Regulation on Contests Held on the bugbounty.standoff365.com Platform

This regulation on contests held on the bugbounty.standoff365.com platform (hereinafter referred to as the "Regulation") governs the procedure of arranging and conducting of such contests.

Terms

Client

A legal entity having issued an assignment to arrange the vulnerability search contest

Contest

The contest for searching vulnerabilities in the client's web services and applications as well as ways to initiate unauthorized events, hosted on the organizer's platform

Contest committee

A group of persons comprising the client's representatives (at least two) and one representative of the organizer, approved for performing the assessment of the contest participants

Organizer

JSC Positivniye Tekhnologii

Report

A document submitted electronically by a participant to the organizer (the participant is to complete a form in their account on the platform) which shall contain the description of the completed contest assignment

Winner

A participant recognized as the contest winner by the contest committee

Platform

A website at bugbounty.standoff365.com

Participant

A legally capable individual aged eighteen or above being a tax resident of the Russian Federation in accordance with the effective laws of the Russian Federation and acting on their own behalf.

The following persons cannot participate: persons involved in the contest arrangement and holding, members of their families, authors of the code to be analyzed by the participants as part of the contest

Vulnerability

A technical flaw in the client's web services and applications which can be used to disrupt their normal operation, integrity, availability, confidentiality, and/or trigger a non-tolerable event as a result of cybercriminal activity, making it impossible to achieve operational and strategic goals or leading to the long-term disruption of core operations

Contest organizer

  1. Each contest is organized by JSC Positivniye Tekhnologii (OGRN or Primary State Registration Number: 1127746201087), location address: 23A Schelkovskoe shosse, room 36, office V, Moscow, 107241, Russian Federation; mailing address: 8 Preobrazhenskaya ploshchad, Moscow. JSC Positivniye Tekhnologii arranges every contest according to the client's assignment in line with the requirements and conditions defined by the client. These requirements and conditions are posted by the organizer on the contest page on the platform. The client may simultaneously hold several contests on the platform.

Contest conditions

  1. The contests are held on the platform. To participate, an individual (the contest participant) shall register on the platform page in the manner provided for in the Standoff 365 platform terms of use.
  2. The contest participant uses the account functionality on the platform to submit the report in accordance with the contest conditions. The report shall feature a title and a description. It also may contain:
    • Vulnerability severity (except for the non-tolerable event notification)
    • CVE (Common Vulnerabilities and Exposures) ID in the "CVE-year-number" format with a description of the vulnerability and/or public links containing its description
    • Attached files
  3. The report is assessed by the contest committee.
  4. The contest committee determines the contest winners for each winning place and the amount of reward for each winner at its own discretion. The number of winners is not limited.
  5. The lists of winners determined by the contest committee's decision are published by the organizer on the platform.
  6. The award is only given to the contest participants who have met the contest conditions and informed the contest committee on the previously unknown vulnerabilities in the client's information system. A report containing the data on the vulnerability already known to the contest committee may be assigned the "Duplicate" status in the following cases:
    • Another contest participant have submitted a similar report earlier (even if the reports describe different vectors of using the same vulnerability).
    • The report describes a vulnerability that was already known to the client's employees or contractors, which was clearly indicated (for example, by making a record in the bug tracking system).
    • The report describes a zero-day or one-day exploit that the contest committee has found out from public sources prior to the report submission by the participant.
  7. The results of the report verification are announced throughout the entire contest period. These results will be assessed by the contest committee within at least ninety (90) days upon receiving the contest participant's report on a vulnerability detected in the client's information system.
  8. The contest committee must have the quorum in order to make a decision. This requires consent of three representatives of the contest committee, one of them being the organizer's representative. The decision on awarding the contest winner is recorded in the contest committee protocol.
  9. The assignment description, criteria, and procedure of assessing the vulnerability search results, the contest period, and the deadlines for submitting the vulnerability search results, the amount, and form of the award granted to the contest participant are specified on the contest page on the platform.
  10. By submitting the report to the organizer, the winner agrees that they transfer the organizer the exclusive rights to any intellectual property created by the winner in the course of the contest. Exclusive rights to the intellectual property are alienated in full for the entire term of such rights.
  11. For the participant to meet the contest conditions, the organizer grants a basic (non-exclusive) software license—for the entire contest period and free of charge—to the extent required and sufficient to meet the contest conditions and solely for the purpose of searching for vulnerabilities and exploits in such software.
  12. The organizer retains the right to change the contest conditions.

