
Positive Technologies: The Standoff 365 Bug Bounty

Product
The name of the base system (platform): Positive Technologies: The Standoff Cyberpolygon
Developers: Positive Technologies
Date of the premiere of the system: 2022/05
Last Release Date: 2024/11/21
Branches: Internet services, Information security

Main article: White hackers in Russia

Standoff 365 Bug Bounty, the vulnerability search platform from Positive Technologies, was introduced in May 2022. For the first time, security researchers working on the platform can receive a reward not only for detecting individual risks, but also for demonstrating their implementation. More than 1,400 researchers were registered on the platform as of August 2022. White hackers have submitted 73 vulnerability reports, the first of which arrived just 20 minutes after the platform was launched.

2025

Launch individual programs for 15 products

Positive Technologies has launched separate vulnerability search programs on the Standoff Bug Bounty site for 15 of its products at once. The company has given thousands of independent professionals around the world the opportunity to continuously check the security of its solutions. The reward for an effective attempt to identify the most dangerous vulnerabilities under the new programs can reach half a million rubles. The company announced this on December 26, 2025.

Each of the programs contains a list of 10-15 possible vulnerabilities, ranked by degree of danger for each product. Among them are, for example, the potential acquisition of administrator rights in PT NGFW, an attempt to bypass authentication in the PT Application Inspector management interface, and the ability to remove traces of attacks in PT Network Attack Discovery. For investigating the implementation of critical risks, bug hunters can receive from 300 to 500 thousand rubles, and for investigating high-level vulnerabilities, from 150 to 300 thousand.

The company has also updated its existing bug bounty programs. A third critical risk, identity theft, has been added to the Positive dream hunting program, which was launched more than three years ago and is aimed at finding events that are unacceptable for business. Earlier, it included two such events: the theft of money from the company's accounts and the introduction of conditionally malicious code. The award for investigating these unacceptable scenarios can reach 60 million rubles. At the same time, the scope of another long-term program, Positive bug hunting, has been expanded to identify vulnerabilities in Positive Technologies web services. It includes all major domains and subdomains available to researchers. As of December 2025, the amount of payments to experts under this project exceeded 1.2 million rubles.

"As leaders in the field of effective cybersecurity, we have special requirements for the reliability of our own solutions. They should be a standard of security. Therefore, we not only create modern means of protection, but also constantly improve them. A new step in this direction is to launch separate bug bounty programs for each product and expand the capabilities of exploring the company's perimeter (for example, bug hunters can now look for potential flaws in the *.ptsecurity, *.phdays, *.maxpatrol domains). This will allow you to more effectively involve thousands of researchers in testing the entire Positive Technologies product portfolio, as well as motivate them to identify the most relevant vulnerabilities. So independent information security experts will help our teams achieve the highest level of product security," said Viktor Gordeev, head of the information security department at Positive Technologies.

Opening the program for 1C-Bitrix

1C-Bitrix has opened a public bug bounty program on Standoff Bug Bounty. Researchers will be able to test the security of the Bitrix24 portal, including its domain. Positive Technologies announced this on November 27, 2025.

1C-Bitrix is a Russian technology company, the developer of the CMS 1C-Bitrix: Site Management and of Bitrix24, an online business management service.

Previously, the partnership was carried out in private mode. Now, as part of a public program, researchers are invited to check the security of the Bitrix24 cloud portal, including a unique domain that can be registered specifically for testing.

"Ensuring the maximum level of security for our customers is a key priority of 1C-Bitrix. We use an integrated approach that includes both our own protective mechanisms and regular independent audits. Having made sure of the high efficiency of the bug bounty within the framework of a private partnership, we decided to launch a public program. This will attract even more talented researchers to security testing. Thus, we are proactively working to eliminate potential risks in order to be sure of the reliability of our solutions," said Roman Strelnikov, head of information security at 1C-Bitrix.

According to a study by Positive Technologies, IT companies are among the three most attacked industries in Russia, accounting for 9% of successful cyber attacks. Cyber spies (30%) and hacktivists (32%) are showing the greatest interest in this sector. As of November 2025, the IT sector provides a wide range of critical services: from cloud solutions to hosting, remote administration systems and enterprise applications. That is why IT companies often become a "springboard" for attacks on other organizations: attackers can inject malicious code into the software of hundreds and even thousands of clients and steal data and credentials to access infrastructure.

In such conditions, experts emphasize the need for proactive protection: it is important for businesses to pay not for the time spent on finding errors, but for the real result, that is, found and confirmed vulnerabilities. Bug bounty programs are one of the most effective ways to achieve this.

Launch of the public program of Magnit

Magnit announced the transfer of its vulnerability search program, launched on the Standoff Bug Bounty site, to public mode. After the successful closed stage, which started in February 2024, about 30 thousand security researchers are involved in testing. For the implementation of especially dangerous scenarios, the company is ready to pay ethical hackers up to 250 thousand rubles. Positive Technologies announced this on November 25, 2025. [1] More here.

Running the Program for EKF

ElectroSolutions has launched a cyber test program on the Standoff Bug Bounty platform. The project is aimed at investigating an event that is unacceptable for the organization: deleting or encrypting backups. The maximum payment for its successful implementation is 800 thousand rubles. Positive Technologies reported this on November 17, 2025.

Within the framework of the public program, security researchers have access to the key ElectroSolutions web resources, IP addresses and corporate mail for testing. Experts are invited to demonstrate the possibility of gaining privileged access to the EKF backup system.

"The purpose of cyber tests is not to find and eliminate individual vulnerabilities, but to check the resilience of the infrastructure to real cyber attacks. Experts simulate attack chains, search for weak points at the joints of various systems - approximately as a real attacker would do, but in safe, controlled conditions. Cyber testing is an objective way to measure the company's cyber resistance. If independent researchers manage to implement an unacceptable event, the company pays a reward. This approach is gaining popularity today, and the most mature companies are moving to regular testing of such tests," said Ivan Bulavin, Product Director of the Standoff 365, Technologies platform.

The program also provides incentives for interim results: from 100 thousand rubles for compromising a corporate account and gaining a foothold on a workstation, up to 300 thousand rubles for a potential disruption of the virtualization platform. The company has already accepted almost fifty reports from specialists and paid them about half a million rubles as awards. The public program will last three months or until the first successful implementation of an unacceptable event.

