Removing, stopping, or bypassing BAS agent self-protection without appropriate privileges on the target system.
- Agent compromise to gain control of the system on which it is running.
- Spoofing of telemetry sent by the agent to the central server to conceal actual activity or mask an attack.
4. Attack Library and Scripts
- Forcing the attack library to update from an untrusted external source (for example, through a vulnerability in the update mechanism).
- Injection of a malicious script into the shared library that will be executed by other users of the system.
Note: Reports that do not demonstrate real risk (for example, theoretical vulnerabilities or findings without confirmed exploitation) may be rejected or rated as "informational" without monetary reward.
Reward Structure
| Severity Level | Reward Amount |
|---|---|
| Critical | ₽300,000 – 500,000 |
| High | ₽150,000 – 300,000 |
| Medium | ₽50,000 – 150,000 |
| Low | ₽0 – 50,000 |
Rewards are paid only for attack scenarios that can be reproduced on installations of officially supported product versions with all available updates applied. Reports about defects in unsupported versions are also accepted, but a reward for such vulnerabilities is not guaranteed.
The severity level of a vulnerability is determined during triage and confirmation of the report, taking into account the impact on product security.
The final decision on the severity level of a vulnerability is made by the product security team.
Participant Requirements
All interested researchers aged 18 and above may participate in the program.
Researchers aged 14 to 18 have the right to participate in the program only with written consent from parents or legal guardians.
Current employees of Positive Technologies, and former employees who left the company less than 3 years ago, may participate in the program but cannot claim rewards.
Researchers must:
- Comply with the rules established by Positive Technologies in its vulnerability disclosure program and the rules of The Standoff 365 Bug Bounty platform.
- Comply with confidentiality rules. It is forbidden to access, modify, or destroy another user's data without their consent, or to disclose any confidential information obtained accidentally while searching for vulnerabilities or demonstrating them. Intentional access to such information is prohibited and may be recognized as illegal.
- Maintain communication with the security team, submit reports of identified vulnerabilities formatted according to requirements, and provide feedback if specialists have questions about the report.
- Not disclose information about the vulnerability. The right to publish information about a discovered vulnerability remains with Positive Technologies.
- Vulnerability disclosure is permitted only once a fix is available and a CVE/BDU identifier has been publicly registered.
- A bug hunter may request disclosure of the report; in that case PT undertakes to start the process of coordinating the registration of a vulnerability identifier.
Non-Rewarded Vulnerabilities
Positive Technologies does not pay rewards for:
- Reports from security scanners and other automated tools.
- Disclosure of non-secret information (software name or version, technical parameters and system metrics, etc.).
- Information about IP addresses, DNS records, and open ports.
- Issues and vulnerabilities reported solely on the basis of the product version in use, without demonstration of exploitation.
- Vulnerabilities whose exploitation is blocked by security tools, without demonstration of bypass.
- Reports of weak SSL/TLS cipher suites without demonstration of exploitation.
- Reports about missing TLS or other best-current-practice configuration.
- Vulnerabilities whose information was previously submitted by other program participants (duplicate reports).
- 0-day or 1-day vulnerabilities whose information was obtained by the security team from open sources.
- Susceptibility to brute-force attacks, unless the report describes a method significantly more efficient than direct brute force.