
PT NGFW
Bounty Range
Up to $6,000
external program
Company: Positive Technologies
The PT NGFW Bug Bounty Program is aimed at identifying and confirming vulnerabilities that may lead to compromise of network protection, bypass of security policies and traffic inspection mechanisms, unauthorized administrative access to NGFW and the management system, as well as the use of product components as an entry point for attacks on customer infrastructure.
PT NGFW is a next-generation firewall that provides deep traffic inspection, application and user activity control, integration with identity management systems (Microsoft Active Directory), and a high-performance intrusion prevention system (IPS) built into the traffic processing pipeline. Vulnerabilities in the product can lead to complete bypass of network protection, breach of segmentation, compromise of credentials, and reduction of the security level of the entire corporate network.
At the time of program launch, access to product test stands is provided on a limited basis.
Extended access will be provided later, once the infrastructure and support procedures are ready.
Reports of vulnerabilities in the following categories (among others) are accepted:
Authentication bypass in the management system web console, resulting in obtaining administrative access.
Authentication bypass in the management system CLI, allowing execution of administrative commands without proper authorization.
Authentication bypass in the NGFW CLI, resulting in complete control of the device.
Admin session theft and execution of arbitrary actions in the UI (Reflected XSS).
Persistent control over the management interface with the ability to inject backdoors (Stored XSS).
Use of NGFW and management system interfaces as an intermediate node for attacks on internal components, services, and external integrations (LDAP, SSO, etc.).
Unauthorized reading or modification of logs, configurations, and user data affecting the correctness of audit and security policies.
Remote Code Execution (RCE) via web interface or management API.
Unsafe deserialization in the configuration API, leading to execution of arbitrary code or breach of integrity of settings.
SQL injections in the logging system, allowing access to data or disruption of audit mechanisms.
Obtaining root privileges in the Linux system of NGFW or management system, leading to complete compromise of the device and network protection.
Compromise of SSL/TLS encryption keys or certificates used to decrypt SSL/TLS traffic between users and storage, allowing Man-in-the-Middle attacks and access to transmitted data.
Note: Vulnerabilities that do not lead to real risk (for example, theoretical or without proof of exploitation) may be rejected or assessed as "informational" without monetary reward.
Reward amounts are described in the table below:
| Severity Level | Reward Amount |
|---|---|
| Critical | ₽300,000–500,000 |
| High | ₽100,000–300,000 |
| Medium | ₽50,000–100,000 |
| Low | ₽0–50,000 |
Reward can only be paid for attack scenarios reproducible on installations of officially supported product versions with all available updates. Reports of vulnerabilities in unsupported versions are also accepted, but payment for such vulnerabilities is not guaranteed.
The severity level of a vulnerability is determined during triage and confirmation of the report, taking into account the impact on product security.
The final decision on the severity level of a vulnerability is made by the product security team.
All interested researchers aged 18 and over can participate in the program.
Researchers aged 14 to 18 may participate in the program only with written consent from parents or legal guardians.
Current employees of Positive Technologies and former employees who have been unemployed for less than 3 years may participate in the program but cannot claim rewards.
Comply with the rules established by Positive Technologies in its vulnerability disclosure program, as well as the rules of The Standoff 365 Bug Bounty platform.
Comply with confidentiality rules. It is prohibited to access another user's data without their consent, to modify or destroy it, or to disclose any confidential information accidentally obtained during vulnerability search or demonstration. Intentional access to such information is prohibited and may be recognized as illegal.
Maintain communication with the security team, submit reports of identified vulnerabilities formatted according to requirements, and provide feedback if specialists have questions about the report.
Do not disclose information about the vulnerability. The right to publish information about a found vulnerability remains with Positive Technologies.
Vulnerability disclosure is only permitted with the availability of a fix and a publicly registered CVE/BDU identifier.
If a bug hunter wishes to disclose the report, PT commits to starting the process of coordinating the registration of a vulnerability identifier.
Positive Technologies does not pay rewards for:
Reports from security scanners and other automated tools.
Disclosure of non-secret information (software names or versions, technical parameters and system metrics, etc.).
Information about IP addresses, DNS records, and open ports.
Issues and vulnerabilities inferred only from the version of the product in use, without demonstrated exploitation.
Vulnerabilities whose exploitation is blocked by security tools, without demonstrating a security tool bypass.
Reports of insecure SSL and TLS ciphers without demonstrating their exploitation.
Reports on the absence of SSL and other best current practices.
Vulnerabilities for which information was previously submitted by other contest participants (duplicate reports).
0-day or 1-day vulnerabilities for which information was obtained by the security team from public sources.
Susceptibility to brute-force attacks, unless the report describes a method that is significantly more efficient than direct brute force.