"The program helps us identify vulnerabilities and, by analyzing them, gain a more complete understanding of system problems. This allows you to emphasize those elements of the infrastructure and services that require careful configuration and protection. We pay special attention to critical controls and their objects, defects of which can lead to the implementation of unacceptable events. During the program, we already see the first results: the researchers handed over 50 reports, and the total amount of rewards for confirmed finds amounted to about half a million rubles. Let's emphasize separately the work with bug hunters that are looking for new vulnerabilities and indicate aspects that require special attention from our team," comments Aleksandr Zloy, Head of the Information and Commercial Security Service of ElectroSolutions.

According to Positive Technologies, in Russia over the past year, industry has become the main target of cybercriminals: 17% of all successful attacks on organizations were directed at this sector. At the same time, vulnerabilities in software were exploited in more than a quarter (28%) of all attacks on Russian companies. In such conditions, experts insist on the need for proactive protection, which will allow businesses to pay not for the time spent looking for an error, but for the result achieved. In addition to the classic bug bounty programs aimed at identifying and eliminating vulnerabilities, participation in cyber tests becomes important. This approach allows you to assess the risk of unacceptable damage being caused to an organization.

Running Flowwow

Flowwow, a marketplace for flowers and gifts, has launched its own vulnerability search program on the Standoff Bug Bounty site. By attracting experienced researchers from all over the world, the company strives to make its platform as safe as possible for thousands of local brands and hundreds of thousands of customers. Positive Technologies reported this on November 18, 2025. More here.

Launch of the BCS Bank program

BCS Bank launches an open program to search for vulnerabilities in key digital services. This step was a logical continuation of the closed testing stage at the Standoff Bug Bounty site, confirming the consistent approach of the business to strengthen the security of its resources. During the first three weeks of launch, the maximum level of remuneration for researchers will be 500 thousand rubles. Positive Technologies announced this on November 12, 2025. More here.

Starting the SKB Kontur program

SKB Kontur has launched a public program to search for vulnerabilities on the Standoff Bug Bounty site. More than 30,000 security researchers will be able to test the entire product line of the business. The maximum reward for the implementation of especially dangerous scenarios will be up to 1 million rubles. Positive Technologies announced this on November 5, 2025. More here.

"T-Technologies" launched a program for searching for vulnerabilities in the format of cyber tests

T-Technologies on October 9, 2025 announced the launch of a program expanding its existing vulnerability search practices.

In addition to the standard format for identifying technical bugs, the company is launching a fundamentally different direction - testing "unacceptable events." The method is based on the Standoff Bug Bounty platform. Read more here.

Launch the program for K2 Cloud

K2 Cloud (a division of K2Tech) on September 23, 2025 announced the launch of a bug bounty program aimed at increasing transparency and additional protection of the company's cloud services. The first stage will be held in a closed format: researchers verified by Standoff Bug Bounty (from Positive Technologies) will be able to participate in it. Read more here.

Results of Timeweb's participation in bug bounty programs

Timeweb summed up its participation in bug bounty programs. Since April 2023, Timeweb has paid 9.3 million rubles to white hackers for strengthening cyber defense. Bug hunters sent nearly 900 reports on potential risks. Timeweb announced this on August 27, 2025. Timeweb participates in two vulnerability search programs, including Standoff Bug Bounty from Positive Technologies. [2] More here.

The start of the third stage of the project to search for vulnerabilities in the services of the Ministry of Digital Development

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation announced the start of the third stage of the project to search for vulnerabilities on the Standoff Bug Bounty platform. The increase in the number of users and the increase in the load on digital services of the department require constant monitoring and search for vulnerabilities. Thousands of bug hunters will be able to check the security of key resources of the Ministry of Digital Development. The maximum reward for identifying a critical vulnerability will be 1 million rubles. Positive Technologies reported this on July 8, 2025.

The rapid digitalization of the public sector and the growing complexity of its systems lead to an increase in the volume of processed data, making state services a target of cyber attacks. Under these conditions, in order to effectively protect critical platforms with millions of users, government agencies are launching their own vulnerability search programs. They make it possible to involve thousands of information security experts with different approaches and skills in solving this problem.

As part of the next stage of the bug bounty of the Russian Ministry of Digital Development, researchers will have access to dozens of domains, IP addresses and mobile applications in vulnerability search programs. Among them are several electronic government systems at once: the Unified Identification and Authentication System (ESIA), the Unified Biometric System (EBS), the Unified System of Interdepartmental Electronic Interaction (SMEV) and other resources. Information security specialists will be able to receive an award of up to 1 million rubles for detecting vulnerabilities of different levels of danger.

Earlier, at the first two stages of the bug bounty programs, more than 26 thousand researchers took part in the search for bugs in Public services, SMEV, the feedback platform and other government services.

Cyber tests for Rentley Technologies

Rentley Technologies (Rentley Tech) on June 23, 2025 announced the successful passage of an independent examination in the field of information security for the protection of personal data. RentliTech became one of 70 participants selected for cyber tests from more than 1000 requests from financial, IT, e-commerce, production and service companies.

For three months, from January 20 to April 20, 2025, Rentli.Tech participated in the Cyber Test program at the Standoff365 site, which brings together more than 20,000 white hackers. The development of the white hacker industry plays a critical role in identifying vulnerabilities in companies' technologies, software, applications and IT infrastructure before they are exploited by attackers. The evaluation of the Cyber Testing project is based on a special methodology and the work of the expert council, which monitors that research is conducted without causing critical damage.

Tests of the website rently.tech were carried out in order to identify potential vulnerabilities in the protection of personal data of company customers. The website rently.tech has successfully withstood test cyber attacks. There were no cybersecurity risks or scenarios for the implementation of unacceptable events, which is confirmed by the certificate received on June 20, 2025. Rentli.Tech was among the 35% of companies that passed the test successfully.

"Protecting personal data and IT infrastructure is the primary business objective. The successful completion of the test indicates a high level of protection of our customers' personal data from cyber threats. For Rentli, the issue of information security is a priority, and we will continue to test the digital products we are developing for potential vulnerabilities. This is important to ensure sustainable growth and competitiveness in an increasingly complex and dynamic digital environment," said founder and CEO of Rentli.Tech Arthur Zantmans.

Timeweb Sums Up The Standoff 365 Bug Bounty

Timeweb on June 5, 2025 announced the results of participation in the bug bounty program from Positive Technologies. Over the past six months, Timeweb has paid white hackers more than 1.3 million rubles to strengthen its cyber defense. [3] More here.

25,000 cybersecurity researchers from 60 countries in 3 years

On May 26, 2025, the Standoff Bug Bounty platform summed up its work over three years. Since its launch, the site has attracted almost 25,000 cybersecurity researchers from 60 countries around the world. The total amount of remuneration during this time amounted to 242 million rubles. More than 100 vulnerability search programs have been published on the platform, each of which helps to increase the level of security of business and the state.

