Developer: Positive Technologies
System premiere date: 2022/05
Last release date: 2024/11/21
Branches: Internet services, Information security
Main article: Bughunters. Bug bounty. Vulnerability scanning
The Standoff 365 Bug Bounty platform for searching for vulnerabilities, created by Positive Technologies, was introduced in May 2022. For the first time, security researchers working on the platform are able to receive a reward not only for detecting individual risks, but also for demonstrating that those risks can actually be realized. As of August 2022, more than 1,400 researchers were registered on the platform. White hackers had submitted 73 vulnerability reports, the first of which arrived just 20 minutes after the platform was launched.
2024
During open cyber tests, Innostage repelled 780 thousand targeted attacks
Innostage went through cyber tests on the Standoff Bug Bounty platform. Based on the results of the six-month program, the company received a certificate from Cyber Testing JSC. More than 930 researchers tried to hack into the Innostage infrastructure, including four red teams that had won Russian cyber battles. The reward for a successful attack was 10 million rubles. The company announced this on December 6, 2024.
Launch of SberLogistics program
SberLogistics has launched a vulnerability search program on Standoff Bug Bounty. Positive Technologies announced this on December 5, 2024.
With its own program on the Standoff Bug Bounty platform, SberLogistics aims to achieve a high level of security and reliability for its services. Security researchers will be able to study a large set of the company's web resources, and the reward for identifying the most dangerous vulnerabilities can reach 250 thousand rubles.
According to Positive Technologies research, in almost every fifth attack on the transport and logistics industry, cybercriminals exploited vulnerabilities. Seven out of ten incidents in this sector disrupted the core operations of the affected companies. In some cases a successful attack led to consequences that were unacceptable for the company, up to a declaration of insolvency. According to experts, under these conditions more and more organizations in the industry, seeking a high level of cyber resilience, are launching bug bounty programs.
"We expect a large number of interesting reports from researchers on Standoff Bug Bounty, first of all those related to data leakage, disruption of logistics routes, and the availability of individual services, for example order pickup points (PVZ)," said Aleksei Morozov, head of applied security at SberLogistics.
Launch of the Timeweb program
As part of the public program, information security specialists registered on the Standoff Bug Bounty platform will be able to explore Timeweb's main web resources. In this way one of Russia's cloud providers plans to achieve a high level of security for its services amid the growth of cyber attacks on the information technology sector. Rewards range from 5 to 500 thousand rubles. Positive Technologies reported this on November 26, 2024.
Inclusion in the unified register of Russian software
Standoff Bug Bounty, the platform for organizing paid vulnerability search programs launched by Positive Technologies in May 2022, has been included in the unified register of Russian software. This will allow even more government agencies to use the platform to launch bug bounty programs and improve the protection of their infrastructure against cyber attacks. Positive Technologies announced this on November 26, 2024.
The platform allows companies to run programs to search for vulnerabilities in their products and infrastructure and to automate this process. In accordance with the instructions of the Russian Ministry of Digital Development dated 15.11.2024, the Standoff Bug Bounty platform is classified as a means of automating information security processes.
Inclusion in the register confirms that the platform is reliably protected and developed exclusively in Russia. This means that the operation and modernization of the platform do not depend on foreign companies or foreign software. Standoff Bug Bounty can therefore be used to launch vulnerability search programs at critical information infrastructure (KII) facilities. According to Decree of the President of the Russian Federation No. 166 of 30.03.2022, from the beginning of 2025 the use of foreign software at KII facilities will be completely prohibited.
"In some cases, within the framework of procurement, government organizations are required to confirm the place of origin of the software. Therefore, the company decided to add Standoff Bug Bounty to the unified register of Russian software. This step will expand the customer base of our platform. As a result, even more institutions will be able to attract thousands of information security specialists to search for vulnerabilities and ensure a high level of security for their infrastructure," said Yulia Voronova, director of consulting at the Positive Technologies competence center.
In 2024, PT SWARM specialists discovered almost three times more vulnerabilities in Russian software than in 2023. At the same time, 20% of the identified flaws are of critical severity, which can lead to the realization of unacceptable events in organizations of all industries. Under such conditions, information security experts recommend that organizations use a modern way to identify and eliminate vulnerabilities: running bug bounty programs.
