PT Network Attack Discovery Bug Bounty Program
Program Description
The PT Network Attack Discovery Bug Bounty Program is aimed at identifying and confirming vulnerabilities that could lead to:
- Disruption of correct attack detection
- Compromise of network activity data
- Disruption of incident investigation
- Use of system components as an entry point into customer infrastructure
PT Network Attack Discovery is a Network Detection and Response (NDR/NTA) class system designed to detect attacks on the network perimeter and within corporate networks. The product identifies hidden threats, detects suspicious activity (including through analysis of encrypted traffic), stores and correlates attack data, and integrates with external security systems. Vulnerabilities in the product can directly impact both the level of infrastructure protection and the reliability of incident response decision-making.
Limitations
At the time of program launch, access to product test environments is provided on a limited basis.
Extended access will be provided later as infrastructure and support procedures become ready.
General Provisions
Vulnerability Types Accepted for Review
We accept reports of vulnerabilities in the following categories (the list is not exhaustive):
1. Web Interface and Management API
- XSS or CSRF in the management interface allowing modification of detection parameters, event correlation rules, or access to sensitive system data
- Authentication bypass or access control deficiencies (IDOR) in the management console leading to access to data of another subsidiary or installation, or to obtaining administrator rights
- SQL injections (SQLi) or command injections allowing execution of arbitrary database queries or commands in the context of product server components
2. Traffic Analysis and Detection
- Network traffic forgery or corruption leading to denial of service (DoS) of analysis components or remote code execution (RCE) on sensors
- Vulnerabilities in network protocol parsers (the product supports over 85 protocols) leading to memory leaks, incorrect network data analysis, or arbitrary code execution
3. Data Storage and Processing
- Path Traversal when accessing stored PCAP files or extracted objects leading to reading, deletion, or overwriting of arbitrary files on the server
- Vulnerabilities allowing an attacker to delete or modify evidence of already detected attacks, potentially leading to covering up traces of compromise and distorting incident investigation results
4. Integrations and External Systems
- SSRF in external system integration functionality (for example, when checking files in PT Sandbox or sending alerts to SIEM) allowing attacks on internal services and infrastructure components
- Unsafe deserialization of data received from PT MultiScanner or other Positive Technologies ecosystem systems that may lead to arbitrary code execution or component compromise
Note: Vulnerabilities that do not lead to real risk (for example, theoretical or without confirmation of exploitation) may be rejected or assessed as "informational" without monetary reward.
Reward Structure
| Severity Level | Reward Amount |
|---|---|
| Critical | ₽300,000 - 500,000 |
| High | ₽150,000 - 300,000 |
| Medium | ₽50,000 - 150,000 |
| Low | ₽0 - 50,000 |
A reward can only be paid for attack scenarios reproducible on installations of the officially supported product version with all available updates applied. Reports about deficiencies in unsupported versions are also accepted, but reward payment for such vulnerabilities is not guaranteed.
The vulnerability severity level is determined during triage and report confirmation, taking into account the impact on product security.
The final decision on vulnerability severity level is made by the product security team.
Participant Requirements
All interested researchers aged 18 and older may participate in the program.
Researchers aged 14 to 18 may participate in the program only with written consent from parents or legal guardians.
Current Positive Technologies employees and former employees who left less than 3 years ago may participate in the program but cannot claim rewards.
Researchers must:
- Comply with the rules established by Positive Technologies in its vulnerability disclosure program and the rules of The Standoff 365 Bug Bounty platform
- Comply with confidentiality rules. It is prohibited to access other users' data without consent, to modify or destroy it, or to disclose any confidential information accidentally obtained during vulnerability search or demonstration. Intentional access to such information is prohibited and may be deemed illegal
- Maintain communication with the security team, submit reports of identified vulnerabilities formatted according to requirements, and provide feedback if specialists have questions about the report
- Not disclose information about the vulnerability. The right to publish information about a found vulnerability remains with Positive Technologies
- Disclose a vulnerability only once a fix is available and a CVE/BDU identifier has been publicly registered
- A bug hunter may request disclosure of the report; in that case PT undertakes to launch the process for coordinating the registration of a vulnerability identifier
Vulnerabilities for Which Positive Technologies Does Not Pay Rewards
Positive Technologies does not pay rewards for:
- Reports from security scanners and other automated tools
- Disclosure of non-secret information (software name or version, technical parameters and system metrics, etc.)
- Information about IP addresses, DNS records, and open ports
- Problems and vulnerabilities inferred solely from the product version in use, without demonstration of exploitation
- Vulnerabilities whose exploitation is blocked by security measures without demonstration of bypass
- Reports about insecure SSL and TLS ciphers without demonstration of exploitation
- Reports about missing SSL/TLS or other best current practices
- Vulnerabilities whose information was previously submitted by other program participants (duplicate reports)
- 0-day or 1-day vulnerabilities about which the security team has already obtained information from open sources
- Susceptibility to brute-force attacks, unless the report describes a method significantly more efficient than direct brute force