The geography covers the CIS states, Asia and the Middle East, as well as Europe, Africa and Latin America. Over the past year and a half, the number of white hackers on the platform has more than tripled, and the total number of reports submitted (10.9 thousand) has more than tripled.

Other indicators are growing rapidly: since November 2023, the number of unique reports received by customers has more than tripled (4,772), as well as the number of critical vulnerabilities found (520).

The maximum amount of remuneration on the platform is almost 4 million rubles. This is the largest award among domestic bug bounty venues. The figure is up 39% from 2023. The average payment for an accepted vulnerability reached 58 thousand rubles.

Standoff Bug Bounty has launched over 100 vulnerability search programs, including those aimed at investigating scenarios for the implementation of unacceptable events. Clients of the platform represent a variety of sectors: from small and medium-sized businesses to the largest Russian marketplaces, media holdings, state institutions and regional governments. In 2023, IT companies received the most reports, and in 2024, retail.

"The Standoff Bug Bounty platform turns three in 2025. During this time, together with program owners and researchers, we managed not only to develop the service, but also to form a new market that previously did not exist in Russia. What was recently perceived with alertness is becoming the standard for a mature approach to cybersecurity. We see how companies are transforming, opening up to the community, building work with vulnerabilities, becoming a guide for others," said Anatoly Ivanov, head of Standoff Bug Bounty.

Rambler & Co Cyber Resistance Measurement

Rambler & Co has implemented a three-month effective cybersecurity project and is now measuring its cyber resilience with an independent assessment by white hackers in a cyber test format on the Standoff 365 platform. The media holding made the development of cybersecurity an integral part of its business strategy, the project partner was Positive Technologies, which announced this on May 15, 2025. Read more here.

Launching a program that spans nine products

Positive Technologies on March 6, 2025 announced the launch of a bug bounty program that covers nine products. It started in the format of cyber tests and is designed to assess whether attackers can use potential flaws in solutions to further harm users. The program is public and open to all security researchers. For discovered shortcomings in protection, bug hunters can receive up to 2 million rubles.

In 2024, more than half of Russian organizations were victims of cyber attacks, with one in four companies attacked in the last six months. Most of the victims faced serious consequences: downtime (48%), data breaches (34%), reputational damage (26%) and financial losses (24%).

This bug bounty program is aimed at checking the possibility of implementing unacceptable events for users through the exploitation of potential product flaws. Researchers are invited to identify full-fledged attack scenarios that can lead to a shutdown of business processes due to a system failure, violation of security functions and massive data leakage. Each report should describe the attacker's actions taking into account the level of access, from an external attacker to a user with an account and access rights to the product management interface. Attack scenarios must comply with the strict requirements specified in the program conditions.

Researchers will have to look for and implement unacceptable events through the exploitation of possible vulnerabilities in nine company products: MaxPatrol SIEM, MaxPatrol VM, PT Network Attack Discovery, PT Sandbox, PT MultiScanner, PT Application Firewall, PT Application Inspector, PT BlackBox. The amount of remuneration will depend on the level of danger of the scenario. For the implementation of the most critical of them, bug hunters can receive up to 2 million rubles.

"Our goal is to prevent attacks that could be implemented through exploiting possible shortcomings in the company's solutions, and thereby protect the business and its customers from serious damage. The launch of the program is another step towards constant verification of the security of Positive Technologies products and, in general, to strengthen the security of the infrastructure of organizations using our solutions," said Aleksei Goncharov, Head of Product Security at Positive Technologies.

The program highlights the company's commitment to proactive protection and expands its expertise in bug bounty, where individual products have previously been investigated. Positive Technologies also continues the Positive Dream Hunting program with a reward of 60 million rubles for the implementation of unacceptable events.

2024

Over the year, the share of reports on the most dangerous vulnerabilities was twice that of global platforms

Experts summed up the work of the Standoff Bug Bounty platform for 2024. By the end of 2024, the number of researchers registered on the platform reached 18,400, having more than doubled compared to the level of 2023. Positive Technologies announced this on January 16, 2025.

In 2024, 1926 vulnerability reports were accepted on the platform, which is 43% more than in 2023. In total, bug hunters submitted 4658 reports. The total amount of remuneration paid to researchers since the launch of Standoff Bug Bounty has reached 158 million rubles. At the same time, the average payment for an accepted report increased by 13%, amounting to 58 thousand rubles.

The public sector has become the record holder for the number of reports on critical vulnerabilities - 19% of the total number of reports in this industry. In the financial sector, among all the high and critical vulnerabilities found, more than two-thirds of the dangers are caused by a violation of access control, which is associated with high complexity of systems and multi-level privilege management mechanisms.

In 2024, the proportion of high and critical vulnerability reports was 31% of the total, more than twice the average of competing platforms such as HackerOne (15%).

"The share of reports on critical vulnerabilities increased to 12%," said Anatoly Ivanov, head of Standoff Bug Bounty. "This testifies to the professionalism of platform users and the efficiency of Standoff Bug Bounty. The increase in payments, especially for highly dangerous vulnerabilities, motivates researchers to cooperate, which ultimately helps make the digital infrastructure of companies more secure. Our platform continues to serve as a bridge between business and the white hacker community, offering unique opportunities to protect IT infrastructure and develop cybersecurity globally."

Most often, researchers found vulnerabilities associated with lack of access control (42%). These include almost half of high and critical vulnerabilities. Basically, such errors were found in the programs of e-commerce companies, financial and online services. In second place were vulnerabilities associated with the introduction of malicious code (22%), followed by architectural and logical errors (9%).

Companies providing (or developing) online services paid more to white hackers than organizations in other industries: in total, they account for more than a third (37%) of rewards. In the same area, researchers received the largest average payments - more than 104 thousand rubles per report, and a tenth of the remuneration in the industry was more than 157 thousand rubles.

For every tenth report accepted, the payment amounted to 190,100 rubles or more. For half of all accepted reports, researchers received payments of more than 20 thousand rubles.

The maximum payment for one vulnerability found in 2024 was made by VK and amounted to a record 3.96 million rubles, which is 39% more than in 2023. 16 bug hunters managed to earn more than 1 million rubles this year, three of them more than 7 million.