Adding a "red button"
A kind of "red button" has appeared on the Standoff Bug Bounty platform. This feature will be especially in demand among companies that launch APT Bug Bounty programs or take part in cyber tests in order to investigate the cyber attack scenarios that are most dangerous for them. Positive Technologies announced this on November 21, 2024. Participants can now suspend a program at any time if the actions of bug hunters go beyond the established scope of research. Thanks to this step, the process of checking the security of the infrastructure becomes more controlled, and the format of such programs becomes more attractive for companies.
With the constant increase in the number and complexity of cyber attacks, as well as the growing number of software vulnerabilities being identified, Positive Technologies experts recommend that organizations implement the principles of effective cybersecurity to protect their infrastructure and verify their security using bug bounty programs and cyber tests.
The most advanced, final stage of testing the quality and effectiveness of the protection built by a company that strives for a real result and has passed all levels of information security maturity consists of programs that demonstrate whether events unacceptable for the business can be realized. This approach is an alternative to classic penetration testing and red teaming, because thousands of independent researchers with different skills and tools look for attack vectors and vulnerabilities. They check whether unacceptable events can be realized according to criteria formulated together with Positive Technologies specialists. The APT Bug Bounty and Cyber Test formats allow a company to evaluate its existing security system (its sufficiency, effectiveness and need for improvement), as well as quickly and safely eliminate potential paths to unacceptable events.
"For each organization, unacceptable events can be identified, the onset of which would have catastrophic consequences for it," said Alexey Novikov, Managing Director of Positive Technologies. "Defining them is a key step towards building effective cybersecurity. Our platform has long had a bug bounty format for exploring the possibilities of realizing unacceptable events. At the same time, not all our clients are confident in their readiness for such checks. That is why we offer a revolutionary approach that will allow companies to stop the attack of bug hunters at any time. This 'red button' will help eliminate an important reason for our customers' doubts and increase security guarantees for bug bounty."
As experts explain, information security researchers will participate in programs of these formats only through a dedicated virtual desktop, and all their actions will be recorded.
For customers and users, the "red button" will make the actions of specialists more transparent and the process more controlled, which means that the level of trust in such programs will increase. This function will expand the range of companies and organizations that launch this modern bug bounty format. In particular, the "red button" may be in demand among state organizations, industrial enterprises and companies that have doubts about launching security assessment programs with independent researchers. As a result, bug hunters on the platform will have more interesting tasks and more opportunities to earn a reward.
Launch of the Afisha program
Afisha is launching a separate vulnerability search program on the Standoff Bug Bounty platform. Positive Technologies reported this on October 30, 2024.
Through the Standoff Bug Bounty platform, the company will give "white" hackers the opportunity to receive rewards for vulnerabilities found in its web resources.
Researchers are invited to test both the sites of traditional media, "Afisha Daily" and "Еды.ру," and the ticketing service afisha.ru. In this way the company plans to bring the security of its projects to a new level. The declared rewards vary depending on the severity of the vulnerabilities and range from 5 to 500 thousand rubles.
"Previously, it was possible to search for vulnerabilities on the Afisha servers as part of the program of a partner, the media holding Rambler & Co. Now we have decided to separate the company into a separate program; this will be more convenient for both 'white' hackers and ourselves. In addition, we have increased payments for all types of vulnerabilities, so we expect to involve even more specialists with strong expertise," said Konstantin Ermakov, head of the project security department at Afisha.
The bug bounty program is becoming the standard for large technology and media companies, as it allows continuous analysis of the security of services by independent security researchers while maintaining high economic efficiency.
"Approaches to managing vulnerabilities in companies are evolving. More and more organizations that want to protect their services and user data are choosing bug bounty as one of the most progressive methods for finding vulnerabilities. It allows thousands of independent researchers with different experience and tools to look for errors, and the company pays only for the result," noted Anatoly Ivanov, SRO of Standoff Bug Bounty.
