
PT ISIM
Bounty range: up to $6,000
External program
PT Industrial Security Incident Manager (ISIM) — a unified security monitoring point for industrial IT infrastructure.
PT ISIM provides comprehensive security monitoring of industrial IT infrastructure and helps detect modern cyber threats and targeted cyber attacks.
The solution allows fulfilling an important part of the requirements of Russia's FSTEC for protecting critical information infrastructure (CII) and covers the following measure groups of FSTEC Order No. 239: intrusion (computer attack) prevention (SOV) and computer incident response (INC).
At the time of program launch, access to product test stands is provided on a limited basis.
Extended access will be provided later, as infrastructure and support procedures become ready.
We accept reports of vulnerabilities in the following categories (but not limited to them):
- Authentication or authorization bypass in the management interface leading to obtaining administrator rights or access to data of another tenant/distributed site.
- XSS (cross-site scripting) in the incident viewing interface or the network topology builder allowing hijacking of an administrator session.
- Unsafe deserialization in the API used to aggregate data from sensors leading to remote code execution (RCE).
- Bypass of the analysis mechanisms (DPI) for industrial protocols (Siemens S7, IEC 60870-5-104, Modbus TCP, OPC UA, etc.) through non-standard encodings, packet fragmentation, or use of undocumented PLC functions.
- Substitution or corruption of telemetry sent from a sensor to the central console in order to hide attack traces in the SCADA network.
- Denial of Service (DoS) of a sensor through specially crafted network traffic leading to a "blind spot" in monitoring.
- Bypass of signature rules and the PT ISTI database using obfuscation techniques that mimic legitimate process traffic.
- Bypass of behavioral analysis and network integrity control allowing an attacker to remain undetected when an unauthorized connection to the SCADA network or a change to the PLC project occurs.
- Generation of multiple false incidents to mask a real attack.
- Unauthorized PLC management (changing firmware, projects, operating modes) exploiting flaws in the product logic that is supposed to detect such actions.
- Concealment of unauthorized changes to process parameters (for example, setpoints, equipment operating modes) that PT ISIM should detect.
Note: Vulnerabilities that do not lead to real risk (for example, theoretical ones or without proof of exploitation) may be rejected or rated as "informational" without monetary reward.
Reward amounts are described in the table below:
| Severity Level | Payout Amount |
|---|---|
| Critical | ₽300,000 - 500,000 |
| High | ₽150,000 - 300,000 |
| Medium | ₽50,000 - 150,000 |
| Low | ₽0 - 50,000 |
Reward can only be paid for attack scenarios reproducible on installations of officially supported product versions with all available updates. Reports of defects in unsupported versions are also accepted, but payment for such vulnerabilities is not guaranteed.
Vulnerability severity level is determined during triage and confirmation of the report taking into account the impact on product security.
The final decision on the severity level of a vulnerability is made by the product security team.
All interested researchers aged 18 and over may participate in the program.
Researchers aged 14 to 18 are only eligible to participate with written consent from their parents or legal guardian.
Current employees of Positive Technologies and former employees whose employment ended less than 3 years ago may participate in the program but cannot claim a reward.
- Comply with the rules established by Positive Technologies in its vulnerability disclosure program, as well as the rules of The Standoff 365 Bug Bounty platform.
- Comply with information confidentiality rules. It is prohibited to access the data of another user without their consent, to modify or destroy it, or to disclose any confidential information accidentally obtained during vulnerability research or demonstration. Intentional access to such information is prohibited and may be recognized as illegal.
- Maintain communication with the security team, send reports of identified vulnerabilities formatted according to the requirements, and provide feedback if specialists have questions about the report.
- Do not disclose information about the vulnerability. The right to publish information about found vulnerabilities remains with Positive Technologies.
- Vulnerability disclosure is permitted only when a fix is available and a publicly registered CVE/BDU identifier exists.
- If a bug hunter wishes to disclose a report, PT undertakes to start the process of coordinating registration of a vulnerability identifier.
Positive Technologies does not pay rewards for:
- Reports from security scanners and other automated tools;
- Disclosure of non-secret information (software name or version, technical parameters and system metrics, etc.);
- Information about IP addresses, DNS records, and open ports;
- Issues and vulnerabilities inferred solely from the product version in use, without demonstrating their exploitation;
- Vulnerabilities whose exploitation is blocked by security tools, without demonstrating a bypass of those security tools;
- Reports of insecure SSL and TLS ciphers without demonstrating their exploitation;
- Reports about the absence of SSL and of other best current practices;
- Vulnerabilities already submitted by other participants (duplicate reports);
- 0-day or 1-day vulnerabilities about which the security team obtained information from open sources;
- Susceptibility to brute-force attacks, unless the report describes a method significantly more efficient than direct brute force.