New web targets for the discerning hacker

Best (and worst) practices for vulnerability disclosure were under the spotlight this month via an event held by Microsoft and a damning new report exploring the consumer IoT ecosystem.

During a virtual panel debate, security experts offered praise, advice, and constructive criticism around how the Microsoft Security Response Center (MSRC) and security researchers handle vulnerability reports.

Dr Nestori Syynimaa, senior principal security researcher at Secureworks, advised his peers that persistence sometimes pays off, recalling one instance where an initially rejected report eventually netted him $20,000 after he persuaded MSRC to take a second look into the issue.

And Prevailion CTO Nate Warfield, an ex-MSRC staffer, cast Microsoft’s sometimes unhurried patching process in a sympathetic light: “You’re talking about an ecosystem that’s measured in billions of desktops and servers, so if something goes wrong, the entire world is impacted,” he said.

Pwn2Own Austin 2021 yielded several lucrative “CVSS 10-level bugs” (critical vulnerabilities) according to Brian Gorenc, who heads up Trend Micro’s Zero Day Initiative (ZDI), organizer of the annual hacking contest.

This year’s Masters of Pwn crown went to French outfit Synacktiv, who pwned the Sonos One smart speaker and a network-attached storage (NAS) device from Western Digital, among other hardware.

Total payouts exceeded $1 million for bugs that included 61 unique zero-days.

Alongside TVs, routers, and home automation devices, the 2021 edition also saw the debut of a consumer printer category.

Moving on to conventional bug bounty payouts, a URL parsing bug that earned security researcher David Schütz more than $10,000 in bug bounty rewards left an internal Google Cloud project open to server-side request forgery (SSRF) attacks.

“This issue feels like an industry-wide problem since different applications are parsing URLs based on different specifications,” Schütz told The Daily Swig, adding that he’d “seen this getting fixed in products from different companies as well.”

Schütz earned three separate bounties after bypassing the original fix and then discovering that previous versions of a proxy application containing an access token required for exploitation were still up and running.
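The class of bug Schütz describes, an allowlist check and a fetcher that disagree about which host a URL names, is easy to reproduce. The following is an added example, not Google's proxy or any code from Schütz's report: a hypothetical string-based host extractor stands in for the weak check, Node's WHATWG `URL` parser stands in for the client that actually makes the request, and `ALLOWED_HOSTS` and the sample URLs are constructed.

```javascript
// Added example: a URL parser differential that turns an allowlist check
// into SSRF. Hypothetical code, not Google's or David Schutz's.
// ALLOWED_HOSTS and SAMPLE_URLS are constructed for illustration.
const ALLOWED_HOSTS = new Set(['allowed.example']);

// Naive host extractor: "whatever sits between :// and the next slash".
// A hypothetical weak pattern, still common in hand-rolled validators.
function naiveHost(url) {
  const afterScheme = url.split('://')[1] ?? '';
  return afterScheme.split('/')[0];
}

// The weak check: prefix match on the naively extracted host.
function naiveIsAllowed(url) {
  return naiveHost(url).startsWith('allowed.example');
}

// The host as the WHATWG URL parser sees it; this is the parser behind
// fetch() in browsers and new URL() / the http client in Node.
function whatwgHost(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null; // unparseable: nothing would be fetched
  }
}

// Hardened check: parse once with the same parser the fetcher uses, refuse
// credentials in the authority, exact-match the hostname, and hand back the
// canonical serialisation so a downstream hop that re-parses the URL with a
// different specification still sees the same target.
function strictAllowedUrl(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null;
  }
  if (u.protocol !== 'https:') return null;
  if (u.username !== '' || u.password !== '') return null;
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  return u.href;
}

// URLs the naive check passes but whose real target is not allowlisted.
function findDifferentials(urls) {
  return urls.filter(
    (url) => naiveIsAllowed(url) && !ALLOWED_HOSTS.has(whatwgHost(url))
  );
}

// Constructed inputs.
const SAMPLE_URLS = [
  'https://allowed.example/api/v1',          // legitimate
  'https://allowed.example@evil.example/',   // userinfo trick: real host is evil.example
  'https://allowed.example.evil.example/',   // prefix-match trick
  'https://allowed.example\\@evil.example/', // backslash: WHATWG ends the authority here,
                                             // an RFC 3986 parser would not
];

console.log('naive check passes, fetcher goes elsewhere:', findDifferentials(SAMPLE_URLS));
console.log('canonical form of the backslash case:',
  strictAllowedUrl('https://allowed.example\\@evil.example/'));
```

The last sample is the instructive one: the WHATWG parser treats the backslash as a path separator and reports `allowed.example`, while a parser following RFC 3986 would take the authority up to the first `/` and report `evil.example`. Either answer is defensible under its own specification, which is why the check must run on the same parser as the fetch and forward only the re-serialised URL.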

An alarming vulnerability in Google's G Suite dating back to 2018 made the news after the security researcher who found the flaw released details as part of a wider project to revisit his earlier Google and Microsoft bug-hunting exploits.

The long-since patched vulnerability, which allowed attackers to add themselves as super admins on any organization’s account, earned Cameron Vincent a bounty under Google’s Vulnerability Reward Program.

Meanwhile, researcher Ashish Dhone earned a $1,000 bounty reward for the discovery of a cross-site scripting (XSS) vulnerability that allowed attackers to run arbitrary JavaScript code on Chrome’s ‘New Tab’ page.

The attacker could apparently exploit the bug by sending the victim an HTML file that contains a cross-site request forgery (CSRF) payload, which submits a malicious JavaScript snippet to Google as a search query.

When the user opens the file, the CSRF request fires and the query is stored in the browser's search history. Later, when the user opens a New Tab Page and clicks on the Google search bar, the stored query is rendered and the malicious code runs.
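The two halves of that chain, a cross-site request that plants a query in history and a privileged page that later renders it, can be modelled without a browser. The following is an added example, not Chrome's New Tab page code: the history store, the search endpoint `search.example` and the injected query are constructed, and string concatenation stands in for a DOM sink that assigns markup from history entries.

```javascript
// Added example: the entry and sink sides of a stored XSS that travels
// through a browser's own search history. Hypothetical code, not Chrome's;
// search.example, the history array and INJECTED_QUERY are constructed.

// Entry side. A cross-site page cannot write to history directly, but any
// navigation it triggers to the search endpoint (the CSRF step) leaves the
// raw query string behind, exactly as submitted.
function recordSearchFromRequest(historyEntries, requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q');
  if (q !== null) historyEntries.push(q);
  return historyEntries;
}

// Vulnerable sink: suggestion markup built by concatenation, so a stored
// query containing tags becomes part of the privileged page.
function renderSuggestionsVulnerable(entries) {
  return entries.map((q) => `<li class="suggestion">${q}</li>`).join('');
}

// Minimal escaper for text placed between tags. In a real DOM, use
// textContent and never build markup from history strings at all.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened sink: the same layout, but the entry can only ever be text.
function renderSuggestionsSafe(entries) {
  return entries.map((q) => `<li class="suggestion">${escapeHtml(q)}</li>`).join('');
}

// Detection helper: does the rendered markup contain an element carrying
// an inline event handler attribute?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payload standing in for the query a CSRF page would submit.
const INJECTED_QUERY = '<img src=x onerror="alert(document.domain)">';

const SAMPLE_HISTORY = [];
recordSearchFromRequest(SAMPLE_HISTORY, 'https://search.example/search?q=weather+tomorrow');
recordSearchFromRequest(SAMPLE_HISTORY,
  'https://search.example/search?q=' + encodeURIComponent(INJECTED_QUERY));

console.log('vulnerable:', renderSuggestionsVulnerable(SAMPLE_HISTORY));
console.log('hardened:  ', renderSuggestionsSafe(SAMPLE_HISTORY));
```

The point of the example is the trust boundary: the query was typed by nobody, it arrived through a request the attacker's page caused, yet the store treats it like any other history entry. Escaping at the sink is what keeps that entry inert when a high-privilege page such as a new-tab surface reads it back.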

Finally, IoT research from UK security firm Copper Horse has revealed that nearly four out of five consumer IoT vendors still appear to lack a vulnerability disclosure program (VDP).

Published by the IoT Security Foundation, the report also found that one in three VDPs fail to offer coordinated vulnerability disclosure, where researchers are publicly credited, involved in patching bugs, and permitted to disclose flaws post-remediation.


The latest bug bounty programs for December 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Agoric

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Agoric is a JavaScript-based smart contract platform built on the Cosmos SDK.

Notes:

Agoric is adding a $250 Mainnet 1 bonus to each valid bug while it works on the next phase of the public mainnet rollout.

Check out the Agoric bug bounty page at HackerOne for more details

Bitrue

Program provider:
HackenProof

Program type:
Public

Max reward:
$1,500

Outline:
Bitrue is a cryptocurrency exchange whose purported mission is to use the blockchain and new technologies to help users worldwide access cutting-edge financial services.

Notes:
Four assets are in scope, including bitrue.com, the Bitrue API, and the Android and iOS apps.

Check out the Bitrue bug bounty page at HackenProof for more details

Bluehost

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
Powering millions of websites, Bluehost is one of the largest providers of web hosting for WordPress.

Notes:
Four web domains are in scope and critical bugs will attract rewards in the range of $2,100 to $2,500.

Check out the Bluehost bug bounty page at Bugcrowd for more details

Boson

Program provider:
Independent

Program type:
Public

Max reward:
Undisclosed

Outline:
Boson Protocol, a decentralized infrastructure for enabling autonomous commercial exchanges of anyThing, is most interested in vulnerability reports relating to its contracts repo and user interface that could mean users lose access to their funds.

Notes:
“In the world of DeFi where millions are at stake, responsible projects put themselves up for scrutiny via their bug programs,” says Boson.

Read Boson Protocol’s Medium blog post for more details

Bullish Exchange

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$25,000

Outline:
Bullish Exchange claims to be “a powerful new exchange for digital assets that offers deep liquidity, automated market making, and industry-leading security”.

Notes:
Two domains are in scope: bugbounty.bullish.com and api.bugbounty.bullish.com.

Check out the Bullish Exchange bug bounty page at Bugcrowd for more details

Clubhouse

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
Clubhouse, the audio-based chatroom application, is particularly keen on hardening its applications against security flaws leading to access control bypasses, escalation of permissions, and disclosure of sensitive user information.

Notes:
Clubhouse said: “While many bug bounty programs promise high rewards for catastrophic-level discoveries, our approach keeps the scope broad so we can address as many bugs as possible.”

See our earlier coverage for further details.

CoinDCX

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
CoinDCX, India’s largest cryptocurrency exchange, has invited bug hunters to probe its production systems for security flaws.

Notes:
The biggest rewards will be earned for flaws that enable attackers to compromise wallets, access other users’ personal or financial data, or withdraw funds as a sub account.

Check out the CoinDCX bug bounty page at Bugcrowd for more details

Horizen

Program provider:
HackerOne

Program type:
Public

Max reward:
$10,000

Outline:
Horizen is described as “the zero-knowledge-enabled network of blockchains”, supported by its Zendoo sidechain technology that enables businesses and developers to build their own public or private blockchains.

Notes:
The Zen Blockchain Foundation, which manages the Horizen ecosystem, is offering $1,000 for ‘medium’ severity bugs, $3,000 for ‘high’ severity issues, and $10,000 for ‘critical’ vulnerabilities.

Check out the Horizen bug bounty page at HackerOne for more details

Kubernetes – temporary program

Program provider:
Google

Program type:
Public

Max reward:
$50,337 (or $250,000 for exploits that work on Android)

Outline:
For a three-month period concluding at the end of January 2022, Google is tripling payouts for its kCTF VRP, which rewards Linux kernel exploits against kCTF, a CTF infrastructure built on top of Kubernetes.

Notes:
Google will pay $31,337 to security researchers who achieve privilege escalation in its lab environment using an already patched vulnerability, and $50,337 to those who leverage a previously unpatched vulnerability or a novel exploit technique.

Read the blog post announcing the news on the Google Security Blog for more details 

Openware

Program provider:
HackenProof

Program type:
Public

Max reward:
$5,000

Outline:
Openware, a San Francisco-based developer of blockchain infrastructure and fintech projects, is offering between $3,000 and $5,000 for vulnerabilities that it deems critical.

Notes:
A single asset is in scope: yellow.com, a digital asset exchange platform.

Check out the Openware bug bounty page at HackenProof for more details

Vend by Lightspeed

Program provider:
HackerOne

Program type:
Public

Max reward:
$6,250

Outline:
Vend by Lightspeed, a point-of-sale, inventory management, and ecommerce platform aimed at retailers, has five assets in scope.

Notes:
The vendor is paying between $2,500 and $6,250 for critical bugs, and $750 and $2,000 for ‘high’ severity flaws.

Check out the Vend by Lightspeed bug bounty page at HackerOne for more details


Other bug bounty and VDP news this month

  • Hackers have just a few days left to take part in GitLab’s three-year bug bounty anniversary contest. Until December 3, the top contributors to the organization’s bug bounty program will be greeted with additional swag and reputation points. Payouts have also been increased across the board.
  • Sega, Auvik, and Snowplow have launched points-only vulnerability disclosure programs (VDPs) on the HackerOne platform.
  • For anyone in need of a network forensics refresher, RoseSecurity has created a capture-the-flag challenge that encourages hackers to think outside of the box while digging through obfuscated malware.
  • Boom, a decentralized social media and non-fungible token (NFT) platform, road-tested its beta version by paying out rewards of either 50 or 100 USDT (Tether) to users who found system bugs, errors, or UX/UI issues, or made compelling app design and function suggestions, between November 17 and 24.

Additional reporting by James Walker.


PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for November 2021