Expansion of the Rambler & Co program
Rambler & Co will test its security on the Standoff Bug Bounty platform with the help of white hackers. Positive Technologies reported this on October 23, 2024.
The company is expanding its paid vulnerability search program on the Standoff 365 platform and launching it in the APT Bug Bounty format. Independent security researchers will now try to realize events that are unacceptable for the company in order to check the cyber resilience of its IT systems. For realizing them, bug hunters will receive 3 million rubles.
APT Bug Bounty is a Positive Technologies approach to testing protection against cyber threats in which independent researchers, working 24/7 in a constantly changing infrastructure, assess the company's security against hacking and try to realize events that are unacceptable for it.
"APT Bug Bounty is a logical development of our strategy to protect the infrastructure of the media holding. We build an understanding of its most important areas and focus on them. The expertise of Positive Technologies and the Standoff Bug Bounty platform allow us to expand the 'partnership' with bug hunters to assess the security of the most valuable assets against targeted attacks," said Evgeny Rudenko, director of cybersecurity at Rambler & Co.
Rambler & Co invites white hackers to study the company's business processes and test its infrastructure for resilience. The best cyber specialists will look for vectors of penetration into the infrastructure of the media holding and report on the fulfilled criteria for unacceptable events.
"APT Bug Bounty is an alternative to red teaming and the classic pentest, which provides an objective assessment of the company's security against cyber threats. This approach allows a company to assess the effectiveness of its security system and eliminate vulnerabilities as soon as possible," noted Alexey Novikov, Managing Director of Positive Technologies.
A program containing the rules and conditions has been published on the Standoff Bug Bounty platform. Following these rules, security researchers will try to identify and realize attack vectors that give access to contracts, counterparties, intellectual property and the personal data of Rambler & Co employees and customers.
At the first stage, the program will be launched in private mode and will be available to a limited number of bug hunters.
In addition, Rambler & Co is expanding its main bug bounty program. Researchers are now invited to consider separately vulnerabilities in the company's main media assets, its sports-themed domains, the Rambler portal and LiveJournal. In this way the holding plans to bring the security of its projects to a new level. Payments for all types of vulnerabilities were also increased: "low" up to 5,000 rubles, "medium" from 5,000 to 35,000 rubles, "high" from 35,000 to 150,000 rubles, and "critical" up to 500,000 rubles.
Increase in remuneration from Innostage to 10 million rubles
On September 9, 2024, Innostage announced a doubling of the reward for participants in its open cyber trials (CSR). The program is run on the Standoff Bug Bounty platform for security researchers and is designed to test and increase the cyber resilience of the business.
Adding Standoff Cyberbones online simulator
Positive Technologies has updated the Standoff 365 platform and added a new product: the online simulator Standoff Cyberbones is now available to anyone who wants to gain new knowledge of cyber incident investigation and develop their skills in this area. Information security specialists of various levels will be able to learn in practice the tactics of the strongest white hackers, participants in the Standoff cyber battle. According to Standoff experts, at the first stage 15 of the best incidents that occurred at the cyber battle will be available to users.
Launch of the program for MaxPatrol SIEM and MaxPatrol VM
Positive Technologies is launching a bug bounty program for the MaxPatrol SIEM and MaxPatrol VM systems. The company announced this on March 22, 2024.
For the discovered shortcomings, researchers can receive up to 1 million rubles.
Over the past three years, exploitation of vulnerabilities has been used in about one in three successful attacks on organizations. At the same time, the number of software vulnerabilities discovered worldwide during this period has grown constantly: in 2023 their number (28,902) exceeded the figures for 2021 and 2022 by 42% and 14%, respectively.
"Our company is one of the representatives of the Russian cybersecurity market; we create products that allow organizations to build effective security. MaxPatrol SIEM is used by more than 600 companies from different industries. The product ensures the practical effectiveness of the system's operators and analysts. MaxPatrol VM is the only solution that delivers information about trending vulnerabilities within 12 hours. The product allows you to build a vulnerability management process, meet information security requirements, and also helps make the infrastructure difficult for a hacker. In order to ensure real security, we constantly check the security of our own products as well. We want to make them as safe as possible for customers, which is why we also attract third-party information security researchers by announcing a reward program for vulnerabilities found in MaxPatrol SIEM and MaxPatrol VM," said Ivan Prokhorov, head of product for MaxPatrol SIEM at Positive Technologies.
