New web targets for the discerning hacker

It’s been a busy month for bug bounties, with the US Department of Defense (DoD) announcing the launch of the second ‘Hack the Army’ challenge.

Launched in partnership with the Defense Digital Service and HackerOne, the invite-only, four-week program invites hackers to discover and disclose vulnerabilities in more than 60 publicly accessible DoD web assets.

The first Hack the Army challenge in November 2017 resulted in the discovery of 118 unique and valid vulnerabilities and $100,000 being awarded in monetary rewards.

From military assets to election security, Microsoft has launched a bug bounty program for its previously announced ElectionGuard software development kit (SDK).

First unveiled in May, ElectionGuard is free and open source software that’s designed to make voting more secure and transparent. Rewards of up to $15,000 are available to researchers who discover vulnerabilities in the SDK.

Elsewhere, the organizers of the Pwn2Own hacking contest have unveiled a new event that places industrial control systems in the firing line for the first time.

Trend Micro’s Zero Day Initiative said the third Pwn2Own competition will take place at the S4 industrial security conference in Miami South Beach on January 21-23, joining the organization’s established live hacking events in Canada and Japan.

In payout news, security researcher lucash-dev has been handed a $50,000 bug bounty for discovering a critical vulnerability in cryptocurrency firm MakerDAO’s planned Multi-Collateral Dai (MCD) upgrade.

The bug could have allowed an attacker to steal collateral stored in the new MCD system, possibly within a single transaction.

Staying in the blockchain, the DDEX team awarded $10,000 to researcher samczsun, who notified the crypto-exchange of a potential vulnerability on a contract used to beta-test margin and lending functionality.

In other news this month, The Daily Swig’s Catherine Chapman sat down with Rodolphe Harand, manager at YesWeHack, to discuss the ongoing growth of bug bounties in Europe.

“The idea is to be a European alternative to the US bug bounty platforms,” said Harand.

“If you are a company you already have most of your IT in US hands: cloud services, providers, all those as-a-service providers, so it would be nice, at least, that the security of this environment maintains some form of balance.”


October saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

Aelf Enterprise – temporary program

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
Unlimited token payouts

Outline:
Aelf is pegged as a decentralized cloud computing blockchain network. Running until November 5, this program rewards the discovery of security bugs found in the Aelf mainchain and applications running on the platform, such as wallets or explorers.

Notes:
The Singapore-based company is auditing its latest blockchain before full launch. Per-bug rewards of up to $1,500 are split into four tiers – major, moderate, general, and Aelf external application – depending on factors such as risk, vulnerability impact, likelihood of exploitation, and quality of report.

Check out Aelf’s bug bounty announcement page for more info

Auth0

Program provider:
Bugcrowd

Program type:
Private bug bounty

Max reward:
Undisclosed

Outline:
Identity-as-a-Service (IDaaS) provider Auth0 is expanding its responsible disclosure program, appointing Bugcrowd to find 25 researchers with the right skillset, with more to be invited later.

Notes:
“Our security program is maturing rapidly, and the launch of this bug bounty program reinforces our dedication to our customers and the highest level of security we offer them,” said Joan Pepin, CISO and VP of operations at Auth0, which authenticates more than 2.5 billion logins for web, mobile, IoT, and internal applications every month.

Check out the bug bounty announcement page at Bugcrowd for more info

Microsoft – ElectionGuard

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$15,000

Outline:
Microsoft has launched a bug bounty program for its previously announced ElectionGuard software development kit (SDK). First unveiled in May, ElectionGuard is free and open source software that’s designed to make voting more secure and transparent. Rewards of up to $15,000 are available to researchers who discover vulnerabilities in the SDK.

Notes:
“The ElectionGuard bounty program invites security researchers to partner with Microsoft to secure ElectionGuard users, and is a part of Microsoft’s broader commitment to preserving and protecting electoral processes under the Defending Democracy Program,” said the Microsoft Security Response Center.

