60 million for hacking: Positive Technologies challenges hackers

A second unacceptable event has been added to the Positive Dream Hunting bug bounty program.

Positive Technologies continues to refine its approach to cybersecurity. A second unacceptable event has been added to the Positive Dream Hunting bug bounty program: the first researcher who manages to plant conditionally malicious code in the vendor's products will receive a reward of 60 million rubles. The company has also raised the payout for the first unacceptable event, theft of money from the company's accounts, to 60 million rubles.

According to Alexey Novikov, director of the Positive Technologies expert center, Russian companies are actively building effective cybersecurity in their infrastructures. Many do so step by step: defining and verifying their unacceptable events, setting up monitoring of key and target systems, and conducting regular cyber exercises. Launching a bug bounty program focused on unacceptable events is a serious step for a company, but it is the only way for its CISO and top management to actually verify that the security system they have built works.

He also noted that Positive Technologies was the first to bring in independent security researchers to test whether its unacceptable events can actually be realized. The company expects that in 2024 other organizations, above all the most mature in terms of information security, will follow this example. Business interest in finding scenarios that lead to unacceptable events is already growing, as is the number of such programs.

Before launching the bug bounty program for the second unacceptable event, Positive Technologies tested whether it could be realized on the Standoff 12 cyber range, where it recreated part of its real infrastructure, including its software development, build, and delivery processes. Participants in the cyber battle tried to embed a backdoor in the source code of one of the products, but did not succeed.

Three months after the test on the cyber range, Positive Technologies is launching an open program on the bug bounty platform with a reward of 60 million rubles. It goes to the bug hunter (or team) who, in accordance with the program's rules, manages to place a working build containing conditionally malicious code on the internal update server gus.ptsecurity.com or on the public server update.ptsecurity.com. They must also provide proof that the build can be made available for download, such as a screenshot showing the necessary permissions. Under the terms of the program, researchers are prohibited from using a modified build. In addition, Positive Technologies' internal security mechanisms rule out any possibility of a conditionally malicious update being distributed to products delivered to the company's customers.

White hackers who complete one or more of the steps leading toward the unacceptable event will receive an incentive reward. In particular, breaching the network perimeter and gaining a foothold on a host pays 300-500 thousand rubles, and getting code into a public release of the product at the storage or testing stage pays 3-5 million rubles.

Positive Technologies launched its bug bounty program for unacceptable events, open to all researchers, in November 2022 on the Standoff 365 platform. Bug hunters were then offered the first critically dangerous event: stealing money from the company's accounts. In April 2023 the reward was tripled, to 30 million rubles. So far, no one has been able to carry out the full scenario, including the final stage of the theft.