All researchers registered on the Standoff 365 platform, of whom there are already more than 8,500, will be able to take part in the program.
In December 2023, Positive Technologies launched its first product bug bounty program, for the PT Cloud Application Firewall web application firewall, and then programs for two more of its products, PT Sandbox and PT Network Attack Discovery.
Making the program indefinite
Positive Technologies has made its first product bug bounty program indefinite. The company announced this on February 13, 2024.
Researchers can continue to look for vulnerabilities in the PT Cloud Application Firewall cloud product on the Standoff 365 Bug Bounty platform; the terms and conditions of the program have not changed. The goal is to keep the product secure continuously.
The program was launched at the end of December 2023. For a month, researchers searched for vulnerabilities in the PT Cloud Application Firewall web application firewall. As a result, 20 reports were accepted, and no critical vulnerabilities were found. The identified security flaws were promptly eliminated by the product team within five hours.
According to forecasts by Positive Technologies experts, in 2024 the trend towards more complex cyber attacks will continue to strengthen, and hackers will begin to use more sophisticated methods. As a result, demand for security tools and services will increase, and so will the requirements for the quality of their work. As of February 2024, customers are primarily interested in obtaining an honest assessment of their level of cyber resilience and building reliable protection against unacceptable risks. Vulnerable systems cannot provide companies with the necessary level of security: attackers can hack them like any other unprotected software.
"Trends in the information security market dictate a condition to vendors: the security of tools must be continuously increased. An indefinite bug bounty program will solve this problem: companies will be able to constantly check and improve products, including cloud ones," said Anatoly Ivanov, head of bug bounty at Standoff 365. "This applies both to Positive Technologies products and to solutions and offers from other vendors. How else can a product be protected from the influence of hackers? Give bug hunters the opportunity to continuously search for vulnerabilities in it, and give developers the opportunity to fix them. PT Cloud Application Firewall was our first step towards implementing this strategy."
When developing products for effective cybersecurity, Positive Technologies focuses, among other things, on their reliability. The company's experts analyze the security of its systems and eliminate vulnerabilities using the same methods that are used in customer projects. Perpetual bug bounty programs will complement the usual audit tools, making security analysis a continuous process.
"The choice of PT Cloud Application Firewall, a web application firewall (WAF) class product, as the pioneer of the Positive Technologies bug bounty program is not accidental. In companies, the WAF is responsible for fault tolerance and business reliability, and therefore it should be as protected as possible from cyber threats, not just at a given moment but always," said Alexey Astakhov, head of application security products at Positive Technologies. "In this sense the bug bounty program is a very correct tool that complements secure development processes. We want our products to be under the scrutiny of pentesters, and we are happy to pay for the results of this work."
2023
Launch of a product bug bounty program
Positive Technologies launched its first product bug bounty program. The company announced this on December 20, 2023.
Researchers will look for vulnerabilities in the company's cloud product, PT Cloud Application Firewall.
The program on the Standoff 365 Bug Bounty platform will run from December 20, 2023 to January 20, 2024. For the detected bugs, researchers can receive up to 500,000 rubles.
"Exploitation of vulnerabilities remains the most successful method of attacking organizations. In 37% of cases, attackers launched an attack precisely by searching for vulnerabilities. Positive Technologies, as a representative of the Russian market for effective cybersecurity, has repeatedly stated that a bug bounty program can radically change the situation and complicate the execution of an attack. In this regard, we are bringing our first commercial cloud product, the PT Cloud Application Firewall web application firewall, to the Standoff 365 Bug Bounty platform.
It is important for us to set the standards for protecting cloud-native infrastructure, since we are sure that 'clouds' are not just the future but the present," said Alexey Astakhov, head of application security at Positive Technologies. "It is logical to start this path with yourself, with your own cloud product, PT Cloud Application Firewall, which must meet serious requirements for fault tolerance and reliability in order to protect applications. In this case the bug bounty program is the most effective tool for an independent assessment of security. We are open to researchers: if you can find critical vulnerabilities, we will willingly pay for them, because this will eventually make the product even more protected from cyber threats."
PT Cloud Application Firewall is distributed through a monthly subscription via technology partners, authorized service and cloud providers. Under the terms of the program, all researchers registered on the platform (more than 8,000 of them as of December 2023) will be able to search, using the black-box method, for vulnerabilities in resources on the ptcloud.ru domain.
Bug bounty payouts in Russia are comparable to rewards on global platforms
On November 23, 2023, Positive Technologies summed up the work of the Standoff 365 Bug Bounty vulnerability search platform, launched in May 2022. In a year and a half, the number of hosted programs grew from 2 to 53 and continues to grow. Rewards range from nine thousand to three million rubles, depending on the severity of the vulnerability. The maximum payouts are comparable to rewards on global platforms.
As of November 2023, organizations from different industries have placed their programs on the platform: IT, trade, finance and government agencies. The largest number of programs are in the IT sector (38%), followed by state institutions (17%) and educational platforms (11%).
Since launch, 7,537 researchers have registered on the platform; programs have been presented by Rambler & Co, VK, Public Services, Odnoklassniki and Tinkoff.
"One of the most significant indicators of the platform's performance is the number of valid reports received on the vulnerabilities found," said Anatoly Ivanov, Standoff 365 product manager. "As a rule, these are researchers' reports that have been verified by the platform and by the program representative. In total, bug hunters sent 1,479 reports, of which 10% (152) contained critical vulnerabilities and 19% (287) contained high-risk vulnerabilities."
In a year and a half of Standoff 365 Bug Bounty, hackers have found 71 CWE (Common Weakness Enumeration) types of vulnerabilities in web applications. CWE-79, "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", took first place in popularity, appearing in 22% of reports.
HackerOne, one of the world's bug bounty platforms, also keeps CWE statistics and publishes security flaws ranked by the number of reports containing them. Positive Technologies noted that the data from the two platforms are similar, so Standoff 365 Bug Bounty follows global trends even in its statistics on vulnerabilities in organizations' infrastructures.
The maximum payout can vary significantly from program to program. In one, several thousand rubles may be paid for a critical vulnerability; in another, more than three million. The reward depends on the company itself: its income, its scale and the information it works with.
"According to our data, IT companies and organizations from the financial sector paid hackers more than companies from other industries represented on the platform," said Grigory Prokhorov, an analyst in the research group of the Positive Technologies analytics department. "They account for a total of 81% of rewards, despite being represented in only 44% of programs. We note that the level of payments on foreign platforms is comparable to similar programs on Standoff 365 Bug Bounty. For example, on the HackerOne platform, rewards can reach 20 thousand dollars depending on the company participating in the program."
In addition, Standoff 365 Bug Bounty hosted two Standoff Hacks events in 2023, where bug hunters were given the opportunity to participate in closed programs. In the last event alone, total payouts amounted to 11,470,740 rubles.
Cyber Training Availability for Enterprise Information Security Services
On August 1, 2023, the next exercises start on the Standoff 365 online cyber range, and the range itself begins operating in an updated format: from this day, non-stop cyber training is available to teams of defenders. This was announced by Positive Technologies.
In Russia, the heads of organizations bear personal responsibility for cybersecurity. In particular, they are interested in creating effective information security teams that can squeeze the maximum out of their security tools, stay aware of the latest tactics and techniques of attackers, and be sure of their ability to detect a cyber attack of any complexity and react to it in time. A distinctive feature of the range created by Positive Technologies is live hacker traffic from the company's international community of independent security researchers. This allows cyber range customers to prepare for threats and the most unpredictable scenarios, including identifying and investigating attacks that exploit zero-day vulnerabilities.
