New web targets for the discerning hacker

As we settle into the new year, 2020 looks set to be another bumper one for bug bounties. But before launching headlong into the latest programs, it’s worth looking back at some of the highlights of 2019.

Back in October, we covered the launch of the US Department of Defense’s second ‘Hack the Army’ security bug bounty program. The challenge included more than 60 publicly accessible web assets, including *.army.mil, *.goarmy.mil, and the Arlington Cemetery website.

And the results are out, with the 52 participants reporting 146 valid vulnerabilities – the first being uncovered within four hours. The researchers scooped more than $275,000 between them, with the highest single bounty being $20,000.

Another new year, another retrospective, and as GitLab came to the end of the first year of its public bug bounty program, it’s been ruminating on the past. Since launching the program in 2014, the company has worked with 750 hackers and resolved more than 475 valid reports, handing out $1 million in bounties to hackers.

Meanwhile, Open Bug Bounty says it’s had a great year, with over 200,000 vulnerabilities reported. Hackers can take part in 657 bug bounty programs, with over 1,342 websites to test.

This year, new features should streamline communications and reduce vulnerability remediation time, and new DevSecOps vulnerability data export options are also coming soon. The platform also says it’s considering one or more partnerships, but promises it “will always remain open, community-driven and free”.

Over at Bugcrowd, congratulations are in order, with the platform announcing its program winners for the last quarter of 2019. More than 20 researchers won a Standard award for the first time, netting between $200 and $2,500. It’s also announced its top P1 researchers, who get a range of small rewards.

Moving on to this year, hackers have hit the ground running at ZDI’s Pwn2Own Miami, netting $250,000 in prizes during its inaugural ICS security contest. Highlights included a denial of service exploit against the Triangle Microworks SCADA Data Gateway by Steven Seeley and Chris Anastasio.

Looking ahead, ZDI’s Brian Gorenc said ZDI would be looking to make more of an impact on the ICS space, and was busily preparing for March’s flagship Pwn2Own live hacking event in Canada.

Finally, moving from bug bounty leaders to those starting out, Nahamsec has put together a set of resources for bounty hunter beginners.

They cover everything from the complete basics to tools, labs and testing environments, and vulnerability types. Mobile hacking gets its own section, and there’s a series of useful blog posts and talks.

January saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

0xcert – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
ZXC 500,000 ($560)

Outline:
Version 2.0 of the 0xcert blockchain framework has now been merged with the master branch, and researchers are now being invited to comb through the code for security flaws.

Notes:
The bug bounty for the 0xcert Framework had been up and running since January 2019 when the first version was publicly released. Rewards are being handed out in ZXC cryptocurrency.

Visit the latest 0xcert blog post for full program details

Curve

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$4,000

Outline:
Curve promises to simplify users’ financial lives by allowing them to connect all of their bank accounts to one card, the Curve Mastercard, via the company’s mobile app. The company’s new bug bounty program is offering rewards of up to $4,000 to researchers who discover security flaws in the platform.

Notes:
Bugs classed as ‘critical’ include vulnerabilities that could lead to sensitive data leakage or remote code execution. Also ranking high on the potential rewards list include subdomain takeover, cross-site scripting, cross-site request forgery, and authentication issues.

Visit the Curve bug bounty page at HackerOne for more info

GoodRx

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Medical prescription price comparison platform GoodRx is asking security researchers to hunt for vulnerabilities across numerous web domains, including www.goodrx.com and gold.goodrx.com. Attacks requiring man-in-the-middle or physical access to a user’s device, or any activity that may result in denial of service, are strictly out of scope.

Notes:
More than 10 million people are said to be using the GoodRx website and mobile apps each month.

Visit the GoodRx bug bounty page at HackerOne for more info

Insolar

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Insolar is a global technology company building public and private blockchain solutions on Insolar Blockchain Platform. Rewards for the company’s new bug bounty program are based on severity per the Common Vulnerability Scoring System (CVSS).

Notes:
Qualifying vulnerabilities include SQL injection, remote code execution, ‘severe’ XSS, clickjacking, and bugs that could lead to private key leakage. “Insolar looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe,” the company said.

Visit the Insolar bug bounty page at HackerOne for more info

Kubernetes

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
Unlisted (average bounty $250-$500)

Outline:
Following months of running in ‘beta’ mode, the Kubernetes bug bounty program has now gone public, with funding coming from the Cloud Native Computing Foundation (CNCF). The scope covers code from the main Kubernetes organizations on GitHub, as well as continuous integration, release, and documentation artifacts.

