Positive Technologies is constantly refining its approach to result-driven cybersecurity[1]: as part of the bug bounty program Positive Dream Hunting, security researchers from around the world can attempt to trigger two non-tolerable events[2]. The first person who can inject malicious code into the company’s products or steal money from its accounts will be rewarded with more than $650,000[3].
Over the past two years, Russian companies have been hit by a record number of cyberattacks. Many companies started implementing result-driven cybersecurity by identifying and verifying non-tolerable events, monitoring key and target systems, conducting regular cyber exercises, and participating in bug bounty programs. Middle Eastern countries where companies and critical infrastructure are increasingly being hit by cyberattacks, 83% of which are targeted, can also put Positive Technologies experience to use.
Alexey Novikov, Head of the PT Expert Security Centre at Positive Technologies, said: “Launching a bug bounty program focused on non-tolerable events is the only way for a company’s CISO and senior management to test the effectiveness of its security systems”.
Positive Technologies was the first in the industry to dare to change the rules and goals of bug bounty programs by starting to engage independent security researchers to analyse how non-tolerable events can be triggered. In November 2022, the Standoff 365 platform hosted a bug bounty program in which participants were challenged to steal money from corporate accounts—a true non-tolerable event for Positive Technologies. With the help of payment agents, Standoff 365 can pay rewards to researchers in different currencies in Russia and abroad.
Positive Technologies expects other organisations, especially those with mature cybersecurity processes, to follow suit in 2024. Companies have started to take a keen interest in analysing scenarios of non-tolerable events; the number of bug bounty programs has also increased.
At the Standoff 12 cyber exercises in November 2023, Positive Technologies re-created part of its real infrastructure, including software development, build, and delivery processes, in order to test whether it was possible to introduce malicious code into its products. Participants of the cyberbattle tried and failed to introduce a backdoor into the source code of one of the company’s products.
Three months after conducting the exercises on the cyberrange, Positive Technologies is launching an open program on the bug bounty platform with a $650,000 reward. The reward will be granted to a bug hunter (or a team of bug hunters) who will be able, in accordance with the program rules,[4] to place a malicious build[5] with malicious code on the gus.ptsecurity.com internal update server or on the update.ptsecurity.com public servers. This participant must also prove that the build can be downloaded, by providing a screenshot with the necessary permissions. Researchers are prohibited from using a modified build. In addition, Positive Technologies internal security mechanisms prevent any malicious update from spreading to products used by the company’s customers.
White hat hackers who manage to come close to causing a non-tolerable event (those who get within several steps of being able to do it) will also receive a reward. Participants can get $3,300–5,500 for penetrating the network perimeter and getting a foothold on a host, while injecting code into a public product release at the storage or test stage will be worth $33,000–55,000.
To ensure result-driven cybersecurity, Positive Technologies uses its own products, with the latest features. MaxPatrol SIEM security information and event management system collects logs from all corporate assets, PT Sandbox inspects email attachments and files from traffic, and PT Application Firewall protects web resources. In addition to the Positive Technologies SOC, MaxPatrol O2, an autopilot product anchored on result-driven cybersecurity, operates in test mode.
[1] Result-driven cybersecurity is a security posture that makes an organisation resilient to cyberattacks and allows for practical confirmation at any time that an attacker will not be able to trigger organisation-specific non-tolerable events.
[2] A non-tolerable event is an event that occurred as a result of a cyberattack, which prevents an organisation from achieving its operational and/or strategic goals or leads to significant disruption of its core activities.
[3] The equivalent amount in Russian rubles (60 million rubles) was over $657,000 at the Bank of Russia’s exchange rate as of February 6, 2024.
[4] Details of the program will be available to participants after registration.
[5] A hypothetically malicious build means a build with modified release content (docker containers, ZIP archives, and so on) or any other build with payload (non-malicious function code) that ensures correct installation of the solution and operation of its basic features. Bug hunters must not add functionality that threatens the security of product users.