New web targets for the discerning hacker
Summer is here in the northern hemisphere, but this hasn’t interrupted the steady stream of new bug bounty programs from hitting the market.
During the teaser for its new Lockdown Mode this month, Apple said vulnerabilities in the new anti-spyware tech can be disclosed via its Security Bounty program. Rewards of up to $2 million are on offer.
Lockdown Mode, which will ship with iOS 16, iPadOS 16, and macOS Ventura, is described as “an extreme, optional protection for the very small number of users who face grave, targeted threats to their digital security”.
Australia’s Monash University has also established a new bug bounty program, which is aimed at shoring up its defenses amid a spate of cyber-attacks impacting the education sector.
Added to the mix this month are two new rewards programs for the burgeoning digital identity market, as Onfido partners with YesWeHack and India’s Aadhaar dips its toe in the water with a program of its own.
Aadhaar is world’s largest digital identity program that provides services to over 1.3 billion Indian residents. To take part in this new, private bug bounty, hackers must apply via the UIDAI website.
There’s a high bar for entry, too, as Aadhaar stipulates that “candidates should be listed in the top 100 of the bug bounty leaderboards such as HackerOne, Bugcrowd, or listed in the bounty programs conducted by reputable companies such as Microsoft, Google, Facebook, [or] Apple”.
The latest bug bounty programs for August 2022
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Aadhaar
Program provider:
Independent
Program type:
Private
Max reward:
TBD
Outline:
In an effort to secure Aadhaar data hosted in UIDAI’s Central Identities Data Repository (CIDR), UIDAI is planning the launch of a new bug bounty program.
Notes:
Full application details can be found on the UIDAI website. The number of participants is being limited to 20, all of whom must be Indian residents.
Check out the UIDAI bug bounty bulletin (PDF) for more details
Apple – Lockdown Mode
Program provider:
Independent
Program type:
Public
Max reward:
$2 million
Outline:
Apple has established a new category within the Apple Security Bounty program to reward researchers who find Lockdown Mode bypasses and help improve its protections.
Notes:
Bounties have been doubled for qualifying findings in Lockdown Mode, up to a maximum of $2 million – one of the highest maximum payouts in the industry.
Check out our earlier coverage for more details
BKEX
Program provider:
HackenProof
Program type:
Public
Max reward:
$10,000
Outline:
BKEX is a global digital asset trading platform, featuring more than 1,200 cryptocurrencies.
Notes:
The financial service company’s new bug bounty program is replete with a range of in-scope web attack vectors, including remote code execution (RCE), SQL injection vulnerabilities, file inclusion and access control issues, server-side request forgery (SSRF), cross-site request forgery (CSRF), cross-site scripting (XSS), and directory traversal.
Check out the BKEX bug bounty page for more details
ClickHouse
Program provider:
Bugcrowd
Program type:
Public
Max reward:
$2,500
Outline:
ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time. The main focus of the public program is the open source version of the ClickHouse platform.
Notes:
“No technology is perfect, and ClickHouse believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology,” the company said. “We are excited for you to participate as a security researcher to help us identify vulnerabilities in our open source assets.”
Check out the ClickHouse bug bounty page for more details
Monash University
Program provider:
Bugcrowd
Program type:
Public
Max reward:
$2,500
Outline:
Monash University in Melbourne, Australia, has launched a public bug bounty program to help maintain the security of its digital platforms.
Notes:
In-scope targets include the main Monash University web domain and mobile apps, along with various technologies that are used by the institution, including its VPN and FileShare instances.
Check out our earlier coverage for more details
Onfido
Program provider:
YesWeHack
Program type:
Private
Max reward:
TBD
Outline:
Digital identity verification company Onfido has launched a new bug bounty program, in partnership with European vulnerability disclosure platform YesWeHack.
Notes:
Commenting on the partnership, Alex Valle, chief product officer at Onfido, said: “Security and compliance are essential to our mission of creating a more open world, where identity is the key to online access, and we are always looking for ways to strengthen this.”
Check out our earlier coverage for more details
SideFX
Program provider:
HackerOne
Program type:
Public
Max reward:
$3,000
Outline:
Canada-based SideFX is the developer of Houdini, a 3D animation software application used in film, television, advertising, and video games.
Notes:
Only vulnerabilities discovered in the company’s main web domain, sidefx.com, are applicable under the terms of this new bug bounty program.
Check out the SideFX bug bounty page for more details
ZBWeb
Program provider:
HackenProof
Program type:
Public
Max reward:
$5,000
Outline:
Founded in 2013, ZB.com is a worldwide digital trading platform, facilitating the exchange and management of digital assets from all corners of the globe.
Notes:
In-scope web vulnerabilities include business logic issues, payment manipulation, RCE, SQL injection, access control issues, SSRF, CSRF, XSS, and other vulnerabilities with a “clear potential loss”.
Check out the ZBWeb bug bounty page for more details
Other bug bounty and VDP news this month
- HackerOne has disclosed details of an incident involving a former employee who was accused of accessing internal data for personal financial gain.
- Go Daddy, Trellix, and Fidelity have launched (unpaid) vulnerability disclosure programs (VDPs).
- Advertising platform developer and social media company Meta has released its inaugural ‘Bug Bulletin’, which includes details of some of the notable finds identified in its own, and in third-party, code.
PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for July 2022