Program Regulations on the Standoff 365 Bug Bounty Platform
These regulations on programs on the bugbounty.standoff365.com platform ("Regulations") govern the procedure of arrangement and implementation of such programs.
Terms and definitions
| Term | Definition |
| --- | --- |
| Client | A legal entity having placed a request to arrange a Program. |
| Organizer | Joint-Stock Company Positivnye Technologii, OGRN 1127746201087, registered address: 8 Preobrazhenskaya Square, office 60, Moscow, 107061, Russian Federation. |
| Report | An electronic record provided by the Participant to the Organizer by completing a form in the personal account on the Platform. It contains the conclusions and description of the completed Program assignment. |
| Platform | A website at bugbounty.standoff365.com |
| Winner | A Program Participant in respect of whom a decision to pay a reward has been made. |
| Program | A program for searching for vulnerabilities in the Client's Product, hosted on the Platform. |
| Product | An information system, web service, application, software, or another product owned by the Client or in respect to which the Client has all necessary rights to participate in the Program. The Product is tested by the Participants during the Program. |
| Participant | A legally capable individual who has reached 18 (eighteen), or 14 (fourteen) and has provided written consent of their legal guardians for participation in the Program, who acts on their own behalf and is willing to participate in a Program. Persons involved in organizing and running a Program, members of their families, or developers of the code analyzed during the Program cannot participate in the Program. Self-employed individuals who are taxpayers under a special tax regime (in accordance with Federal Law No. 422-FZ dated November 27, 2018 "On an Experiment on Establishing the Special 'Self-Employment Tax' Regime") or individual entrepreneurs may participate in the Program. |
| Vulnerability | A technical flaw in the Client's Product that can be exploited by attackers to disrupt the Product's normal operation, integrity, availability, confidentiality, and/or trigger a non-tolerable event. A non-tolerable event is an event that occurred as a result of a cyberattack, which prevents an organization from achieving its operational and/or strategic goals or leads to significant disruption of its core activities. |
Program Organizer
- The Organizer shall post every Program on the Platform at the Client's request in line with the requirements and conditions defined by the Client. These requirements and conditions are posted by the Organizer on the Program page on the Platform.
- Each Client may have several Programs posted on the Platform at the same time.
General participation requirements
- To participate in the Program, the Participant shall register on the Platform as set forth in the Standoff 365 Platform Terms of Use.
- The Participant shall submit the Report via their personal account on the Platform, in accordance with the Program's terms. The Report must contain the name and description of the Vulnerability. It may also contain the following information:
- Severity level of Vulnerability (not applicable for non-tolerable events);
- CVE (Common Vulnerabilities and Exposures) ID in the CVE-year-number format with a description of the Vulnerability and several public links containing its description;
- CWE (Common Weakness Enumeration) which is the general list of security flaws (weaknesses);
- Any attached files.
- Only Program Participants who have met the Program terms and reported previously unknown Vulnerabilities found in the Client's Product can become Winners. A Report containing information on the Vulnerability already known to the Client may be assigned the Duplicate status in the following cases:
- Another Program Participant has submitted a similar Report earlier (even if the Reports describe different vectors of exploiting the same Vulnerability).
- The Report describes a Vulnerability that was previously known to the Client's employees or contractors, which was clearly indicated (for example, by making a record in the bug tracking system).
- The Report describes a zero-day or one-day Vulnerability that the Client has learned about from public sources prior to the Report submission by the Participant.
- The results of the Report verification will be announced throughout the entire Program period. The Report shall be assessed within 90 (ninety) days of the date it was posted by the Participant on the Platform.
- The assignment description, criteria and procedure of assessing the Vulnerability search results, the Program period, and the deadlines for submitting the Vulnerability scan results, the amount and form of the reward that may be granted to the Participant will be specified on the Program page on the Platform.
- The Organizer shall post the lists of Winners on the Platform.
- The Winner does not object to the use of the Report and the information contained therein, without any restrictions, by the Organizer, the Client, or persons authorized by the Client, once the Report is uploaded to the Platform.
- The Organizer retains the right to change the Program terms at its own discretion.
- The Organizer shall not be liable for interaction between the Client and the Participant.
Responsible disclosure
- A Participant who has detected a Vulnerability in the course of the Program other than in the Client's Product shall follow the rules of responsible disclosure of information on the Vulnerability and the following requirements:
- The Participant shall notify the legal entity that is the rights holder of the software and/or database incorporated into the Client's information system ("Rights Holder") in accordance with the Rights Holder's vulnerability disclosure policy. If no such policy is available, the Participant shall contact the Rights Holder via email or other available methods.
- The Participant shall allow at least 90 (ninety) days for the Rights Holder to issue a security patch to fix the Vulnerability. This period may be extended by agreement with the Rights Holder.