Responsible disclosure

  1. Should a participant detect a vulnerability in the course of the contest, they shall follow the rules of responsible disclosure and carry out the following:
    • Notify the legal entity being the right holder of the software and/or database incorporated into the client's information system (hereinafter referred to as the "Right Holder") in accordance with the Right Holder's vulnerability disclosure policy. If no such policy is available, the participant shall contact the Right Holder via email or using any other available method.
    • The participant shall allow at least ninety (90) days for the Right Holder to issue a security patch. This period may be extended by agreement with the Right Holder.
    • The participant must additionally submit reminder emails to the Right Holder on the thirtieth (30th) and sixtieth (60th) days after the initial notification.
    • Should the participant fail to receive the Right Holder's response within ninety (90) days, they may publicly disclose the details of the detected vulnerability at their own discretion but provided always that the disclosed information would not allow other persons to exploit such vulnerability.
    • Should the Right Holder issue a security patch prior to expiry of ninety (90) days, the participant may publish the details of the detected vulnerability immediately after the security patch having been issued by the Right Holder, subject to the requirements set out above.
    • The participant shall maintain confidentiality regarding the detected vulnerability within ninety (90) days and shall not disclose such information without the Right Holder's permission.
  2. If a vulnerability is detected in the products of the Right Holder being a client, the participant shall notify on such vulnerability by submitting a report in accordance with this Regulation. In this case, the requirements set out in clause 4.1 of the Regulation may be ignored.

Award

  1. The award is provided by the contest organizer in monetary form.
  2. The winners receive awards up to the amounts specified by the client on the contest page on the platform. The contest committee may decide on paying the award exceeding the maximum amount set out for the vulnerability detected.
  3. The amount of the award to the winner depends on the vulnerability hazard, ease of its exploitation and its effect on the data of the client's information system users. The committee determines the amount of the winner's award.
  4. The organizer retains the right to adjust the award amount at the client's request.
  5. The award is paid by the organizer subject to provision of the information and documents listed in clause 6.2 of the Regulation by the winner, no later than thirty (30) calendar days following the date of notifying the contest committee on the positive assessment of the report submitted by the participant.
  6. The award payment procedure is set out in section 6 of the Regulation.
  7. The award includes the personal income tax (PIT) to be assessed and withheld from the winner's award and remitted to Russian tax authorities by the organizer in accordance with the laws of the Russian Federation.
  8. The award shall not be paid to the winner if the participant fails to provide the documents and information listed in clause 6.2 of the Regulation in full, or if the winner provides the organizer with unreliable, incomplete or knowingly false information, or otherwise violates the Regulation.

Award payment procedure

  1. The award is paid to the winner by remitting funds by the organizer using bank details specified by the winner on the platform. The award amount may only be remitted to the accounts opened with Russian banks and after PIT (personal income tax) withholding. If no notification is received from the participant on the non-receipt of payment within thirty (30) calendar days following the payment completion by the organizer, the latter is considered to have fulfilled its award payment obligations in full.

  2. In order to receive the award, the winner shall specify the following details in their account on the platform:

    • First name, last name, and patronymic in full
    • Date of birth
    • Payment details: BIK of the beneficiary's bank, the beneficiary's bank, correspondent account, INN (tax identification number) of the beneficiary's bank, the beneficiary's account, the beneficiary's name
    • Russian passport data: series, number, date of issue, subdivision code, the issuing authority, registration address
    • INN (tax identification number)

    The organizer retains the right to request a scanned copy of the passport from the winner, including the scanned copies of the pages with passport stamps confirming crossing the Russian borders.

  3. If the organizer is unable to establish the winner's country of tax residence due to the insufficiency of the information provided by the winner, the organizer may reduce the award amount granted to the winner by PIT in the amount of 30 percent.

  4. Should the winner provide unreliable information on the country of their tax residence, the organizer may block their account.

Restrictions

  1. The participant may only use their account for vulnerability testing and demonstration. Hacking and using other accounts is prohibited. The participant may not obtain access to any third party data.
  2. Participants having publicly disclosed the details of vulnerabilities, including to any third parties, and thus having violated provisions of section 4 of the Regulation, may be banned from receiving the award.
  3. Participants may also be banned from receiving the award in the following cases:
    • Physical intrusion into the client's infrastructure (including offices and computing centers)
    • Use of the social engineering methods targeted at the client's or organizer's employees
    • Attempt of accessing accounts, user data, or any other confidential information beyond the scope of actions strictly required in order to demonstrate the detected vulnerability
    • If the vulnerability exploitation in the client's operating environment resulted in disruption of the client's business or other processes (including DoS attacks and other denial of service attacks)
  4. Where the vulnerability exploitation in the client's operating environment may result in disruption of the client's business or other processes, the participant undertakes to refrain from actions associated with exploitation of such vulnerability and ensure that the report submitted by them includes all the details required to verify the ability to exploit the detected vulnerability outside of the operating environment.

Final provisions

  1. The contest is held in accordance with the laws of the Russian Federation.
  2. The participant registration in the manner set out in the Standoff 365 platform terms of use shall mean the participant's complete and unconditional consent to all contest conditions and the Regulation.
  3. The basis for processing of the participant's personal data for the purposes of their participation in the contest shall be conformance with this Regulation and the Standoff 365 platform terms of use accepted by the participant.
  4. The organizer may transfer the participant's personal data to the clients for the purposes of their participation in the contest and in order to ensure the award payment to the participant should they win.
  5. All disputes and disagreements arising in relation to the contest arrangement and conducting shall be settled by negotiations. Disputable issues not settled by negotiations shall be resolved by court at the organizer's location.