In 2024, 84 programs of companies from various industries were available on Standoff Bug Bounty. The largest number of reports (26%) came from researchers who studied the infrastructure of organizations from the trade and e-commerce sector. The leading positions here were taken by the marketplaces Wildberries (more than 600 reports were accepted, the total amount of remuneration amounted to 5.7 million rubles) and Ozon (at least 300 reports were accepted, and payments to researchers exceeded 5.5 million rubles).

In addition, a high level of activity was observed in programs of online services, the financial sector, the media and entertainment sector, as well as government agencies.

During open cyber tests, Innostage repelled 780 thousand targeted attacks

Innostage went through cyber tests on the Standoff Bug Bounty platform. Following the results of the six-month program, the company received a certificate from Cyber Testing JSC. The number of researchers trying to hack into the infrastructure of Innostage exceeded 930 people, including 4 red teams, winners of Russian cyber battles. The reward for a successful attack was 10 million rubles. The company announced this on December 6, 2024. Read more here.

Launch of SberLogistics program

SberLogistics has launched a vulnerability search program on Standoff Bug Bounty. Positive Technologies announced this on December 5, 2024.

Its own program on the Standoff Bug Bounty platform is meant to help achieve a high level of security and reliability of services. Security researchers will be able to study a large set of SberLogistics web resources, and the reward for identifying the most dangerous vulnerabilities can reach 250 thousand rubles.

According to research by Positive Technologies, in almost every fifth attack on the transport and logistics industry, cybercriminals exploited vulnerabilities. Seven out of every ten incidents in this area entailed a disruption of the main activities of companies. In some cases, a successful attack led to unacceptable consequences for the company, up to the declaration of insolvency. According to experts, in such conditions, more and more organizations in this industry, trying to achieve a high level of cyber resistance, are launching bug bounty programs.

"We expect a large number of interesting reports from researchers at Standoff Bug Bounty. First of all, related to data leakage, violation of logistics routes, as well as affecting the availability of individual services, for example, PVZ points," said Aleksei Morozov, head of applied security at SberLogistics.

Running Timeweb

As part of the public program, information security specialists registered on the Standoff Bug Bounty platform will have the opportunity to explore the main web resources of Timeweb. Thus, one of Russia's cloud providers plans to achieve a high level of security for its services amid growth in cyber attacks on the information technology sphere. Remuneration amounts range from 5 to 500 thousand rubles. Positive Technologies reported this on November 26, 2024. More here.

Inclusion in the unified register of Russian software

Standoff Bug Bounty, the platform for organizing paid vulnerability search programs launched by Positive Technologies in May 2022, has been included in the unified register of Russian software. This will allow even more government agencies to use the platform to launch bug bounty programs and increase the security of their infrastructure against cyber attacks. Positive Technologies announced this on November 26, 2024.

The platform allows companies to conduct programs to search for vulnerabilities in products and infrastructure and automate this process. In accordance with the instructions of the Russian Ministry of Digital Development of 15.11.2024, the Standoff Bug Bounty platform is classified as a means of automating information security processes.

Inclusion in the register of Russian software confirms that the platform is reliably protected and developed exclusively in Russia. This means that the operation and modernization of the platform does not depend on foreign companies and foreign software. Thus, Standoff Bug Bounty can be used to launch programs to search for vulnerabilities in critical information infrastructure objects. According to the Decree of the President of the Russian Federation of 30.03.2022 No. 166, from the beginning of 2025, foreign software will be completely prohibited from being used at critical information infrastructure (KII) facilities.

"In some cases, within the framework of procurement, government organizations are required to confirm the place of origin of the software. Therefore, the company decided to add Standoff Bug Bounty to the unified register of Russian software. This step will expand the customer base of our platform. As a result, even more institutions will be able to attract thousands of information security specialists to search for vulnerabilities and ensure a high level of security for their infrastructure," said Yulia Voronova, director of consulting at the competence center Positive Technologies.

In 2024, PT SWARM specialists discovered almost three times more vulnerabilities in Russian software than in 2023. At the same time, 20% of the identified gaps have a critical level of danger, which can lead to the implementation of unacceptable events in organizations of all industries. In such conditions, information security experts recommend that organizations use a modern way to identify and eliminate vulnerabilities: running bug bounty programs.

Add a "red button"

A kind of "red button" has appeared on the Standoff Bug Bounty platform. This service will be especially in demand among companies that launch APT Bug Bounty programs or participate in cyber tests in order to investigate the cyber attack scenarios that are most dangerous for them. Positive Technologies announced this on November 21, 2024. Now participants can suspend the program at any time if the actions of bug hunters go beyond the established area of research. Thanks to this step, the process of checking the security of the infrastructure will become more controlled, and the format of such programs will become more attractive for companies.

Given the constant increase in the number of cyber attacks, their growing complexity, and the identification of an increasing number of software vulnerabilities, Positive Technologies experts recommend that organizations, in order to protect their infrastructure effectively, implement the principles of effective cybersecurity and check their security using bug bounty programs and cyber tests.

The most advanced, final stage of evaluating the quality and effectiveness of the protection built by a company that strives to achieve a real result and has passed all levels of information security training is programs that demonstrate the ability to implement typical events that are unacceptable for business. This approach is an alternative to classic penetration testing and red teaming, because thousands of independent researchers with different skills and tools will look for attack vectors and vulnerabilities. They check the possibility of implementing unacceptable events in accordance with the criteria formulated together with Positive Technologies specialists. The APT Bug Bounty and Cyber Test formats allow you to evaluate the company's existing security system (its sufficiency, effectiveness and need for improvement), as well as quickly and safely eliminate potential opportunities for achieving unacceptable events.

"For each organization, unacceptable events can be distinguished, the onset of which will have catastrophic consequences for it," said Alexey Novikov, Managing Director of Positive Technologies. "Their definition is a key step towards building effective cybersecurity. Our platform has long had a bug bounty format for exploring the possibilities of implementing unacceptable events. At the same time, not all our clients are confident in their readiness for such checks. That is why we offer a revolutionary approach that will allow companies to stop the attack of bug hunters at any time. This 'red button' will help eliminate an important reason for our customers' doubts and increase security guarantees for bug bounty."

As experts explain, information security researchers will participate in the implementation of programs of such formats only through a special virtual desktop, and all their actions will be recorded.

For customers and users, the "red button" will make the actions of specialists more transparent and the process more controlled, which means that the level of trust in such programs will increase. This function will expand the range of companies and organizations that launch this modern bug bounty format. In particular, the "red button" may be in demand among state organizations, industrial enterprises and those companies that have doubts about launching security assessment programs run by independent researchers. As a result, bug hunters on the platform will have more interesting tasks and opportunities to get a reward.