Cyber training on the Standoff 365 range allows a team of information security specialists to assess the degree of infrastructure security and understand how to make life as difficult as possible for criminals. Here they can study, dissect and explore current and non-trivial hacker techniques. Companies, if necessary, can place fragments of their own infrastructure on the range to test its security in a safe and controlled environment. In addition, on Standoff 365 you can get acquainted in practice with different classes of information security products, determine which of them a specific organization needs, and ensure optimal configuration of security tools.
Until now, the cyber range, launched in July 2022, was available only to attackers. As of August 2023, more than six thousand independent information security specialists were registered on the Standoff 365 platform. Exploring replicas of real company infrastructures, they hone their skills, try out new attack techniques 24/7, and test the security limits of organizations across industries. Over the year, researchers found more than 440 vulnerabilities in the three industry segments presented on the cyber range and were able to realize unacceptable scenarios 165 times. Since August 1, defense teams have also had the opportunity to improve their skills. They will be able to monitor and investigate the actions of attackers in order to apply the acquired skills to preventing real hacker attacks.
A cyber range is a key element in building an effective cybersecurity system. With its help, thousands of ethical hackers using various tactics, techniques and tools help businesses and the state prevent scenarios that are unacceptable to organizations by revealing interesting and unexpected attack vectors. The rapid development of information systems requires the constant attention of security specialists. The online range helps companies increase the competencies of their defense teams and improve information security processes continuously, while barely distracting specialists from their main work: a subscription to the online range is valid for a year, and each specialist or team uses it at a pace comfortable for them.
The infrastructure of the updated Standoff 365 includes copies of IT systems of various levels of complexity, with the ability to add the necessary basic services, industrial control system (APCS) facilities and equipment, development environments, and monitoring and protection tools. The range includes modules that recreate elements of the industrial networks of six different industries (with the ability to practice defending against lateral movement from the corporate network to the technological one), as well as financial services.
At the client's request, Standoff 365 can also add the client's own infrastructure in order to assess its security under real attacks with unpredictable vectors. The range is designed not only for conducting exercises and increasing expertise in information security and compliance, but also for maximizing the effectiveness of security tools and providing a constant stream of up-to-date information about the tactics, techniques and tools of hackers.
Launch of the platform's own vulnerability search program
On March 1, 2023, Positive Technologies announced that Standoff 365 had launched its own public vulnerability search program. In this way the platform is ready to openly confirm the security of its services and demonstrate its concern for customer safety. The Standoff 365 bug bounty program will be available to all researchers, and the reward for the most dangerous vulnerabilities will be 1 million rubles.
In the fourth quarter of 2022, the number of hacker attacks on IT companies increased by 18%. The IT sector came close to the top three most attacked industries. Attackers are interested in IT companies because compromising them opens the way to further attacks on their customers, the users of their products and services.
"The launch of its own vulnerability search program is a serious step in the development of Standoff. The platform contains a lot of data that is important to us and our customers, so launching a bug bounty will strengthen protection and prepare the development team to quickly change processes and find and fix bugs early. We are ready to show everyone by our own example that bug bounty is not scary and that searching for vulnerabilities by bug hunters does not negatively affect the operation of services," said Anatoly Ivanov, head of bug bounty development at Standoff 365.
As part of the Standoff 365 bagbounty program, researchers will have access to all subdomains of the platform's website - standoff365.com, including domains authorizations (auth.standoff365.com), bagbounty (bugbounty.standoff365.com) and cyber police (range.standoff365.com). The amount of remuneration of ethical hackers depends on the degree of danger of the vulnerabilities found and will amount to 1 million rubles for a critically dangerous level, 250 thousand rubles for a high, 50 thousand and 15 thousand rubles, respectively, for medium and low levels.
The next step in the program's development will be the launch of a bug bounty aimed at the realization of unacceptable events, with payments to bug hunters raised to 2 million rubles. In addition, to motivate researchers, the platform is prepared to offer other forms of encouragement, including merchandise and invitations to events.
2022
Launch of a bug bounty program aimed at the realization of unacceptable events
On November 22, 2022, Positive Technologies announced the launch of a bug bounty program focused not on finding purely technical vulnerabilities in the company's external services, but on realizing a truly critical event for the company: the theft of money from its accounts. Positive Technologies is ready to pay a reward of 10 million rubles.