- The Participant shall additionally submit reminder emails to the Rights Holder on the 30th (thirtieth) and 60th (sixtieth) days after the initial notification.
- If the Rights Holder fails to respond to the Participant within 90 (ninety) days, the Participant may publicly disclose the details of the detected Vulnerability at their own discretion, provided that the disclosed information would not allow other persons to exploit the Vulnerability.
- Should the Rights Holder issue a security patch to fix the Vulnerability prior to the expiry of the 90-day period, the Participant may publish the details of the detected Vulnerability immediately after the security patch is issued by the Rights Holder, subject to the requirements set out above.
- The Participant shall maintain confidentiality regarding the detected Vulnerability for 90 (ninety) days and shall not disclose such information without the Rights Holder's permission.
- If the Vulnerability is detected by the Participant in the information system of the Rights Holder who is also a Client, the Participant shall notify about the Vulnerability by submitting a Report in accordance with these Regulations. To eliminate any doubt, in this case clause 4.1 of the Regulations will not apply. The Participant shall not disclose any information on the Vulnerability detected in the information system of the Client without the Client's consent to such disclosure.
Reward
- The Organizer shall grant the Winner a monetary reward.
- The reward money payable to the Winners is limited by the amounts specified on the Program page on the Platform. The Client and the Organizer determine the amount of the reward money at their own discretion. This amount is subject to unilateral change or cancellation by the Client or the Organizer. The Client and the Organizer are entitled to decide to pay a reward exceeding the maximum amount initially payable for the Vulnerability detected.
- The amount of the reward money payable to the Winner depends on the Vulnerability severity, ease of its exploitation, and its effect on the data of the Client's Product users.
- The reward is paid by the Organizer subject to provision by the Winner of the information and documents listed in clause 6 of the Regulations, no later than 30 (thirty) calendar days following the date of the positive assessment of the Report.
- The reward payment procedure is set out in section 6 of the Regulations.
- The reward includes taxes applicable according to the Russian legislation.
- The reward will not be paid to the Winner in the following cases:
- The Winner fails to provide all the documents and information listed in section 6 of the Regulations within 90 (ninety) calendar days following the date of notification by the Organizer of the positive assessment of the Report;
- The Winner has provided the Organizer with unreliable, incomplete, or deliberately false information;
- The Participant has refused to register in the Console (Konsol) service if such registration is required by the Regulations; or
- In other cases specified in the Regulations.
- A Participant should use only their own account to receive a reward. A Participant is prohibited from providing access to their account to any third parties, as well as from providing payment details of any third parties to receive a reward. Should the Organizer suspect that the Participant has not complied with the provisions of this clause 5.8, the Organizer will be entitled to refuse to pay the reward to the Participant and/or block such Participant's account on the Platform.
Reward payment procedure
- If a decision on the reward payment to the Winner has been made, the Organizer shall submit a payment notice to the Winner to the latter's contact email address specified in their account on the Platform.
- The Organizer shall pay the reward to the Winner within 30 (thirty) calendar days of notifying the Winner in accordance with clause 6.1, provided that the Winner complies with the terms and conditions of these Regulations.
- The payment method is determined by the Organizer. If the Organizer decides to use a payment service to pay the reward, the Winner shall register with the service and provide all the necessary information in accordance with the rules of that service. If no notification of non-receipt of the payment is received by the Organizer from the Winner within 30 (thirty) calendar days following the payment date, the Organizer will be deemed to have fulfilled its reward payment obligations in full.
- If the Winner is under 18 (eighteen) years of age, they shall provide the Organizer with written consent of their legal guardians for the Winner's participation in the Program and compliance with these Regulations.
- The Organizer may request a scanned copy of the Winner's passport, including scanned copies of the pages with stamps confirming crossings of Russian borders.
- The procedure and all other necessary information required for a Winner who is not a Russian citizen to receive a reward will be posted in the Participant's account on the Platform.
- If the Winner participates in the Program as a self-employed individual and is a taxpayer under the special Self-Employment Tax regime (in accordance with Federal Law No. 422-FZ dated November 27, 2018):
  - The Winner shall specify the following details in their account on the Platform: a) Full name; b) Date of birth; c) INN (taxpayer identification number).
  - The Winner shall register in the Konsol service in accordance with clause 6.9 of the Regulations.
  - If the Winner is a self-employed individual and a taxpayer under the special Self-Employment Tax regime, a receipt will be generated in the Konsol service on the day of receiving the reward (in accordance with Article 14 of Federal Law No. 422-FZ dated November 27, 2018). The Winner is solely responsible for paying taxes on the reward received from the Organizer.
