EN
EN

Program Regulations on the Standoff 365 Bug Bounty Platform

These regulations on programs on the bugbounty.standoff365.com platform (hereinafter referred to as the Regulations) govern the procedure of arrangement and implementation of such programs.

Terms

Client

A legal entity having placed a request to arrange the Program

Committee

A group of persons comprising at least two representatives of the Client and one representative of the Organizer, approved for performing the assessment of the Program Participants' Reports

Organizer

Positivniye Tekhnologii Joint-Stock Company, OGRN (principal state registration number) 1127746201087, with its office located at Schelkovskoe shosse 23A, room 36, office V, Moscow, 107241, Russian Federation

Report

An electronic record provided by the Participant to the Organizer by completing a form in their account on the Platform. It contains the conclusions and description of the completed Program assignment

Platform

A website at bugbounty.standoff365.com

Winner

A Program Participant to be paid the reward according to the Committee's decision

Program

The Program for scanning vulnerabilities in the Client's web services and applications as well as checking for ways to trigger non-tolerable events, hosted on the Platform

Participant

A legally capable individual aged eighteen (18) (or fourteen (14) subject to a written consent of their legal representatives for participation in the Program) or above being a citizen of the Russian Federation according to legislation, acting on their own behalf and willing to participate in any Program.

The following persons may not participate: persons involved in the program arrangement and implementation, members of their families, authors of the code to be analyzed by participants as part of the Program.

Self-employed individuals who are taxpayers under a special tax regime (in accordance with Federal Act No. 422-FZ dated November 27, 2018 "On an Experiment on Establishing the Special 'Self-Employment Tax' Regime") or individual entrepreneurs may as well participate

Vulnerability

A technical flaw in the Client's web services and applications which can be used to disrupt their normal operation, integrity, availability, confidentiality and/or trigger a non-tolerable event as a result of cybercriminal activity, making it impossible to achieve operational and strategic goals or leading to a long-term disruption of core operations

Program Organizer

  1. The Organizer shall post every Program according to the Client's assignment in line with the requirements and conditions defined by the Client. These requirements and conditions are posted by the Organizer on the Program page on the Platform. Each Client may have several Programs posted on the Platform at the same time.

General provisions on Program participation

  1. To participate in the Program, the Participant shall register on the Platform as set forth in the Standoff 365 Platform Terms of Use.
  2. The Participant shall use the account functionality available on the Platform to submit the Report in accordance with the Program terms. The Report must contain the name and description of the Vulnerability. It may also contain the following items:
    • Information on the Vulnerability severity (except for the non-tolerable event notification)
    • CVE (Common Vulnerabilities and Exposures) ID in the CVE-year-number format with a description of the Vulnerability and several public links containing its description
    • CWE (Common Weakness Enumeration), or the general list of security flaws (weaknesses)
    • Attached files
  3. The Committee shall assess the Report.
  4. The Committee shall select the Winners and determine the amount of the reward money payable to each Winner at its own discretion. The number of Winners is not limited.
  5. The Organizer shall post the lists of Winners selected by the Committee on the Platform.
  6. Only Program Participants who have met the Program terms and reported to the Committee previously unknown Vulnerabilities found in the Client's information system can become Winners. A Report containing data on the Vulnerability already known to the Committee may be assigned the Duplicate status in the following cases:
    • Another Program Participant has submitted a similar Report earlier (even if the Reports describe different vectors of exploiting the same Vulnerability).
    • The Report describes a Vulnerability that was previously known to the Client's employees or contractors, which was clearly indicated (for example, by making a record in the bug tracking system).
    • The Report describes a zero-day or one-day Vulnerability that the Committee has learned about from public sources prior to the Report submission by the Participant.
  7. The results of Report verification will be announced throughout the entire Program period. The Committee shall assess the Report within ninety (90) days of receipt.
  8. A quorum is required for the Committee to make a decision, namely a consent of three members of the Committee, one of them being the Organizer representative. Upon deciding to reward a Winner, the Committee shall prepare minutes.
  9. The assignment description, criteria and procedure of assessing the Vulnerability scan results, the Program period, and the deadlines for submitting the Vulnerability scan results, the amount and form of the reward granted to the Participant will be specified on the Program page on the Platform.
  10. The Winner agrees that by submitting the Report, they transfer any and all exclusive intellectual property rights acquired while participating in the Program to the Organizer. Exclusive rights to the intellectual property are alienated in full for the entire term of such rights.
  11. For the Participant to meet the Program terms, the Organizer grants the Participant a simple (non-exclusive) software license—for the entire Program period and free of charge—to the extent required and sufficient to meet the Program terms and solely for the purpose of scanning for Vulnerabilities and exploits in such software.
  12. The Organizer may change the Program terms at its own discretion.
  13. The Organizer shall not be liable for interaction between the Client and the Participant.