"Previously, the goal of traditional bug bounty programs has always been to search for relatively small and minor vulnerabilities in company services. At the same time, they are not always critical for business and, as a rule, remain clear only to technical specialists," said Alexey Novikov, director of the Positive Technologies security expert center. "It is important for us that the most dangerous events for the company are guaranteed to be unrealizable. Therefore, we looked at the bug bounty in a new way and reoriented the attackers from discovering exclusively technical problems to finding ways to realize events that are unacceptable for our business; in particular, at this stage we are checking the possibility of stealing money from the company's accounts. This setting of the task complicates the researcher's work by an order of magnitude, since he needs to figure out how the company's business processes are built, bypass the protection systems and demonstrate the fact of money theft."
While constantly improving its security system, Positive Technologies conducted a series of cyber exercises with almost all major companies providing penetration testing services in Russia. More than 200 possible attack scenarios were analyzed. The results showed that each team operates in its own style: some, for example, focus more on social engineering, while others focus on network infrastructure or web applications. The only way to guarantee an objective and comprehensive verification of the company's security is to expand and diversify the attacking expertise. Therefore, Positive Technologies has launched a bug bounty program with special conditions, open to all researchers, on the Standoff 365 platform, which brings together more than 2,800 bug hunters as of November 2022.
The Positive Technologies bug bounty program is not limited in time; that is, the company assesses its security continuously, until an unacceptable scenario for the company is realized. Unlike a classic bug bounty, ethical hackers here are allowed to use almost any method of remote attack (including social engineering) to penetrate. The main prize, 10 million rubles, will go to the researcher who, in accordance with the program rules, manages to transfer money from the company's accounts in an illegitimate way and provides a suitably detailed report.
"We believe that such an evolution of bug bounty programs is a new round in the development of the cybersecurity industry, since this is the only way for the head of the company to make sure that the protection system actually works," concluded Alexey Novikov.
RuStore Solution Placement
VK on November 15, 2022 announced the placement of RuStore in the Bug Bounty program on the Standoff 365 Bug Bounty platform, developed by Positive Technologies. Read more here.
VK receives 300 vulnerability reports
On October 18, 2022, VK announced that it had received 300 vulnerability reports from external experts during the three months of its bug bounty program on the Standoff 365 Bug Bounty platform, developed by Positive Technologies. VK experts recognized more than half of the reports as significant, and the vulnerabilities identified on their basis were eliminated.
More than 50 security researchers received a reward totaling three million rubles. The amount of payments ranged from three thousand rubles to 750 thousand rubles, depending on the criticality of the identified vulnerability.
"The company posted a vulnerability search program on Standoff 365 three months ago and is already seeing positive results from its work. During this time, external experts helped to improve and strengthen the protection of our services. VK strives to provide comfortable conditions for users, ensuring their safety and the confidentiality of their data. In addition to creating its own technology solutions, VK will continue to cooperate with large Russian IT companies so that its products are as safe as possible," noted Aleksei Volkov, Vice President and Director of Information Security at VK.
VK announced participation in Standoff 365 Bug Bounty in August 2022. The company has placed 12 services on the platform. Within three months, the number had risen to 19. The plans include an increase in the number of projects on the platform by more than 20%.
Placement of a vulnerability search program from Rambler & Co
On September 22, 2022, Rambler & Co announced the launch of a public vulnerability search program on The Standoff 365 Bug Bounty platform developed by Positive Technologies. Researchers are invited to test the 10 most important and well-known services of the media holding, including the sites Lenta.ru, Gazeta.Ru, Championship, the Rambler portal, Rambler/News, Rambler/Mail and others. In this way, the holding plans to bring the security of its projects to the next level.
Users need to be guaranteed continuous, uninterrupted access to content, as well as reliable security and privacy of their personal data. This is an important step in an environment where the share of attacks on Russian web resources has almost doubled (to 22% in the first quarter of 2022, compared to 13% in the previous quarter). At the same time, the media industry entered the top five most attacked industries for the first time.
