New web targets for the discerning hacker

While August was a quiet month for those in Covid-19 lockdowns, the number of new bug bounty programs launching certainly didn’t slow down.

Among more than a dozen new or enhanced programs to land last month was a vulnerability disclosure policy (PDF) from the largest election software vendor in the US, ES&S.

With the 2016 US presidential election dogged by evidence of Russian interference and the next election coming into view, the news was announced at Black Hat USA.

No doubt to widespread surprise: the infosec community has previously been unimpressed by the unwillingness of election system developers to crowdsource their security.

The Zero-Day Initiative (ZDI), meanwhile, marked its 15th anniversary with the news that it has awarded more than $25 million in bug bounties to more than 10,000 security researchers since its foundation.

It’s been a bounteous year on Microsoft’s program too, with the software giant announcing that it’s handed out a whacking $13.7 million in bug bounties over the last 12 months.

That's more than three times the $4.4 million awarded over the previous year, with the loot split between 327 researchers. The big pot reflects the fact that the company has launched six new bug bounty programs over the last year, attracting more than 1,000 eligible reports.

There were also big payouts from Google last month for the discovery of a root privilege escalation and persistence flaw in ChromeOS – netting the researcher $45,000 – and for a bug that impacted mobile applications developed on Google’s Firebase platform, which earned the researcher more than $30,000.

And last month, we interviewed Vladimir Dubrovin, information security technical advisor at Mail.ru Group, who gave us the lowdown on its various HackerOne bug bounty programs.

Finally, news emerged that Joseph Sullivan, former CSO at Uber, was facing charges related to allegations that he tried to cover up the 2016 hack that exposed millions of users’ personal data by “funneling the payoff through a bug bounty program”.

The Department of Justice also said that “Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers refused to provide their true names”. Sullivan faces a maximum five years’ imprisonment.


The latest bug bounty programs for August 2020

August saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

US Department of State

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$10 million

Outline:
Not technically a bug bounty program, but it’s close enough given the phenomenal rewards on offer. The US government has pledged up to $10 million for information related to foreign agents looking to disrupt elections through cyber-attacks, as reported by The Daily Swig.

Notes:
The US Department of State announced that it is seeking the identification or location of any foreign adversary looking to interfere with federal, state, or local elections by aiding or abetting a violation of computer fraud and abuse laws.

Read the US DoJ statement for more info

Solana BBP

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$20,000

Outline:
The Solana blockchain protocol aims to help developers produce “mission-critical applications in a censorship-resistant, open web”. It is encouraging bug bounty hunters to seek out vulnerabilities in its GitHub repos.

Notes:
Solana is offering rewards – and $20k is not necessarily the upper limit – to researchers who can prove that they have crashed the runtime or crippled the network, breached the virtual machine sandbox, exploited accounts, tweaked or broken global inflation, changed inflation reward distribution, or stolen inflation rewards, among other capabilities.

Visit the Solana BBP bug bounty page at HackerOne for more info

Mozilla – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
Mozilla is now offering rewards for the discovery of flaws in its exploit mitigation technology, as previously reported by The Daily Swig.

Payouts of up to $10,000 are available to ethical hackers who devise mechanisms to defeat exploit mitigation and defense-in-depth measures built into the Firefox web browser.

Notes:
Exploit mitigation bugs that require privileged access now qualify for bounties too, while those that don’t will be eligible for a 50% bonus. A policy to pay out on security bugs found in the pre-release Nightly versions of Firefox, after a four-day grace period, has also been introduced.

Visit the Mozilla bug bounty page for more info

Rebellion Defense

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
Undisclosed

Outline:
Rebellion Defense builds “modern, scalable products that use artificial intelligence to analyze, secure, and transport national security and defense data”. It claims its products “quickly deliver vital information for national security missions that defend democracy, humanitarian values, and the rule of law”.