Notes:
“The bug bounty program has been in a private release for several months now, with invited researchers able to submit bugs and help us test the triage process,” Kubernetes Product Security Committee members Maya Kaczorowski and Tim Allclair said in a blog post. “After almost two years since the initial proposal, the program is now ready for all security researchers to contribute.”

Visit the Kubernetes bug bounty page at HackerOne for more info

LifeOmic

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$1,500

Outline:
LifeOmic offers a secure cloud service for the long-term storage of genomic information. Security vulnerability severity ratings for the company’s new bug bounty program are based on “true impact” severity rating. “The more damage you can do or data you can access, the higher the reward will be,” LifeOmic said.

Notes:
The organization has built a hacker documentation site that outlines account creation, main points of entry, the LifeOmic tech stack, and fake test data. “Let us know if you need anything added to make it easier to hack,” the company said.

Visit the LifeOmic bug bounty page at HackerOne for more info

Lime – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Bicycle and scooter hire company Lime has ramped up its rewards for critical vulnerability submissions to $5,000, compared to the previous $2,500 that was on offer.

Notes:
The rest of the company’s bug bounty program remains unchanged, with major targets including Lime’s Android and iOS rider apps, backend APIs, and web app.

Visit the Lime bug bounty page at Bugcrowd for more info

Localize

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$1,000

Outline:
Localize helps companies translate their websites and applications to different languages. The company has created a staging environment for researchers to test the platform for security bugs.

Notes:
The company’s tiered payout structure ranges from $50 for XSS bugs up to $1,000 for remote code execution flaws.

Visit the Localize bug bounty page at HackerOne for more info

OPPO

Program provider:
HackerOne

Program type:
Private bug bounty

Max reward:
Undisclosed

Outline:
Chinese phone manufacturer has inked a new partnership with HackerOne that includes the launch of a private, invite-only bug bounty program.

Notes:
As expected with a private program, few technical details have been made available. However, according to a blog post on HackerOne, the Chinese manufacturer is expected to take its program public at some point in the future.

Visit the OPPO bug bounty page at HackerOne for more info

Ping Identity

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$2,500

Outline:
Identity security firm Ping Identity has launched a new bug bounty program through HackerOne. Common vulnerabilities to look out for across all endpoints include information disclosure, exploitable TLS vulnerabilities, sensitive AWS metadata exposure, and REST API vulnerabilities.

Notes:
Hackers can fill out an online form to receive test credentials for Ping Identity’s staging environments.

Visit the Ping Identity bug bounty page at HackerOne for more info

Roblox

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Since its launch in 2005, Roblox has grown to become a leader in the gaming industry. In an effort to keep its users and community safe, the ‘imagination platform’ is asking security researchers to look for bugs impacting the *.roblox.com domain, along with the Roblox Client and Roblox Studio executables.

Notes:
Each month, more than 100 million people are drawn to the Roblox platform, which allows users to design their own 3D games and play games that are created by others.

Visit the Roblox bug bounty page at HackerOne for more info

Other bug bounty and VDP news:

  • Bug bounties crossed over into mainstream press once again this month, as CNBC offered an overview of the industry’s growth in a 12-minute video featuring Synack, Bugcrowd, and HackerOne.
  • Several organizations have launched (unpaid) vulnerability disclosure programs (VDPs) through HackerOne, including Coingaming, Nutanix, InvestNext, and Topcoder.
  • Forbes ran a profile on Ning Wang, head of Kali Linux developer and certifications company, Offensive Security. “We don’t have a headquarters,” Wang said. “No two executives are in the same city.”
  • SpecterOps team members Joe Vest and James Tubberville have published Red Team Development and Operations, a new book that’s the culmination of years of experience in the information security field. Head over to the Theatexpress blog for more details.
  • Following a brief hiatus over the 2019 holiday period, Vonage has reopened its points-only VDP through Bugcrowd.
  • HackerOne interviewed Kevin Heseler, security engineer at video games developer InnoGames. Heseler discussed how the company honored the most impactful bug bounty researcher by creating their very own avatar and including it in the Forge of Empires game.
  • A researcher named Sehno dropped a bug bounty check list for web apps on GitHub.
  • As this month’s Bug Bounty Radar hit the CMS, the BSides Ahmedabad keynote landed on YouTube. This year, prominent security researcher Frans Rosén took to the stage in the Indian city to talk bug bounties, fuzzing methodologies, and information disclosure.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


Additional reporting by Emma Woollacott.


RELATED Bug Bounty Radar // December 2019