New web targets for the discerning hacker

Since the start of the coronavirus outbreak, Zoom hasn’t been far from the news, thanks not only to a huge increase in use, but also a series of security concerns – from ‘zoombombing’ to a lack of end-to-end encryption.

At the beginning of April, the company responded to security fears with an announcement that it had fixed a raft of widely-publicized bugs, including two macOS flaws and a Uniform Naming Convention (UNC) network path issue. It also instigated a 90-day feature freeze in order to focus on privacy and security.

Now, the video conferencing giant has signed a deal with Luta Security, founded by Katie Moussouris, to help improve its bug bounty program.

“We’ve been working with them for a while, examining their internal process maturity for investigating and resolving bugs,” tweets Katie, who is looking for feedback from the security research community.

In other program news this month, Google has launched a Covid-19 grant fund to underwrite security research during the pandemic.

Any security researcher who has submitted at least two successful vulnerability reports during the past two years is eligible for a one-time $1,337 research grant.

Meanwhile, Mozilla is revamping its bug bounty program, raising payouts for the highest-impact security flaws found in Firefox and related projects. It’s also changed its policy on multiple reports, and will now split bounties between duplicate reporters, rather than awarding them to the first person to report a bug.

And the Ethereum 2.0 bug bounty program is up and running in earnest, in preparation for the blockchain platform’s biggest upgrade since its launch five years ago. Bounties range from $500 for small defects up to $10,000 for bugs that can break the chain.

There was a big payout for Ryan Pickren this month: $75,000 from Apple. The security researcher uncovered seven Safari bugs, including three flaws that, in combination, allowed the creation of a one-click malicious JavaScript-to-webcam access exploit. The vulnerabilities were patched in February and March.

In other news this month, we spoke with Metasploit founder HD Moore about bug bounties, computer security laws, and coronavirus.

“Bug bounties, from the perspective of a 90s hacker, are absolutely amazing,” he says. “Not only do tons of companies allow you to test their security without any pre-approval, but they actually pay for it if you find something!”

Moore is predicting an increase of endpoint security issues, including malware, ransomware, and compromised consumer networking equipment involved in data breaches as a result of the coronavirus crisis.

If researchers are feeling community-minded, they can sign up for HackerOne’s ‘Hack for Good’ sharing initiative, which allows them to donate full or partial amounts of their bounties to select charities each month.

The current recipient is the World Health Organization’s Covid-19 Solidarity Response Fund.

The announcement comes as bug bounty platforms continue to negotiate their way through the coronavirus emergency. Check out our earlier coverage to see what they’ve been up to – from tightening up their own home working practices to preparing for an influx of new customers.

The latest bug bounty programs for April 2020

April saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Alibaba

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$2,500

Outline:
Chinese e-commerce giant Alibaba has launched a new public bug bounty program, with dozens of in-scope assets and a maximum reward of $2,500 for critical vulnerabilities.

Notes:
Coupled with the launch of this bug bounty is a promotion that runs until May 31 and promises additional prizes for leading researchers in each country.

Visit the Alibaba bug bounty page at HackerOne for more info

Augur – enhanced

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$25,000

Outline:
“The Augur Bug bounty program has been appended to include bounties for finding vulnerabilities in the market creation templates,” according to a statement from the blockchain-based betting exchange platform on the revamp of its program. Bounties in this category will be paid in the amount of $25 (in REP) per vulnerability discovered.

Notes:
Both the Augur core Solidity contracts and Augur SDK are within scope of the wider Augur bug bounty program. The most critical and high-level class of bugs and vulnerabilities the firm is interested in include security flaws that can lead to loss of funds and manipulating of ‘open interest’, the escrowed contract recording system used by Augur.

Visit the Augur bug bounty page at HackerOne for more info

BitTorrent File System

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
BitTorrent File System (BTFS) is pegged as the first scalable decentralized storage system. It’s being developed by team behind the eponymous torrent client, with the newly launched bug bounty program aimed at shining light on any potential vulnerabilities in the platform.