Launch the Afisha program

Afisha is launching a separate vulnerability search program on the Standoff Bug Bounty platform. Positive Technologies reported this on October 30, 2024.

The company will give "white" hackers the opportunity to receive rewards for vulnerabilities found on its web resources through the Standoff Bug Bounty platform.

Researchers are invited to test the sites of both the traditional media outlets "Afisha Daily" and "Eda.ru" and the ticketing service afisha.ru. Thus, the company plans to bring the security of its projects to a new level. The declared remuneration amounts vary depending on the degree of criticality of vulnerabilities and range from 5 to 500 thousand rubles.

"Previously, it was possible to search for vulnerabilities on the Afisha servers as part of the mono program of a partner - media holding Rambler & Co. Now we have decided to separate the company into a separate program - this will be more convenient for both 'white' hackers and ourselves. In addition, we have increased payments for all types of vulnerabilities, so we expect to involve even more specialists with strong expertise,"
said Konstantin Ermakov, head of the project safety department of Afisha.

The bug bounty program is becoming the standard for large technology and media companies, as it allows for continuous analysis of the security of services by independent security researchers, while maintaining high economic efficiency.

"Approaches to managing vulnerabilities in companies are evolving. More and more organizations that want to protect their services and user data are choosing bug bounty as one of the most progressive methods for finding vulnerabilities. It allows the forces of thousands of independent researchers with different experience and tools to look for errors and pay only for the result,"
noted Anatoly Ivanov, CPO of Standoff Bug Bounty.

Rambler & Co Program Extension

Rambler & Co will test its security on the Standoff Bug Bounty platform with the help of white hackers. Positive Technologies reported this on October 23, 2024.

The company is expanding its paid vulnerability search program on the Standoff 365 platform and launching it in APT Bug Bounty format. Now independent security researchers will try to implement events that are unacceptable for the company in order to check the cyber resilience of its IT systems. For their implementation, bug hunters will receive 3 million rubles.

APT Bug Bounty is a Positive Technologies approach to testing cyber threat protection, in which independent researchers, working 24/7 in an ever-changing infrastructure, assess the company's security against hacking and try to implement events that are unacceptable for it.

"APT Bug Bounty is a logical development of our strategy to protect the infrastructure of the media holding. We build an understanding of its most important areas and focus on them. The expertise of Positive Technologies and the Standoff Bug Bounty platform allow you to expand the 'partnership' with bug hunters to assess the security of the most valuable assets from targeted attacks,"
said Evgeny Rudenko, director of cybersecurity at Rambler & Co.

Rambler & Co invites white hackers to study the company's business processes and test its infrastructure for strength. The best cyber specialists will look for vectors of penetration into the infrastructure of the media holding and report on the implemented criteria for unacceptable events.

"APT Bug Bounty is an alternative to the red team and the classic pentest, which provides an objective assessment of the company's security against cyber threats. This approach allows you to assess the effectiveness of the company's security system and eliminate vulnerabilities as soon as possible,"
noted Alexey Novikov, Managing Director of Positive Technologies.

A program containing rules and conditions has been published on the Standoff Bug Bounty platform, following which security researchers will try to identify and implement attack vectors that allow access to contracts, counterparties, intellectual property objects and personal data of Rambler & Co employees and customers.

At the first stage, the program will be launched in private mode and will be available to a limited number of bug hunters.

In addition, Rambler & Co is expanding its main bug bounty program. Now researchers are invited to separately consider vulnerabilities in the company's main media assets, sports-themed domains, the Rambler portal and LiveJournal. Thus, the holding plans to bring the security of its projects to a new level. The amounts of payments for all types of vulnerabilities were also increased: "low" - up to 5,000 rubles, "medium" - from 5,000 to 35,000 rubles, "high" - from 35,000 to 150,000 rubles, "critical" - up to 500,000 rubles.

Increase in remuneration from Innostage to 10 million rubles

Innostage on September 9, 2024 announced a double increase in remuneration for participants in open cyber trials (CSR). The program is implemented on the Standoff Bug Bounty security researcher platform and is designed to test and increase business cyber resilience.

Adding Standoff Cyberbones online simulator

Positive Technologies has updated the Standoff 365 platform and added a new product: the online simulator Standoff Cyberbones is now available to anyone who wants to gain new knowledge of cyber incident investigation and develop their skills in this area. Information security specialists of various levels will be able to learn in practice the tactics of the strongest white hackers, participants in the Standoff cyber battle. At the first stage, 15 of the best incidents that occurred during the cyber battle will be available to users, according to Standoff experts.

Running the Program for MaxPatrol SIEM and MaxPatrol VM

Positive Technologies is launching a bug bounty program for MaxPatrol SIEM and MaxPatrol VM systems. The company announced this on March 22, 2024.

For the discovered shortcomings, researchers can receive up to 1 million rubles.

Over the past three years, exploitation of vulnerabilities has been used in about one in three successful attacks on organizations. At the same time, the number of software vulnerabilities discovered in the world during this period is constantly growing: in 2023, their number (28,902) exceeded the indicators of 2021 and 2022 by 42% and 14%, respectively.

"Our company is one of the representatives of the Russian cybersecurity market; we create products that allow organizations to build effective security. MaxPatrol SIEM is used by more than 600 companies from different industries. The product ensures the practical effectiveness of the system operators and analysts. MaxPatrol VM is the only solution that delivers information about trend vulnerabilities in 12 hours. The product allows you to build a vulnerability management process, meet information security requirements, and also helps make the infrastructure difficult for a hacker. In order to ensure real security, we also constantly check the security of our own products. We want to make them as safe as possible for customers, which is why we also attract third-party information security researchers by announcing a reward program for vulnerabilities found in MaxPatrol SIEM and MaxPatrol VM," said Ivan Prokhorov, Head of Product MaxPatrol SIEM Positive Technologies.

All researchers registered on the Standoff 365 platform, the number of which already exceeds 8500, will be able to take part in the program.

In December 2023, Positive Technologies launched its first product bug bounty program for the PT Cloud Application Firewall web application layer firewall, and then for two more of its products - PT Sandbox and PT Network Attack Discovery.

Cancel Program Expiration

Positive Technologies has made its first product bug bounty program indefinite. The company announced this on February 13, 2024.

Researchers can continue to look for vulnerabilities in the PT Cloud Application Firewall cloud product on the Standoff 365 Bug Bounty platform; the terms and conditions of the program have not changed. The goal is to make the product safe non-stop.