  - If the Winner is a self-employed individual and was the Organizer's employee at any time in the 2 (two) preceding years, the Organizer can only pay the reward to the Winner if the Winner is registered as an individual entrepreneur and has provided the documents in accordance with these Regulations.
- If the Winner participates in the Program as an individual entrepreneur:
  - The Winner shall specify the following details in their account on the Platform: a) Full name; b) Date of birth; c) INN (taxpayer identification number).
  - The Winner shall register in the Konsol service in accordance with clause 6.9 of the Regulations.
  - If the Winner is an individual entrepreneur, they are solely responsible for paying taxes on the reward received from the Organizer in accordance with the applicable tax regime.
- In cases specified in these Regulations, the Winner shall register in the Konsol service by following a link sent via their account on the Platform. This is required in order to sign payment documents and receive the reward. The registration must be completed within 5 (five) business days upon receiving the reward notification in accordance with clause 6.1 of the Regulations.
- When registering in the Konsol service, the Winner shall agree with:
- User agreement located at: konsol.pro/agreement;
- Personal data provision terms located at: konsol.pro/policy.
- During registration in the Konsol service, the Winner shall provide personal data (full name, passport data, information on registration, phone number, a scanned copy of an identification document) to go through the identification procedure. In addition, a photo of the Winner holding their passport must be provided in order to confirm that the personal data belongs to the particular individual whose identity has been verified and whose personal data has been uploaded to the Konsol service. In certain cases, other documents may be requested. The Winner will be informed thereof during the identification in the Konsol service.
Constraints
- The Participant must use only their own account for Vulnerability testing and demonstration. Hacking and using other accounts are prohibited. The Participant is prohibited from accessing any third-party data.
- Participants that publicly disclose the Vulnerability details, including disclosure to any third parties, in violation of provisions of section 4 of the Regulations, may be banned from receiving the reward.
- Participants are prohibited from:
- Physical intrusion into the Client's infrastructure (including offices and computing centers);
- Use of social engineering methods targeted at the Client's and/or Organizer's employees;
- Attempts to access accounts, the Client's information system user data, or any other confidential information beyond the scope of actions strictly required for demonstration of the detected Vulnerability;
- Exploitation of Vulnerabilities in the Client's operating environment that may result in disruption of the Client's business or other processes (including denial-of-service attacks);
- Penetration into internal systems of web services and applications of the Client's information systems not mentioned in the terms on the Program page;
- Intentionally downloading individuals' personal data from internal systems of web services and applications of the Client's information systems and other information resources not mentioned in the terms on the Program page.
- The Program must be completed by hacking web portals and/or services and gaining persistence. The Participant should not further penetrate the internal systems of the Client's Product.
- Where the Vulnerability exploitation in the Client's operating environment may result in disruption of business or other processes, the Participant shall refrain from such actions and ensure that the Report submitted by them includes all the details required to inspect the detected Vulnerability outside of the operating environment.
- If the Participant fails to comply with the restrictions set out in sections 4 and 7 of the Regulations, the Organizer may block their account on the Platform.
Final provisions
- These Regulations and all related matters shall be governed by the law of the Russian Federation.
- By registering on the Platform as set out in the Standoff 365 Platform Terms of Use, the Participant fully and unconditionally agrees to all Program terms, these Regulations, and the Privacy Policy.
- These Regulations are subject to unilateral change by the Organizer at any time. The new version of these Regulations comes into force at the moment of its posting at standoff365.com/en-US/regulation-on-contests, unless otherwise provided by the new version of the Regulations. The Platform users are deemed to have been duly notified of the changes from the moment of posting the new version of the Regulations at standoff365.com/en-US/regulation-on-contests.
- By registering on the Platform, the Platform users confirm that they shall keep up with the changes in the Regulations' terms; the use of the Platform after the changes have been made to the Regulations shall mean the user consents to such changes.
- The basis for processing the Participant's personal data in relation to their participation in the Program is these Regulations and the Standoff 365 Platform Terms of Use accepted by the Participant.
- The Organizer is entitled to transfer the Participant's personal data to the Clients to enable the Participant's participation in the Program and to ensure payment of the reward to the Winner.
- All disputes and controversies arising out of or in connection with this Program shall be settled by negotiations. Disputable issues not settled by negotiations shall be referred for resolution to a competent court at the Organizer's location.
Previous versions of the Program Regulations on the Standoff 365 Bug Bounty Platform:
- Program Regulations on the Standoff 365 Bug Bounty Platform effective until February 12, 2025
- Program Regulations on the Standoff 365 Bug Bounty Platform effective until March 14, 2024
- Program Regulations on the Standoff 365 Bug Bounty Platform effective until December 21, 2023
- Program Regulations on the Standoff 365 Bug Bounty Platform effective until April 4, 2023