Notes:
In scope are all systems created or operated by Rebellion Defense on the internet, including not only public-facing websites but also their development, staging, and production environments.

Visit the Rebellion Defense bug bounty page at HackerOne for more info

Sophos – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
Sophos has launched time-limited rewards for XG Firewall, raising payouts for specific P1 findings up to $10,000 until further notice.

Notes:
Eligible findings are reproducible on fully patched v17.5 or v18.0 installations of XG Firewall – find out more.

Visit the Sophos bug bounty page at Bugcrowd for more info

FireEye

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$2,500

Outline:
FireEye’s bug bounty program is now public, as previously covered by The Daily Swig. The California-based security software provider will pay out between $1,500 and $2,500 for critical flaws and between $50 and $150 for low-severity vulnerabilities.

Notes:
The program is focused on the company’s core infrastructure, with third-party products out of scope along with social engineering attacks, physical security attacks, and denial-of-service attacks. However, Steven Booth, vice president and CSO, says FireEye intends to expand the program’s scope “in the coming months”.

Visit the FireEye bug bounty page at Bugcrowd for more info

BugPoC

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$4,000

Outline:
BugPoC is a platform for building and sharing proof-of-concepts for bug bounty submissions, pen test deliverables, and red team reports.

Notes:
BugPoC has included notes from a hacker about probing the BugPoC attack surface – including the front-end, HTTP, and Python PoC generators, as well as the ExploitDB importer and Burp Suite Extension.

Visit the BugPoC bug bounty page at HackerOne for more info

WestJet

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
Undisclosed

Outline:
The Canadian airline has invited researchers to probe its westjet.com and flyswoop.com domains.

Notes:
The company will initially rate and prioritize bugs according to the Bugcrowd Vulnerability Rating Taxonomy, potentially re-prioritizing depending on a flaw’s likelihood or impact.

Visit the WestJet bug bounty page at Bugcrowd for more info

Aiven

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Finnish tech company Aiven provides fully managed, immediately deployable, open source data infrastructure in public clouds, including Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

Notes:
In scope are Apache Kafka, Apache Kafka Connect, Apache Cassandra, Elasticsearch, PostgreSQL, MySQL, Redis, InfluxDB, and Grafana.

Visit the Aiven bug bounty page at HackerOne for more info

Acronis

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Acronis, which provides backup software, anti-ransomware services and cybersecurity infrastructure, has launched a wide-ranging program.

Notes:
Tier one rewards – the most lucrative bounties – are accessed on the Acronis Cyber Cloud platform through Acronis’ beta environment; tier two involves probing Acronis Cyber Backup, an on-premises backup solution; tier three covers the main domain hosting user-facing Acronis services; and the lowest tier involves all other Acronis domains and domains belonging to Acronis-owned companies.

Visit the Acronis bug bounty page at HackerOne for more info

Other bug bounty and VDP news:

  • August also saw the launch of bug bounty programs from US loan provider Affirm, bitcoin gaming brand Coingaming, Slack polling app SimplePoll, German real estate company Engel & Völkers, and B2B email finder Dropcontact. New targets were added to programs from Cloudinary, Binance, and Centrify.
  • The US Air Force has announced that it is considering adopting a “hybrid model” to give bug hunters access to its presently classified source code. It comes after Def Con 2020 attendees were shown how to hack a satellite as a part of a virtual bug bounty event co-sponsored by the Air Force.
  • Six months after the launch of the US Defense Department’s hardware bug bounty program, no one has managed to crack its systems.
  • The Australian federal government said it has never considered launching a bug bounty program to protect its assets, despite the method’s popularity with many other advanced economies.
  • The deadline to enter Google’s Capture the Flag competition ended in late August. Those who have qualified will have the chance to play for a cash prize in October.
  • One bug bounty hunter earned $6,000 from Facebook’s program after discovering that Instagram kept photos and direct messages for months after they were deleted.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


Introduction by Emma Woollacott. Additional reporting by Jessica Haworth