The program was launched at the end of December 2023. For a month, the researchers searched for vulnerabilities in the web application layer firewall PT Cloud Application Firewall. As a result, 20 reports were accepted, while no critical vulnerabilities were found. The identified safety deficiencies were promptly eliminated by the product team within five hours.

According to forecasts of Positive Technologies experts, in 2024 the trend towards more complex cyber attacks will continue to strengthen, and hackers will begin to use more sophisticated methods. As a result, the demand for security tools and services will increase, but at the same time the requirements for the quality of their work will increase. As of February 2024, customers are primarily interested in obtaining an honest assessment of their level of cyber resilience and building reliable protection against unacceptable risks. Vulnerable systems cannot provide companies with the necessary level of security: attackers can hack them, like any unprotected software.

"Trends in the information security market dictate to vendors the condition: it is necessary to continuously increase the security of instruments. An indefinite bug bounty program will solve this problem: companies will be able to constantly check and improve products, including cloud ones," said Anatoly Ivanov, head of bug bounty at Standoff 365. "This applies to both Positive Technologies products and solutions and offers from other vendors. How else to protect the product from the influence of hackers? Give bug hunters the opportunity to continuously search for vulnerabilities in it, and developers the opportunity to fix them. PT Cloud Application Firewall was our first step towards implementing this strategy."

When developing products for effective cybersecurity, Positive Technologies focuses, among other things, on their reliability. The company's experts analyze the security of systems and eliminate vulnerabilities using the same methods that are used in projects. Perpetual bug bounty programs will complement the usual audit tools, making security analysis a continuous process.

"The choice of PT Cloud Application Firewall, a web application firewall (WAF) class product, as the pioneer of the Positive Technologies bug bounty program is not accidental. WAF is responsible in companies for fault tolerance and business reliability, and therefore it should be as protected as possible from cyber threats, and not just at a given moment, but always," said Alexey Astakhov, head of application security products at Positive Technologies. "The bug bounty program in this sense is a very correct tool that complements the processes of secure development. We want our products to be under the scrutiny of pentesters, and are happy to pay for the results of this work."

2023

Launch Bug Bounty Product Program

Positive Technologies launched its first product bug bounty program. The company announced this on December 20, 2023.

Researchers will look for vulnerabilities in the company's cloud product, PT Cloud Application Firewall.

The program on the Standoff 365 Bug Bounty platform will run from December 20, 2023 to January 20, 2024. For the detected bugs, researchers can receive up to 500,000 rubles.

Exploitation of vulnerabilities remains the most successful method of conducting attacks on organizations. In 37% of cases, attackers launched an attack precisely by searching for vulnerabilities. Positive Technologies, as a representative of the Russian effective cybersecurity market, has repeatedly stated that a bug bounty program can radically change the situation and complicate the implementation of an attack. In this regard, we are bringing our first commercial cloud product, the web application layer firewall PT Cloud Application Firewall, to the Standoff 365 Bug Bounty platform.

"It is important for us to set the standards for protecting the cloud-native infrastructure, since we are sure that 'clouds' are not just the future, but the present," said Alexey Astakhov, head of application security at Positive Technologies. "It is logical that it is worth starting this path with yourself, with your own cloud product - PT Cloud Application Firewall, which must meet serious requirements for fault tolerance and reliability to protect applications. The bug bounty program in this case is the most effective tool for independent assessment of security. We are open to researchers: if you can find critical vulnerabilities, then we will willingly pay for them, because this will eventually make the product even more protected from cyber threats."

PT Cloud Application Firewall is distributed through a monthly subscription through technology partners - authorized service and cloud providers. Under the terms of the program, all researchers registered on the platform (as of December 2023, there are more than 8,000 of them) will be able, using the black box method, to search for vulnerabilities in resources that are on the domain ptcloud.ru.

Payments for bug bounty in Russia are comparable to remuneration on global platforms

Positive Technologies on November 23, 2023 summed up the work of the Standoff 365 Bug Bounty vulnerability search platform, launched in May 2022. For a year and a half, the number of placed programs increased from 2 to 53 and continues to grow. The amount of remuneration ranges from nine thousand to three million rubles, depending on the level of danger of vulnerability. At the same time, the maximum payments are comparable to similar rewards on world platforms.

As of November 2023, organizations from different industries have placed their programs on the platform: IT, trade, finance, government agencies. The largest number of programs come from the IT sector (38%), state institutions (17%) and educational platforms (11%).

Since the opening, 7,537 researchers have registered on the platform; the programs were presented by Rambler & Co, VK, Public services, Odnoklassniki, Tinkoff.

"One of the most significant indicators of the platform's performance is the number of valid reports received on the vulnerabilities found," said Anatoly Ivanov, Standoff 365 product manager. "As a rule, these are the reports of researchers who have been verified by the platform and the program representative. In total, the bug hunters sent 1,479 reports, of which 10% (152) were with critical vulnerabilities and 19% (287) were with high-risk vulnerabilities."

In a year and a half of Standoff 365 Bug Bounty operation, hackers have found vulnerabilities of 71 CWE (Common Weakness Enumeration) types in web applications. The weakness CWE-79, "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", took first place in popularity, appearing in 22% of reports.

HackerOne, one of the world's bug bounty platforms, also keeps CWE statistics and publishes security flaws ranked by the number of reports that contain them. Positive Technologies noted that the data from the two platforms are similar, and therefore Standoff 365 Bug Bounty is in line with global trends even in statistics on vulnerabilities in organizations' infrastructures.

The peak payout metric can vary significantly from program to program. In one, several thousand rubles can be paid for a critically dangerous vulnerability, and in another, more than three million. The amount of remuneration depends on the company itself: its income, its scale, and the information with which it works.

"According to our data, IT companies and organizations from the financial sphere paid hackers more than companies from other industries represented on the platform," said Grigory Prokhorov, an analyst at the research group of the analytics department of Positive Technologies. "They account for a total of 81% of remuneration, despite the fact that they are quantitatively represented in only 44% of programs. We note that the level of payments on foreign platforms is comparable to similar programs on Standoff 365 Bug Bounty. For example, on the HackerOne platform, rewards on them can be up to 20 thousand dollars depending on the company participating in the program."

In addition, Standoff 365 Bug Bounty hosted two Standoff Hacks in 2023, where bug hunters were given the opportunity to participate in closed programs. According to the results of the last event alone, the total amount of payments amounted to 11,470,740 rubles.

Cyber Training Availability for Enterprise Information Security Services

On August 1, 2023, the next exercises will start on the online cyber range Standoff 365, and the site itself will begin work in an updated format: from this day, non-stop cyber training will be available for teams of defenders. This was announced by Positive Technologies.

