Positive Technologies is constantly refining its approach to result-driven cybersecurity: as part of the bug bounty programme Positive Dream Hunting, security researchers worldwide can attempt to trigger two non-tolerable events. The first person who can inject malicious code into the company’s products or steal money from its accounts will be rewarded with more than $650,000.
Over the past two years, Russian companies have been hit by a record number of cyberattacks. Many companies started implementing result-driven cybersecurity by identifying and verifying non-tolerable events, monitoring key and target systems, conducting regular cyber exercises, and participating in bug bounty programmes. Middle Eastern countries, where companies and critical infrastructure are increasingly being hit by cyberattacks, 83% of which are targeted, can also put Positive Technologies' experience to use.
Alexey Novikov, Head of the PT Expert Security Centre at Positive Technologies, said: “Launching a bug bounty programme focused on non-tolerable events is the only way for a company’s CISO and senior management to test the effectiveness of its security systems.”
Positive Technologies was the first in the industry to dare to change the rules and goals of bug bounty programmes by starting to engage independent security researchers to analyse how non-tolerable events can be triggered. In November 2022, the Standoff 365 platform hosted a bug bounty programme in which participants were challenged to steal money from corporate accounts—a true non-tolerable event for Positive Technologies. With the help of payment agents, Standoff 365 can pay rewards to researchers in different currencies in Russia and abroad.
Positive Technologies expects other organisations, especially those with mature cybersecurity processes, to follow suit in 2024. Companies have started to take a keen interest in analysing scenarios of non-tolerable events; the number of bug bounty programmes has also increased.
At the Standoff 12 cyber exercises in November 2023, Positive Technologies re-created part of its real infrastructure, including software development, build, and delivery processes, in order to test whether it was possible to introduce malicious code into its products. Participants of the cyberbattle tried and failed to introduce a backdoor into the source code of one of the company’s products.
Three months after conducting the exercises on the cyberrange, Positive Technologies is launching an open programme on the bug bounty platform with a $650,000 reward. The reward will be granted to a bug hunter (or a team of bug hunters) who is able, in accordance with the programme rules, to place a malicious build with malicious code on the gus.ptsecurity.com internal update server or on the update.ptsecurity.com public servers. This participant must also prove that the build can be downloaded, by providing a screenshot with the necessary permissions. Researchers are prohibited from using a modified build. In addition, Positive Technologies' internal security mechanisms prevent any malicious update from spreading to products used by the company’s customers.
White hat hackers who manage to come close to causing a non-tolerable event (those who get within several steps of being able to do it) will also receive a reward. Participants can get $3,300–5,500 for penetrating the network perimeter and getting a foothold on a host, while injecting code into a public product release at the storage or test stage will be worth $33,000–55,000.
To ensure result-driven cybersecurity, Positive Technologies uses its own products, with the latest features. The MaxPatrol SIEM security information and event management system collects logs from all corporate assets, PT Sandbox inspects email attachments and files from traffic, and PT Application Firewall protects web resources. In addition to the Positive Technologies SOC, MaxPatrol O2, an autopilot product anchored on result-driven cybersecurity, operates in test mode.