In this situation, the bug bounty program becomes the standard for large technological and media companies, as it allows for continuous analysis of the security of services by independent security researchers, while maintaining high economic efficiency.
Rambler & Co already has experience running such a program behind closed doors, where a limited number of researchers are invited to participate. This time the media holding is opening its bug bounty to everyone; the declared reward amounts vary with the criticality of the vulnerabilities and range from 2,000 to 100,000 rubles.
"Positive Technologies has extensive experience in the cybersecurity industry, authority in the community and strong expertise, which is an additional guarantee in attracting specialists. In the domestic market, The Standoff 365 Bug Bounty platform looks like the most mature solution; therefore, from participation in the program, the company expects to involve a large number of specialists, strong expertise and, as a result, a further increase in the level of security of its projects and services," emphasized Evgeny Rudenko, director of cybersecurity at Rambler & Co.
"The company's research demonstrates the growing interest of cybercriminals in media industry organizations. High-profile attacks on the media in 2022 signal that it is time for the industry to reconsider its attitude towards cybersecurity. Responsible companies like Rambler & Co are aware of the growing risks and the importance of bug bounty programs. And the platform helps them detect and eliminate critical gaps in services in time, thereby protecting users," said Yaroslav Babin, CPO of The Standoff 365.
Attracting 1,800 white hackers
On August 26, 2022, Positive Technologies shared the results of the first three months of The Standoff 365 platform, a project that recreates the operational business processes of real industrial, power, transport and financial companies, as well as entire industries of the economy.
The Standoff 365 combines three projects: the Bug Bounty platform, a cyber range and a social platform for hackers and security researchers. In three months, the platform attracted 1,800 white hackers.
The Standoff 365 Bug Bounty has been operating since May 19, and as of August 26, 2022, it is a key domestic platform for attracting external researchers to find and fix vulnerabilities in the infrastructure, products and services of companies, as well as to discover ways to realize unacceptable events. Since launch, 13 bug bounty programs have been hosted on the platform, and registered researchers have submitted 250 reports on the vulnerabilities found. The first payouts to bug hunters have already been approved.
In July, the second element of The Standoff 365 also began operating: in addition to the regular offline cyber battles, an online cyber range became available 365 days a year, allowing the security of infrastructure to be analyzed in three key segments: corporate, financial and electric power. Participants have already discovered 203 vulnerabilities on the online cyber range, the most (82) in the energy segment, and have also realized 40% of all declared unacceptable events, including four of the seven unacceptable events in the banking segment.
Placement of the vulnerability search program from VK
On August 8, 2022, VK announced its participation in The Standoff 365 Bug Bounty platform, developed by Positive Technologies. The IT company has placed a bug bounty program on the platform, which, with the help of external experts, helps to find flaws in its security system and fix them before they are discovered by attackers. VK's bug bounty includes more than 40 projects. For identified vulnerabilities, security researchers will receive rewards from the company ranging from 6 thousand rubles to 1.8 million rubles, depending on the threat level.
"User security and trust in VK services have always been a priority for us. We use various tools to strengthen cyber protection, and have long used bug bounty to check the quality of our services; we see this as a real, practical benefit. Over the past six months, the number of cyber attacks on Russia has grown significantly, and we are glad that domestic companies are launching their own bug bounty platforms. I am confident that the placement of our program on The Standoff 365 platform will expand the capabilities of VK in finding vulnerabilities and quickly fixing them," said Aleksei Volkov, Vice President and Director of Information Security at VK.
"To attract external cybersecurity experts to discover vulnerabilities, the company's management needs courage. But it is this step that allows you to reliably and objectively assess the security of the business and eliminate vulnerabilities in the IT infrastructure in time, before the bad guys use them and cause irreparable damage to the organization. The bug bounty program is a concern for the future; it is a sign of the company's openness and its attention to the security of user data. Therefore, the very fact of having a bug bounty inspires more confidence in the organization. We are pleased to welcome VK, with its many years of experience in bug bounty, on our platform and look forward to long-term cooperation in improving the security of services and raising the level of cybersecurity," said Yaroslav Babin, CPO of The Standoff 365.