In Russia, the heads of organizations bear personal responsibility for cybersecurity. In particular, they are interested in creating effective information security teams that can squeeze the maximum capabilities out of the means of protection, are aware of the most current tactics and techniques of attackers, and can make sure of their ability to detect a cyber attack of any degree of complexity and react to it in time. A distinctive feature of the cyber range created by Positive Technologies is live hacker traffic from the company's international community of independent security researchers. This enables cyber range customers to prepare for threats and the most unpredictable scenarios, including identifying and investigating attacks that exploit zero-day vulnerabilities.

Cyber training at the Standoff 365 cyber range allows a team of information security specialists to assess the degree of infrastructure security and understand how to make life as difficult as possible for criminals. Here they can study, analyze and explore current and non-trivial hacker techniques. And companies, if necessary, can place and check fragments of their infrastructure here to test its security in a safe and controlled environment. In addition, on Standoff 365, you can get acquainted in practice with different classes of information security products, determine which of them are necessary for a specific organization, and ensure optimal configuration of security tools.

Until now, the cyber range, launched in July 2022, was only available to attackers. As of August 2023, more than six thousand independent information security specialists have already been registered on the Standoff 365 platform. Here, as they explore replicas of real company infrastructures, they hone their skills, explore new attack techniques 24/7, and test the security limits of organizations across industries. Over the year, researchers found more than 440 vulnerabilities in three industry segments presented on the cyber range and were able to implement unacceptable scenarios 165 times. Since August 1, the defense teams have also had the opportunity to improve their skills. They will be able to monitor and investigate the actions of attackers in order to further use the acquired skills in life to prevent real hacker attacks.

The cyber range is a key element in building an effective cybersecurity system. With its help, thousands of ethical hackers using various tactics, techniques and tools help businesses and the state prevent scenarios that are unacceptable to organizations by revealing interesting and unexpected attack vectors. The rapid development of information systems requires the constant attention of security specialists. The online cyber range helps companies to increase the competencies of defense teams and improve information security processes continuously, while hardly distracting specialists from their main work: a subscription to the online cyber range is valid for a year, and each specialist or team uses it at a pace comfortable for them.

The infrastructure of the updated Standoff 365 includes copies of IT systems of various levels of complexity with the ability to add the necessary basic services, facilities and equipment of APCS, development environments, information monitoring and protection tools. The cyber range includes modules that recreate elements of the industrial network of six different industries (with the ability to work out protection against passage from the corporate network to the technological one), as well as financial services.

At the request of the client, their own infrastructure can also be added to Standoff 365 to assess its security in the context of real attacks with unpredictable vectors. The cyber range is designed not only to conduct exercises and increase expertise in information security and compliance, but also to maximize the effectiveness of security tools and provide a constant stream of up-to-date information about hackers' tactics, techniques and tools.

Hosting Your Own Vulnerability Scanning Program

On March 1, 2023, Positive Technologies announced that the Standoff 365 bug bounty platform had launched its own public vulnerability search program. Thus, the platform is ready to openly confirm the security of its services and demonstrate concern for customer safety. The Standoff 365 bug bounty program will be available to all researchers, and the reward for the most dangerous vulnerabilities will be 1 million rubles.

In the fourth quarter of 2022, the number of hacker attacks on IT companies increased by 18%. The IT sector came close to the top three in the list of the most attacked industries. Attackers are interested in IT companies, since their compromise opens the way for further attacks on their customers - users of products and services.

"The launch of its own vulnerability search program is a serious step in the development of Standoff. The platform contains a lot of data that is important to us and our customers, so launching a bug bounty will strengthen protection and prepare the development team to quickly change processes, find and fix bugs early. We are ready to show by our example to everyone that bug bounty is not scary and that searching for vulnerabilities by bug hunters does not negatively affect the operation of services," said Anatoly Ivanov, head of bug bounty development at Standoff 365.

As part of the Standoff 365 bug bounty program, researchers will have access to all subdomains of the platform's website, standoff365.com, including the authorization (auth.standoff365.com), bug bounty (bugbounty.standoff365.com) and cyber range (range.standoff365.com) domains. The amount of remuneration of ethical hackers depends on the degree of danger of the vulnerabilities found and will amount to 1 million rubles for a critically dangerous level, 250 thousand rubles for a high level, and 50 thousand and 15 thousand rubles, respectively, for medium and low levels.

The next step in the development of the program will be the launch of a bug bounty aimed at the implementation of unacceptable events, and an increase in payments to bug hunters to 2 million rubles. In addition, to motivate researchers, the platform is ready for other forms of encouragement, including merch and invitations to events.

2022

Launch bug bounty program aimed at implementing unacceptable events

Positive Technologies on November 22, 2022 announced the launch of the bug bounty program, which is focused not on finding purely technical vulnerabilities in the company's external services, but on implementing a really critical event for the company - theft of money from accounts. Positive Technologies is ready to pay a reward of 10 million rubles.

"Previously, the goal of traditional bug bounty programs has always been to search for relatively small and minor vulnerabilities in company services. At the same time, they are not always critical for business and, as a rule, remain clear only to technical specialists," said Alexey Novikov, director of the security expert center Positive Technologies. "It is important for us that the most dangerous events for the company are guaranteed to be unrealizable. Therefore, we looked at the bug bounty in a new way and reoriented the attackers from discovering exclusively technical problems to finding ways to implement events that are unacceptable for our business - in particular, at this stage we are checking the possibility of stealing money from the company's accounts. This setting of the task complicates the researcher's work by an order of magnitude, since he needs to figure out how the company's business processes are built, bypass the protection systems and demonstrate the fact of money theft."

While constantly improving its security system, Positive Technologies conducted a series of cyber exercises with almost all major companies providing penetration testing services in Russia. More than 200 possible attack scenarios were analyzed. The results showed that each team operates in its own style: some, for example, are more focused on using social engineering, while others are focused on network infrastructure or web applications. The only way to guarantee an objective and comprehensive verification of the company's security is to expand and diversify the attacking expertise. Therefore, Positive Technologies has launched a bug bounty program with special conditions, open to all researchers, on the Standoff 365 platform, which brings together more than 2,800 bug hunters as of November 2022.

The Positive Technologies bug bounty program is not limited in time, that is, the company assesses its security continuously, up to the implementation of a scenario that is unacceptable for the company. Unlike the classic bug bounty, here ethical hackers are allowed to use almost any way of conducting remote attacks (including social engineering) to penetrate. The main prize of 10 million rubles will be received by the researcher who, in accordance with the rules of the program, is able to transfer money from the company's accounts in an illegitimate way and provide a report in appropriate detail.