Visit the Microsoft ElectionGuard bug bounty page for more info

Facebook (enhanced)

Program provider:
Independent

Program type:
Public bug bounty

Minimum reward:
$500

Outline:
Facebook is expanding the reach of several bug bounty programs, with rare vulnerabilities landing bonus payouts, plus more opportunities for reporting flaws in third-party apps. “This change significantly increases the scope of the security research that our bug bounty community can share with us and get rewarded for,” said Dan Gurfinkel, head of Facebook’s bug bounty program.

Notes:
Researchers can only probe third-party apps for vulnerabilities with the blessing of their developers. Facebook has suffered considerable reputational damage from the data protection-flouting activities of third parties, most notably Cambridge Analytica.

The social network has raised the bounty for hard-to-find native code bugs, while a verified zero-click flaw report for Facebook Messenger on iOS will secure researchers the full bug bounty and a $15,000 bonus.

Visit the Facebook bug bounty page for more info

FaceTec – ZoOm biometric authentication

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$30,000

Outline:
Bounties for breaching FaceTec’s ZoOm 3D face authentication system will be awarded for success across three categories. According to FaceTech, ZoOm is the only biometric authentication system with level one and two certifications for iBeta’s Presentation Attack Detection evaluation.

Notes:
A level one breach, which entails the use of hi-resolution photos and amp-video to spoof the biometric authentication system, will net $15,000; level two, related to latex and silicone masks, adds another $10,000; and level three, entailing 3D masks and sculptures, delivers a final bonus of $5,000.

ZoOm-protected cryptocurrency wallet ZenGo launched a bug bounty program in July. The bounty went unclaimed.

Check out FaceTec’s bug bounty press release for more info

Nervos

Program provider:
Independent

Program type:
Public bug bounty

Reward prize pot:
$1 million

Outline:
Nervos, an open source public blockchain ecosystem, is being audited in advance of its mainnet launch – with an initial rewards pot of $1 million earmarked.

Notes:
The program includes, among other things, protocols like cell, consensus, and economic models, P2P protocols and PoW algorithms; the security and integrity of protocol implementation; cryptographic primitives; and account management flaws.

Since the launch of Nervos testnet in May, the team has “made every effort to eliminate bugs, but there is always the chance we may have missed one”.

Visit the Nervos bug bounty page for more info

Relativity

Program provider:
Independent

Program type:
Private bug bounty

Max reward:
$3,000

Outline:
Launched as part of a campaign to secure its code and platform, legal software firm Relativity is inviting researchers to find vulnerabilities in its latest version of its SaaS case-management software, RelativityOne. About 700 documents of test data will be subject to evaluation.

Notes:
With customers including Tesla, EA, and BSI, Relativity’s case management solutions help corporations, governments, and law firms manage litigation, investigations, and FOIA requests.

Visit Relativity’s bug bounty press release for more info

Other bug bounty and VDP news:

  • Cybersecurity policy specialist Amit Elazari took to Twitter to post what’s believed to be the first empirical analysis of private bug bounties. The full dissertation is available on the Stanford Digital Repository.
  • Bugcrowd hosted LevelUp 0x05, its fifth virtual security conference, on October 5. The sessions can still be accessed online.
  • Chinese hacking team A*0*E took the top spot at the recent HITCON capture-the-flag qualifiers. The finals take place on December 14-15, with the winning team set to scoop a $10,000 cash prize.
  • Offensive security engineer Adam Toscher published a guide to hardware penetration testing for red teams
  • Crypto-exchange KuCoin has joined SlowMist Zone, the blockchain VDP. The program is offering up to $10,000 worth of KuCoin KCS tokens and 512 SlowMist tokens.
  • Application security engineer Kamil Vavra has published a guide to understanding the full potential of sqlmap during bug bounty hunting.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


Additional reporting by Adam Bannister.


RELATED Bug Bounty Radar // September 2019