Responsible disclosure

  1. A Participant who has detected a Vulnerability in the course of participation in the Program other than in the Client's web services and applications shall follow the rules of responsible disclosure of information on the Vulnerability and the following requirements:
    • The Participant shall notify the legal entity that is the owner of copyright in the software and/or database incorporated into the Client's information system (hereinafter referred to as the Copyright Owner) in accordance with the Copyright Owner's vulnerability disclosure policy. If no such policy is available, the Participant shall contact the Copyright Owner via email or other available methods.
    • The Participant shall allow at least ninety (90) days for the Copyright Owner to issue a security patch. This period may be extended by agreement with the Copyright Owner.
    • The Participant shall additionally submit reminder emails to the Copyright Owner on the thirtieth (30th) and sixtieth (60th) days after the initial notification.
    • If the Copyright Owner fails to respond to the Participant within ninety (90) days, the Participant may publicly disclose the details of the detected Vulnerability at their own discretion, provided that the disclosed information would not allow other persons to exploit the Vulnerability.
    • Should the Copyright Owner issue a security patch prior to the expiry of the 90-day period, the Participant may publish the details of the detected Vulnerability immediately after the security patch is issued by the Copyright Owner, subject to the requirements set out above.
    • The Participant shall maintain confidentiality regarding the detected Vulnerability for ninety (90) days and shall not disclose such information without the Copyright Owner's permission.
  2. If the Vulnerability is detected by the Participant in the information system of the Copyright Owner that is a Client, the Participant shall notify them about the Vulnerability by submitting a Report in accordance with these Regulations. To eliminate any doubt, in this case clause 4.1 of the Regulations will not apply. The Participant may not disclose any information on the Vulnerability detected in the information system of the Client without the Client's consent to such disclosure.

Reward

  1. The Organizer shall grant the Winner a monetary reward.
  2. The reward money payable to the Winners is limited by the amounts specified on the Program page on the Platform. The Committee may decide to pay a reward exceeding the maximum amount initially payable for the Vulnerability detected.
  3. The amount of the reward money payable to the Winner depends on the Vulnerability severity, ease of its exploitation and its effect on the data of the Client's information system users. The Committee shall determine the amount of the reward money payable to the Winner.
  4. The Organizer and the Client determine the amount of the reward money on their own discretion. This amount is subject to unilateral change or cancellation by the Client or the Organizer.
  5. The reward is paid by the Organizer subject to provision of the information and documents listed in clause 6.2 of the Regulations by the Winner, no later than thirty (30) calendar days following the date of notification by the Committee of the positive assessment of the Report.
  6. The reward payment procedure is set out in section 6 of the Regulations.
  7. The reward includes taxes applicable according to the Russian legislation.
  8. The reward will not be paid to the Winner in the following cases:
    • The Participant fails to provide all the documents and information listed in section 6 of the Regulations within ninety (90) calendar days following the date of notification by the Committee of the positive assessment of the Report.
    • The Participant is not a citizen of the Russian Federation.
    • The Winner has provided the Organizer with unreliable, incomplete or deliberately false information.
    • The Participant has refused to register in the Konsol service if such registration is required by the Regulations.
    • In other cases specified in the Regulations.

Reward payment procedure

  1. If the Committee makes a decision on the reward payment to the Winner, the Organizer shall submit a payment notice to the Winner to the latter's contact email address specified in their account on the Platform.
  2. The Organizer shall pay the reward to the Winner within thirty (30) calendar days of notifying the Winner in accordance with clause 6.1 of the Regulations subject to the Winner's adherence to these rules, including the rules governing information provision and registration in the Konsol service.
  3. To receive the reward, the Winner shall:

    1. Specify the details of their status and applicable tax regime in their account on the Platform.

      If the Winner participates in the Program as an individual:

    2. The Winner shall specify the following details in their account on the Platform:

      a) Full name

      b) Date of birth

      c) Payment details: RCBIC of the beneficiary bank, the beneficiary bank, correspondent account, INN (taxpayer identification number) of the beneficiary bank, the beneficiary bank account, the beneficiary name

      d) Russian passport data: series, number, date of issue, subdivision code, issuing authority, registration address

      e) INN (taxpayer identification number)

    3. If the Winner is under eighteen (18) years of age, they shall provide the Organizer with a written consent of their legal representatives for the Winner's participation in the Program and adherence to these Regulations.

    4. The Organizer may request a scanned copy of the Winner's passport, including scanned copies of the pages with stamps confirming crossings of Russian borders.

    5. If the Organizer is unable to establish the Winner's country of tax residence due to insufficient information provided by the Winner, the Organizer may reduce the reward amount granted to the Winner by the PIT (personal income tax) amount calculated at a 30-percent rate.

    6. If the Winner acts as an individual, the Organizer shall calculate the PIT amount, deduct it from the reward amount and remit it to the Russian tax authorities.