"We believe that such an evolution of bug bounty programs is a new round in the development of the cybersecurity industry, since this is the only way for the head of the company to make sure that the protection system actually works," concluded Alexey Novikov.

RuStore Solution Placement

VK on November 15, 2022 announced the placement of RuStore in the Bug Bounty program on the Standoff 365 Bug Bounty platform, developed by Positive Technologies.

VK Receives 300 Vulnerability Reports

On October 18, 2022, VK announced that it had received 300 vulnerability reports from external experts in three months of the bug bounty program on the Standoff 365 Bug Bounty platform, developed by Positive Technologies. VK experts recognized more than half of the messages as significant; the vulnerabilities identified on their basis were eliminated.

More than 50 security researchers received a reward totaling three million rubles. The amount of payments ranged from three thousand rubles to 750 thousand rubles, depending on the criticality of the identified vulnerability.

"The company posted a vulnerability search program on Standoff 365 three months ago and is already seeing positive results from its work. During this time, external experts helped to improve and strengthen the protection of our services. VK strives to provide comfortable conditions for users, ensuring their safety and the confidentiality of their data. In addition to creating its own technology solutions, VK will continue to cooperate with large Russian IT companies so that the products are as safe as possible,"
noted Vice President, Director of Information Security of VK, Aleksei Volkov.

VK announced participation in Standoff 365 Bug Bounty in August 2022. The company has placed 12 services on the platform. Within three months, the number had risen to 19. The plans include an increase in the number of projects on the platform by more than 20%.

Placement of a vulnerability search program from Rambler & Co

On September 22, 2022, Rambler & Co announced the launch of a public vulnerability search program on The Standoff 365 Bug Bounty platform developed by Positive Technologies. Researchers are invited to test the media holding's 10 most important and well-known services, including the sites "Lenta.ru", "Gazeta.Ru" and "Championship", the portal "Rambler", "Rambler/News", "Rambler/Mail" and others. In this way the holding plans to bring the security of its projects to the next level.

Users need to be assured of continuous, uninterrupted access to content, as well as reliable safety and privacy of personal data. This is an important step in an environment where the share of attacks on Russian web resources has almost doubled (to 22% in the first quarter of 2022 compared to 13% in the previous quarter). At the same time, the media industry entered the top five attacked industries for the first time.

In this situation, the bug bounty program becomes the standard for large technological and media companies, as it allows for continuous analysis of the security of services by independent security researchers, while maintaining high economic efficiency.

Rambler & Co already has experience of running such a program behind closed doors, where a limited number of researchers are invited to participate. This time, the media holding is opening its bug bounty to everyone. The declared rewards vary with the criticality of the vulnerability and will range from 2,000 to 100,000 rubles.

"Positive Technologies has extensive experience in the cybersecurity industry, authority in the community and strong expertise, which is an additional guarantee in attracting specialists. In the domestic market, The Standoff 365 Bug Bounty platform looks like the most mature solution; therefore, from participation in the program, the company expects to involve a large number of specialists, strong expertise and, as a result, an additional increase in the level of security of projects and services," emphasized Evgeny Rudenko, director of cybersecurity at Rambler & Co.

"The company's research demonstrates the growing interest of cybercriminals in media industry organizations. High-profile attacks on the media in 2022 signal that it is time for the industry to reconsider its attitude towards cybersecurity. Responsible companies like Rambler & Co are aware of the growing risks and importance of bug bounty programs. And the platform helps them detect and eliminate critical gaps in services in time, thereby protecting users," said Yaroslav Babin, CPO of The Standoff 365.

Attracting 1,800 white hackers

On August 26, 2022, Positive Technologies shared the results of the first three months of The Standoff 365 platform, a project in which the operational business processes of real industrial, power, transport and financial companies, and of entire industries and economies, are recreated.

The Standoff 365 combines three projects: the Bug Bounty platform, a cyberpolygon and a social platform for hackers and security researchers. In three months, the platform attracted 1,800 white hackers.

The Standoff 365 Bug Bounty has been operating since May 19, and as of August 26, 2022, it is a key domestic platform for attracting external researchers to find and fix vulnerabilities in the infrastructure, products and services of companies, as well as to discover ways to implement unacceptable events. After launch, 13 bug bounty programs were hosted on the platform, and registered researchers submitted 250 reports on the vulnerabilities found. The first payments to bug hunters have already been approved.

In July, the second element of The Standoff 365 also began to operate: in addition to regular offline cybercriminals, an online cyberpolygon became available 365 days a year, which makes it possible to analyze the security of infrastructure in three key segments: corporate, financial and electricity. Participants have already discovered 203 vulnerabilities on the online cyberpolygon, the largest number (82) in the energy segment, and have also carried out 40% of all declared unacceptable events, including four of the seven unacceptable events in the banking segment.

Placement of the vulnerability search program from VK

On August 8, 2022, VK announced its participation in The Standoff 365 Bug Bounty platform, developed by Positive Technologies. The IT company has placed a bug bounty program on the platform, which, with the help of external experts, helps to find flaws in the security system and fix them before attackers discover them. VK's bug bounty includes more than 40 projects. For identified vulnerabilities, security researchers will receive rewards from the company of 6 thousand rubles to 1.8 million rubles, depending on the level of threat.

"User security and trust in VK services have always been a priority for us. We use various tools to strengthen cyber protection, and have long used bug bounty to check the quality of our services; we see this as a real, practical benefit. Over the past six months, the number of cyber attacks on Russia has grown significantly, and we are glad that domestic companies are launching their own bug bounty platforms. I am confident that the placement of our program on The Standoff 365 platform will expand the capabilities of VK in finding vulnerabilities and quickly fixing them," said Aleksei Volkov, vice president and director of information security at VK.

"To attract external cybersecurity experts to discover vulnerabilities, the company's management needs courage. But it is this step that allows you to reliably and objectively assess the security of the business and eliminate vulnerabilities in the IT infrastructure in time before the bad guys use them and cause irreparable damage to the organization. The bug bounty program is a concern for the future; this is a sign of the company's openness, its attention to the security of user data. Therefore, the very fact of having a bug bounty causes more confidence in the organization. We are pleased to welcome VK on our platform with its many years of experience in bug bounty and look forward to long-term cooperation in improving the security of services and improving the level of cybersecurity," said Yaroslav Babin, CPO of The Standoff 365.
