New web targets for the discerning hacker

This month, we asked security pros what they thought about China’s new vulnerability disclosure law, which requires researchers to hand over information on vulnerabilities, including zero-days, to the authorities.

Frank Downs, director of proactive services at BlueVoyant, suggested that Chinese researchers were likely to tread much more carefully, while Joseph Carson, chief security scientist at ThycoticCentrify, said it could impact companies doing development work within China.

Other observers have suggested that the rules could limit legitimate security research and allow the Chinese military and intelligence agencies to “stockpile” vulnerabilities for future use.

In bug bounty program news, Yearn Finance, the decentralized finance protocol, has launched a bug bounty program promising payouts of between $20,000 and $200,000 for critical vulnerabilities.

Meanwhile, loyalty management tech firm Antavo has set up a bug bounty program on European crowdsourced security platform Hacktify, offering up to €240 ($283) for qualifying security flaws.

See below for more information on these two new programs and more.

At the other end of the coordinated disclosure process, Microsoft says its own bug bounty program has awarded a whacking $13.6 million to security researchers over the past 12 months.

The biggest payout was $200,000, for the discovery of vulnerabilities in the company's Hyper-V technology, with the average around $10,000.

And there was a big reward for newbie security researcher Augusto Zanellato, who netted $50,000 after discovering a GitHub access token that gave access to Shopify repos.

Finally, we spoke to Estonian infosec expert Oliver Sild about his new platform Patchstack. Aimed at securing WordPress plugins and the sites they run on, the platform has been inspired by the bug bounty business model, according to Sild.

“What we’ve built is a gamification-based bug hunting platform, where researchers can find vulnerabilities in whatever WordPress plugin they choose,” he says. “Each month we have a prize pool, which has just started paying out.”


The latest bug bounty programs for August 2021

The past month saw the arrival of just a few new bug bounty programs. Here’s a list of the latest entries:

Antavo

Program provider:
Hacktify

Program type:
Public bug bounty

Max reward:
€240

Outline:
Ethical hackers can receive payouts up to €240 ($283) for qualifying security flaws found in Antavo’s flagship loyalty management application.

Notes:
Antavo, which counts BMW, PepsiCo, and AB InBev among its clients, told The Daily Swig it had already received three submissions for critical vulnerabilities, as well as one low-severity bug.

Check out our earlier coverage for more details

Bullish

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$12,000

Outline:
Bullish.com is being marketed as a “new breed” of cryptocurrency exchange that’s currently in the pilot phase. Ahead of its full launch, the team is asking security pros to test the platform for flaws.

Notes:
The primary target for this engagement is bullish.com, although the company is interested in vulnerabilities related to any of its services that are “clearly and demonstrably related to Bullish assets”.

Visit the Bullish bug bounty page at Bugcrowd for more info

Diia (Ukraine)

Program provider:
Bugcrowd

Program type:
Private bug bounty

Max reward:
$4,500

Outline:
diia.gov.ua is the Ukrainian government’s ‘one-stop’ web-portal and mobile application for digital public services.

Notes:
Currently, only Ukraine-based security researchers can take part in this government-led program.

Visit the Diia bug bounty page at Bugcrowd for more info

Huobi

Program provider:
HackenProof

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
The second of this month’s crypto-exchange targets, the Huobi bug bounty program is promising to pay out up to $10,000 for critical vulnerabilities in the organization’s iOS, Android, macOS, or Windows apps.

Notes:
Huobi says it’s particularly interested in researchers unearthing the following classes of bug: business logic issues, payment manipulation, remote code execution, SQL injection, access control issues, and server-side request forgery (SSRF).

Visit the Huobi bug bounty page at HackenProof for more info

Stripe

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Digital payments giant Stripe has launched a new bug bounty program focusing on Stripe Connect and api.stripe.com.

Notes:
The financial services company has published a long list of out-of-scope targets, so researchers would be wise to take a close look at the rules of engagement before they dive in.

Visit the Stripe bug bounty page at HackerOne for more info

Yearn Finance

Program provider:
Immunefi

Program type:
Public bug bounty

Max reward:
$200,000

Outline:
Ethical hackers are invited to find bugs in Yearn Finance’s web domains, applications, and smart contracts, primarily to protect users from hacks that potentially result in the theft of funds.

Notes:
Live since July 1, the program will pay out between $20,000 and $200,000 for critical vulnerabilities and up to $20,000 for high severity flaws.

Check out our earlier coverage for more details


Other bug bounty and VDP news this month

  • The US Cybersecurity and Infrastructure Security Agency (CISA) has selected Bugcrowd and EnDyna to launch its first federal vulnerability disclosure policy (VDP) platform. Twelve agencies are already taking part, with more set to follow suit.
  • Bug bounty hunter Douglas Day takes a closer look at how sliding bounty scales may help reduce disappointment among researchers during coordinated disclosure.
  • Ethical hacking platform YesWeHack has raised €16 million ($19 million) in its latest round of funding. The cash injection will be used to help accelerate the bug bounty company’s international growth strategy.
  • Developers of the Abu Dhabi government’s online services app have come up with a new way of discovering bugs. A new feature allows users to immediately report software flaws simply by shaking their smartphone.
  • HackerOne has compiled a list of API hacking tools that leverage the bug bounty platform’s own API.
  • In a blog post that gained a fair amount of traction online, researcher Shubham Shah offered a hacker’s perspective on the bug bounty triage process.
  • Home Bargains, AIG, and the United States Postal Service have launched (unpaid) VDPs on HackerOne.

Additional reporting by James Walker.