Notes:
“BTFS looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe,” the company said.

Visit the BTFS bug bounty page at HackerOne for more info

Cybermalveillance.gouv.fr – enhanced

Program provider:
YesWeHack

Program type:
Public bug bounty

Max reward:
€1,500

Outline:
Following a successful private program that was launched in December 2019, the bug bounty program for cybermalveillance.gouv.fr, a French government cyber-support site, has been public since April 16 – something we previewed in February.

Notes:
The program’s primary objectives are preventing exfiltration of users’ data, modification of tools used by service providers and cybercrime victims, and redirection of contact requests to malicious destinations.


Visit the Cybermalveillance bug bounty page at YesWeHack for more info

Facebook – enhanced

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
~$50,000

Outline:
Facebook has made its established bug bounty program available to security researchers who ply their trade through HackerOne.

Notes:
“Facebook’s bug bounty program is giving hackers the option to receive bounty payouts via HackerOne,” HackerOne co-founder Michiel Prins explained in a Twitter update. “This gives hackers participating in one of the world’s oldest bug bounty programs access to a variety of fast and reliable payout options.”

Visit Facebook’s announcement for more information on the expansion of the program

NeoPhotonics – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$3,500

Outline:
NeoPhotonics increased its rewards as of April 14, 2020. Additionally, the company will now reward P4 findings for the first time.

Notes:
The company is a leading designer and manufacturer of optoelectronic solutions for the highest speed communications networks in telecom and data center applications.

Visit the NeoPhotonics bug bounty page at Bugcrowd for more info

NordLocker

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
NordLocker, the file encryption tool from NordVPN, is inviting hacking enthusiasts to crack an encrypted locker and win $10,000. “Only the first person to open the locker and contact the company will get the reward,” the company said.

Notes:
“We want NordLocker users to feel confident that their files are safe,” said Oliver Noble, encryption specialist at NordLocker. “We need your help to find out whether we’ve missed anything. If you crack open the locker, you’ll have our gratitude and, of course, the generous bounty.”

Visit the NordLocker bug bounty page for more info

Olvid – enhanced

Program provider:
YesWeHack

Program type:
Public bug bounty

Max reward:
€2,000

Outline:
After four months running a private bug bounty program, Olvid, a security-focused instant messaging application, has opened up to allow YesWeHack’s entire community to participate in its program. Flaws in the Android and iOS version of the app as well as Olvid’s API are within the scope of the bug bounty program. Social engineering and exploits that rely on hacks on third-party apps or devices are excluded.

Notes:
Olvid does not rely on a central directory of users, an architecture designed to offer users anonymity advantages over comparable apps such as Signal and WhatsApp.

Visit the Olvid bug bounty page at YesWeHack for more info

Riot Games – enhancedProgram provider:

HackerOne

Program type:
Public bug bounty

Max reward:
$100,000

Outline:
Video games developer Riot Games has modified its longstanding bug bounty program to include Valorant, its proprietary anti-cheat engine.

Notes:
Valorant leverages a kernel driver to combat cheaters. Security researchers are being offered a jaw-dropping $100,000 if they can break it.

Visit the Riot Games bug bounty page at HackerOne for more info

Socrata – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$2,500

Outline:
Socrata increased its bug bounty rewards as of April 24, with the cloud-based data platform now offering up to $2,500 for critical vulnerabilities.

Notes:
Focus areas for the Socrata bug bounty program include access control vulnerabilities, server-side remote code execution, SQL injection, and path traversal issues.

Visit the Socrata bug bounty page at Bugcrowd for more info

Tencent – enhanced

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$15,000

Outline:
Hackers are being encouraged to look for vulnerabilities in all the products and services of Tencent, the Chinese technology giant. The program will be externally hosted on the Tencent Security Response Centre (TSRC).

Notes:
“To expand its community of researchers and recruit global talent, Tencent is partnering HackerOne to run its Bug Bounty Program,” the organization said.

Visit the Tencent bug bounty page at HackerOne for more info

Other bug bounty news this month: