New web targets for the discerning hacker
As 2022 draws to a close, HackerOne has revealed that cloud-based vulnerabilities became increasingly common this year as organizations embark on digital transformation.
The bug bounty platform reported that researchers uncovered more than 65,000 software vulnerabilities through its service during the year, up 21% on 2021.
Misconfiguration vulnerabilities also rose 150% and improper authorization issues by 45% – largely because organizations are instituting ever-more granular permissions as they migrate to the cloud.
Intel recently paid out a $10,000 bug bounty to Julien Ahrens of RCE Security – despite disputing the seriousness of the flaw.
Ahrens bypassed Intel Data Center Manager (DCM) authentication by spoofing Kerberos and LDAP (Lightweight Directory Access Protocol) responses, claiming this led to remote code execution (RCE).
Intel acknowledged the vulnerability and gave it a severity score of 8.8, but says the issue amounted only to a privilege elevation flaw. It was persuaded to make the payout anyway as a one-off.
Meanwhile, a security researcher known by the moniker Peter M demonstrated this month how he bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).
He says it took 500 crafted attempts and over 14 hours to find an entry point as part of a private Bugcrowd program.
The attack, carried out with the assistance of Synack pentester Usman Mansha, used Spring Expression Language (SpEL) injection.
In other bug bounty news, Intigriti says it has paid out nearly three times as much this year compared to last, with the average amount having doubled.
It says ethical hackers increasingly see bug bounty hunting as a full-time career, with 96% saying they’d like to spend more time on it. The biggest draw is the money, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart cybercriminals.
And Meta’s review of its own bug bounty program this year has revealed that it paid out more than $2 million, receiving around 10,000 reports in total, of which it paid out on 750.
Meta also released updated payout guidelines for mobile RCE bugs, and there are new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities, too. These go up to $130,000 for ATO reports and $300,000 for mobile RCE bugs.
Finally, bug bounty and security services platform for web3 Immunefi says it has paid out just under $66 million this year, with the biggest bounty amounting to $10 million for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol.
Critical vulnerabilities took the lead with a total of $61 million paid out, accounting for 92.7% of all bounties paid.
The latest bug bounty programs for January 2023
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Axis Communications
Program provider: Bugcrowd
Program type: Public
Max reward: TBC
Outline: Video surveillance vendor Axis Communications has launched a bug bounty program to find vulnerabilities in its network security products, excluding its 2N products.
Notes: Axis Communications has yet to release details of payment rewards for finding such bugs, but has released details of how these bugs are scored using the CVSS method.
Check out the Axis Communications bug bounty page for more details
Contentsquare
Program provider: YesWeHack
Program type: Public
Max reward: €2,500 ($2,670)
Outline: UX analytics provider Contentsquare has launched a bug bounty program focussed on finding issues with its mobile software development kit and collection endpoints, details of which are listed on its bug bounty page.
Notes: Contentsquare asks ethical hackers to consult the list of in-scope topics beforehand, as the targets are specific.
Check out the Contentsquare bug bounty page for more details
Doppler
Program provider: HackerOne
Program type: Public
Max reward: $2,500
Outline: Doppler bills itself as a “SecretOps platform developers and security teams trust to provide secrets management at enterprise scale”.
Notes: Again, there are multiple domains to explore plus Doppler’s source code. There are also five domains that are out of scope for testing.
Check out the Doppler bug bounty page for more details
Engel & Völkers Technology GmbH
Program provider: HackerOne
Program type: Public
Max reward: $1,000
Outline: IT consulting firm Engel & Völkers Technology GmbH has opened its domains to testing by bug bounty hunters.
Notes: There are more than 10 domains available to attack, ranging from critical to medium severity. There are also a handful of domains that are out of scope and shouldn’t be tested.
Check out the Engel & Völkers Technology GmbH bug bounty page for more details
Harman International
Program provider: YesWeHack
Program type: Public
Max reward: $5,000
Outline: Electronics manufacturer Harman, a Samsung company, is asking for help with “hardening of the entire ecosystem” related to JBL devices.
Notes: There are 16 targets in scope including physical devices, web APIs, and applications, so there’s something for everyone to get stuck into.
Check out the Harman International bug bounty page for more details
Moonpay
Program provider: HackerOne
Program type: Public
Max reward: $20,000
Outline: Crypto exchange platform Moonpay is offering big rewards for security vulnerabilities in multiple domains and its source code.
Notes: There are four domains out of scope, so these should be checked before proceeding. Moonpay also details an extensive list of vulnerabilities that aren’t eligible for reward, so this should be checked, too.
Check out the Moonpay bug bounty page for more details
Navitas
Program provider: Bugcrowd
Program type: Private
Max reward: $2,500
Outline: Australian education provider Navitas is offering rewards for reproducible bugs in its services, with rewards based on the severity of the issue.
Notes: Although the company is based in Australia, the rewards are open to ethical hackers worldwide, on an invite basis.
Check out a press release regarding the Navitas bug bounty program for more details
Ooredoo
Program provider: YesWeHack
Program type: Public
Max reward: $1,500
Outline: Ooredoo is a Qatari telco providing mobile, wireless, wire line, and content services for businesses and homes, domestically and internationally.
Notes: Up to $1,500 is on offer for critical vulnerabilities in any of four in-scope assets, with a ceiling of $700 for high severity flaws.
Check out the Ooredoo bug bounty page for more details
OVO
Program provider: YesWeHack
Program type: Public
Max reward: $3,000
Outline: Indonesian payment, rewards and financial services platform OVO is asking hackers to find bugs in four of its mobile and web apps, providing plenty of opportunity to seek a reward.
Notes: OVO has explicitly noted that staging environments are out of scope, as are any other targets that aren’t specifically listed on its bug bounty page.
Check out the OVO bug bounty page for more details
Swapcard
Program provider: YesWeHack
Program type: Public
Max reward: €2,000 ($2,140)
Outline: Swapcard describes itself as an event app and matchmaking platform powered by artificial intelligence, which holds events in the sectors of security, government, and health.
Notes: There is an extensive list of applications and APIs that can be targeted, so this is worth checking out before making a start. Also note that Swapcard states that reports with a detailed proof of concept will be rewarded at a quicker rate, if eligible, than those without.
Check out the Swapcard bug bounty page for more details
VFS
Program provider: YesWeHack
Program type: Public
Max reward: $1,500
Outline: VFS manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments.
Notes: The maximum reward is for vulnerabilities deemed as ‘critical’. Examples include, but aren’t limited to, the leaking of visa applicant personally identifiable information, Insecure Direct Object References (IDOR) issues resulting in a significant leak of sensitive user information, and scripts that can automate the completion of the user registration flow.
Check out the VFS bug bounty page for more details
Yuga Labs
Program provider: HackerOne
Program type: Public
Max reward: $25,000
Outline: Yuga Labs is offering an impressive $25,000 for the discovery of critical vulnerabilities in its web3 platform.
Notes: The company is asking for reports on bugs in not only its domains but its Discord servers too. Anyone wanting to attack the Discord servers should check out the separate policy on Yuga Labs’ bug bounty page first.
Check out the Yuga Labs bug bounty page for more details
Additional reporting by Emma Woollacott.