    7. To pay the reward money to the Winner, the Organizer shall remit funds using bank details specified by the Winner on the Platform. The reward money is always subject to PIT withholding and may only be remitted to accounts opened with Russian banks. If no notification of non-receipt of the payment is received by the Organizer from the Winner within thirty (30) calendar days following the payment date, the Organizer will be deemed to have fulfilled its reward payment obligations in full.

      If the Winner participates in the Program as a self-employed individual and is a taxpayer under the special Self-Employment Tax regime (in accordance with Federal Act No. 422-FZ dated November 27, 2018):

    8. The Winner shall specify the following details in their account on the Platform:

      a) Full name

      b) Date of birth

      c) INN (taxpayer identification number)

    9. The Winner shall register in the Konsol service in accordance with clause 6.4 of the Regulations.

    10. If the Winner is a self-employed individual and a taxpayer under the special Self-Employment Tax regime, a receipt will be generated in the Konsol service on the day of receiving the reward (in accordance with Art. 14 of Federal Act No. 422-FZ dated November 27, 2018). The Winner is solely responsible for paying taxes on the reward received from the Organizer.

    11. If the Winner is a self-employed individual and was the Organizer's employee in the two (2) preceding years, the Organizer shall pay the reward to the Winner as an individual (or an individual entrepreneur if the Winner is registered as such and has provided the documents in accordance with these Regulations).

      If the Winner participates in the Program as an individual entrepreneur:

    12. The Winner shall specify the following details in their account on the Platform:

      a) Full name

      b) Date of birth

      c) INN (taxpayer identification number)

    13. The Winner shall register in the Konsol service in accordance with clause 6.4 of the Regulations.

    14. If the Winner is an individual entrepreneur, they are solely responsible for paying taxes on the reward received from the Organizer in accordance with the applicable tax regime.

  4. In cases specified in these Regulations, the Winner shall register in the Konsol service by following a link sent via their account on the Platform. This is required in order to sign payment documents and receive the reward. The registration must be completed within five (5) business days upon receiving the reward notification in accordance with clause 6.1 of the Regulations.
  5. When registering in the Konsol service, the Winner shall agree with:
  6. During registration in the Konsol service the Winner shall provide personal data (full name, passport data, information on registration, phone number, a scanned copy of an identification document) to go through an identification procedure. In addition, a photo of the Winner holding their passport must be provided in order to confirm that the personal data belongs to the particular individual whose identity has been verified and whose personal data has been uploaded to the Konsol service. In certain cases, other documents may be requested. The Winner will be informed thereof during the identification in the Konsol service.

Restrictions

  1. The Participant may use only their own account for Vulnerability testing and demonstration. Hacking and using other accounts are prohibited. The Participant may not obtain access to any third-party data.
  2. Participants that publicly disclose the Vulnerability details, including disclosure to any third parties, in violation of provisions of section 4 of the Regulations, may be banned from receiving the reward.
  3. Participants are prohibited from:
    • Physical intrusion into the Client's infrastructure (including offices and computing centers)
    • Use of social engineering methods targeted at the Client's and/or Organizer's employees
    • Attempts to access accounts, the Client's information system user data, or any other confidential information beyond the scope of actions strictly required for demonstration of the detected Vulnerability
    • Exploitation of Vulnerabilities in the Client's operating environment that may result in disruption of the Client's business or other processes (including denial-of-service attacks)
    • Penetration into internal systems of web services and applications of the Client's information systems not mentioned in the terms on the Program page
    • Intentionally downloading individuals' personal data from internal systems of web services and applications of the Client's information systems and other information resources not mentioned in the terms on the Program page
  4. The Program must be completed by hacking web portals and/or services and gaining persistence. The Participants may not further penetrate the internal systems of web services and applications of the Client's information systems.
  5. Where the Vulnerability exploitation in the Client's operating environment may result in disruption of business or other processes, the Participant shall refrain from such actions and ensure that the Report submitted by them includes all the details required to inspect the detected Vulnerability outside of the operating environment.
  6. If the Participant fails to comply with the restrictions set out in sections 4 and 7 of the Regulations, the Organizer may block their account on the Platform.

Final provisions

  1. These Regulations and all relationships associated herewith will be governed by the law of the Russian Federation.
  2. By registering on the Platform as set out in the Standoff 365 Platform Terms of Use, the Participant fully and unconditionally agrees to all Program terms, these Regulations, and the Privacy Notice.
  3. The basis for processing the Participant's personal data in relation to their participation in the Program is these Regulations and the Standoff 365 Platform Terms of Use accepted by the Participant.
  4. The Organizer may transfer the Participant's personal data to the Clients to enable the Participant's participation in the Program and to ensure payment of the reward to the Participant should they win.
  5. All disputes and disagreements arising in connection with the Program must be settled by negotiations. Disputable issues not settled by negotiations must be submitted for resolution to a competent court at the Organizer's location.

Regulation on Contests Held on the bugbounty.standoff365.com Platform valid until April 4, 2023