
Innostage Bug Bounty

Product
Developers: InnoSTage (Innostage)
Date of the premiere of the system: 2023/09/22
Branches: Internet services,  Information security


Main article: Bughunters. Bug bounty. Vulnerability scanning

2024

Double reward increase for participants in open cyber tests

On September 9, 2024, Innostage announced that it had doubled the reward for participants in its open cyber tests (CSR). The program runs on the Standoff Bug Bounty platform for security researchers and is designed to test and increase business cyber resilience.

Under the terms of Innostage's CSR, the unacceptable event is the transfer of up to 2000 rubles from the company's accounts to accounts controlled by independent researchers. At the start of the program, on May 26, 2024, white hackers were promised a reward of 5 million rubles for implementing the unacceptable event and reporting on the actions taken. Innostage has now raised the reward to 10 million rubles.

At the same time, intermediate rewards for researchers who managed to penetrate the infrastructure but were stopped halfway to the goal by specialists from the Innostage Cyber Threat Center, SOC CyberART, remain within the same limits. Compromising a corporate user account and gaining a foothold on a corporate workstation - 100 thousand rubles. Breaching the network perimeter and gaining a foothold on a node in the infrastructure - 200-300 thousand rubles. Gaining access to the financial accounting system and creating payment orders under an account relevant to the unacceptable event or a privileged account - up to 1 million rubles.

As of September 2024, over 600 independent information security researchers have registered as participants in open cyber tests. The decision to increase the main reward is aimed at attracting even more highly qualified security researchers, as well as speeding up the process of detecting and eliminating critical vulnerabilities.

"By increasing rewards and making the program more attractive to experienced researchers, we plan to increase the likelihood of identifying the slightest vulnerabilities that could lead to business risks. Our goal is to continuously improve our cyber security, responsibility and reliability as business partners. And we are ready to pay millions of rubles to independent experts who will help us in this," said Ruslan Suleimanov, director of digital transformation at Innostage.

Adding Conditions to the Open Cyber Test Program

IT company Innostage has supplemented its open cyber test program with new conditions. They concern rewards for intermediate actions on the way to implementing an unacceptable event (NA). The company announced this on July 10, 2024.

On May 26, 2024, when launching open cyber tests on the Standoff Bug Bounty platform for security researchers, Innostage designated the theft of 2000 rubles from the corporate financial system and its transfer to controlled accounts as the unacceptable event. For the successful implementation of the proposed scenario and a report on the actions taken, the company undertakes to pay hackers 5 million rubles.

Open cyber tests are a format for checking cyber resilience whose rules are being formed during the "pilot" launches. In the future, Innostage plans to introduce the practice of open cyber testing as widely as possible, forming a new industry standard. Over 360 hackers responded to the proposal to assess the level of digital sustainability of the business and its reliability for customers.

After a month and a half of monitoring the actions of independent information security researchers, Innostage decided to encourage their activity and is ready to reward not only the implementation of an unacceptable event but also other significant actions.

From July 10, the following remuneration conditions are introduced:

  • Compromising a corporate user account and gaining a foothold on a corporate workstation - 100 thousand rubles.
  • Breaching the network perimeter and gaining a foothold on a node in the infrastructure - 200-300 thousand rubles (depending on the type of node, account or segment where this was achieved).
  • Gaining access to the financial accounting system and creating payment orders under an account relevant to the unacceptable event or a privileged account - up to 1 million rubles.

"Initially, we set a very difficult task for white hackers. Our unacceptable event can be compared to setting an Olympic record, where, despite hundreds of failed attempts, motivation and tenacity ultimately help athletes achieve their cherished goal. Monitoring incidents shows that the invitation to participate in our open cyber tests was accepted by experienced information security researchers, and we decided to support them by introducing intermediate rewards on the way to the implementation of the unacceptable event," said Ruslan Suleimanov, director of digital transformation at Innostage.

2023: Bug bounty launch

Innostage announced on September 22, 2023 that it would check the level of protection of its own information infrastructure using a bug bounty program. The Innostage program will be aimed at implementing unacceptable events. In this way, the company plans to publicly demonstrate its level of practical expertise in IT and information security and the safety of working with it for its customers.

Innostage applies the concept of cyber resilience, which consists primarily in synchronizing IT and information security experts when creating a sustainable and business-efficient IT infrastructure. The company's goal is to show business that well-coordinated, joint work by IT and information security divisions will allow top managers not to worry about security, fault tolerance, import substitution and other routine tasks. At the same time, for IT and information security specialists, the infrastructure should provide automation of typical tasks, 360-degree monitoring, change control and other operational functions that make it possible to handle any business request.

As of September 2023, Innostage will become the second company in the Russian information security industry with its own bug bounty program based on unacceptable events: in November 2022, Positive Technologies announced a similar program.

Bug bounty programs are run by companies that adhere to modern approaches to product development and to organizing the protection of their information infrastructure. They allow an organization to check its security under real conditions and take measures that rule out the implementation of unacceptable events.

Russian bug hunters ("white hackers") will be able to take part in the program. The launch is scheduled in private mode (by invitation), followed by a transition to an open bounty program. If the attacks are successfully implemented, white hackers will receive a monetary reward from the company.

"For us, the bug bounty program is one of the real measurements of our own security. One of Innostage's main visionary tasks is to change the attitude of the industry towards such tools. Innostage begins preparing the program, and plans to conduct it as publicly as possible - because we ourselves share the idea of real cybersecurity, which requires not only the implementation of regulatory practices, but also constant self-testing. We are confident in the security of our own infrastructure and are doing everything to ensure that this confidence is always maintained," said Aydar Guzairov, CEO of Innostage.

Preparation of a description of the program and conditions for a public bug bounty began in September 2023. The program is scheduled to launch in May 2024.