New web targets for the discerning hacker

Summer is here in the northern hemisphere, but this hasn’t interrupted the steady stream of new bug bounty programs from hitting the market.

During the teaser for its new Lockdown Mode this month, Apple said vulnerabilities in the new anti-spyware tech can be disclosed via its Security Bounty program. Rewards of up to $2 million are on offer.

Lockdown Mode, which will ship with iOS 16, iPadOS 16, and macOS Ventura, is described as “an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security”.

Australia’s Monash University has also established a new bug bounty program, which is aimed at shoring up its defenses amid a spate of cyber-attacks impacting the education sector.

Added to the mix this month are two new rewards programs for the burgeoning digital identity market, as Onfido partners with YesWeHack and India’s Aadhaar dips its toe in the water with a program of its own.

Aadhaar is world’s largest digital identity program that provides services to over 1.3 billion Indian residents. To take part in this new, private bug bounty, hackers must apply via the UIDAI website.

There’s a high bar for entry, too, as Aadhaar stipulates that “candidates should be listed in the top 100 of the bug bounty leaderboards such as HackerOne, Bugcrowd, or listed in the bounty programs conducted by reputable companies such as Microsoft, Google, Facebook, [or] Apple”.


The latest bug bounty programs for August 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Aadhaar

Program provider:
Independent

Program type:
Private

Max reward:
TBD

Outline:
In an effort to secure Aadhaar data hosted in UIDAI’s Central Identities Data Repository (CIDR), UIDAI is planning the launch of a new bug bounty program.

Notes:
Full application details can be found on the UIDAI website. The number of participants is being limited to 20, all of whom must be Indian residents.

Check out the UIDAI bug bounty bulletin (PDF) for more details

Apple – Lockdown Mode

Program provider:
Independent

Program type:
Public

Max reward:
$2 million

Outline:
Apple has established a new category within the Apple Security Bounty program to reward researchers who find Lockdown Mode bypasses and help improve its protections.

Notes:
Bounties have been doubled for qualifying findings in Lockdown Mode, up to a maximum of $2 million – one of the highest maximum payouts in the industry.

Check out our earlier coverage for more details

BKEX

Program provider:
HackenProof

Program type:
Public

Max reward:
$10,000

Outline:
BKEX is a global digital asset trading platform, featuring more than 1,200 cryptocurrencies.

Notes:
The financial service company’s new bug bounty program is replete with a range of in-scope web attack vectors, including remote code execution (RCE), SQL injection vulnerabilities, file inclusion and access control issues, server-side request forgery (SSRF), cross-site request forgery (CSRF), cross-site scripting (XSS), and directory traversal.

Check out the BKEX bug bounty page for more details

ClickHouse

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time. The main focus of the public program is the open source version of the ClickHouse platform.

Notes:
“No technology is perfect, and ClickHouse believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology,” the company said. “We are excited for you to participate as a security researcher to help us identify vulnerabilities in our open source assets.”

Check out the ClickHouse bug bounty page for more details

Monash University

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
Monash University in Melbourne, Australia, has launched a public bug bounty program to help maintain the security of its digital platforms.

Notes:
In-scope targets include the main Monash University web domain and mobile apps, along with various technologies that are used by the institution, including its VPN and FileShare instances.

Check out our earlier coverage for more details

Onfido

Program provider:
YesWeHack

Program type:
Private

Max reward:
TBD

Outline:
Digital identity verification company Onfido has launched a new bug bounty program, in partnership with European vulnerability disclosure platform YesWeHack.

Notes:
Commenting on the partnership, Alex Valle, chief product officer at Onfido, said: “Security and compliance are essential to our mission of creating a more open world, where identity is the key to online access, and we are always looking for ways to strengthen this.”

Check out our earlier coverage for more details

SideFX

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
Canada-based SideFX is the developer of Houdini, a 3D animation software application used in film, television, advertising, and video games.

Notes:
Only vulnerabilities discovered in the company’s main web domain, sidefx.com, are applicable under the terms of this new bug bounty program.

Check out the SideFX bug bounty page for more details

ZBWeb

Program provider:
HackenProof

Program type:
Public

Max reward:
$5,000

Outline:
Founded in 2013, ZB.com is a worldwide digital trading platform, facilitating the exchange and management of digital assets from all corners of the globe.

Notes:
In-scope web vulnerabilities include business logic issues, payment manipulation, RCE, SQL injection, access control issues, SSRF, CSRF, XSS, and other vulnerabilities with a “clear potential loss”.

Check out the ZBWeb bug bounty page for more details


Other bug bounty and VDP news this month

  • HackerOne has disclosed details of an incident involving a former employee who was accused of accessing internal data for personal financial gain.
  • Go Daddy, Trellix, and Fidelity have launched (unpaid) vulnerability disclosure programs (VDPs).
  • Advertising platform developer and social media company Meta has released its inaugural ‘Bug Bulletin’, which includes details of some of the notable finds identified in its own, and in third-party, code.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for July 2022