New web targets for the discerning hacker

Bounty hunting remains a popular business, with a report this month revealing that the vast majority of ethical hackers would like to do more.

The survey, from Belgian bug bounty platform Intigriti, found that 96% were keen to spend more time bounty hunting, with two thirds considering it as a full-time career. The biggest draw is the money, cited by nearly half, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart malicious hackers.

Currently, more than half of bug bounty hunters are also in full-time employment elsewhere, and around a third are students. More than one in five, though, get more than a quarter of their total income from bounty payouts.

And for those keen to get stuck in, there’s a new invite-only bug bounty program for the French government’s identity authentication application, France Identité, launched earlier this year to complement the country’s new electronic identity cards.

Hosted by Paris-based ethical hacking platform YesWeHack, the program has recruited 30 ethical hackers so far, with specific skills relating to the application, particularly cryptography. It will eventually be opened to all, and will run for the mobile app’s lifetime.

Finally, Google’s been generous lately, paying out more than $300,000 for reports on a variety of flaws in Google Cloud Platform (GCP) during last year.

Security researcher Sebastian Lutz took first prize, with an award of $133,337, for discovering a bug in in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources. Second place, meanwhile, went to Hungarian researcher Imre Rad, who earned $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The program, which kicked off in 2019, now represents a fair chunk of the total $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.


The latest bug bounty programs for July 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Animal Friends

Program provider:
Independent

Program type:
Public

Max reward:
£400 ($480)

Outline:
UK pet insurance company Animal Friends has launched a public bug bounty program that’s focused on securing its corporate website, customer portal, vet portal, and sales platform.

Notes:
Discussing the new program, the insurance provider said: “No system is ever perfect, and therefore Animal Friends believes that working with skilled security researchers around the world is crucial to identify and fix any weaknesses.”

Check out the Animal Friends bug bounty page for more details

ClickHouse

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time.

Notes:
The main focus of the public program is the open source version of the ClickHouse platform.

Check out the ClickHouse bug bounty page at Bugcrowd for more details

France Identité

Program provider:
YesWeHack

Program type:
Private

Max reward:
Undisclosed

Outline:
The French government has launched an invite-only bug bounty program for its newly launched identity authentication application, ‘France Identité’.

Notes:
Hosted by Paris-based ethical hacking platform YesWeHack, the program will eventually be opened up to all security researchers and then run for the mobile app’s lifetime.

Check out our recent coverage for more details

MetaMask

Program provider:
HackerOne

Program type:
Public

Max reward:
$50,000

Outline:
MetaMask, one of the most widely used wallets for interacting with distributed applications, has launched a bug bounty program offering rewards of up to $50,000 for critical vulnerabilities.

Notes:
MetaMask is particularly seeking reports demonstrating how an attacker could extract the secret recovery phrase or a private key from a wallet, or make a user’s wallet behave in “unexpected ways”.

Check out the MetaMask bug bounty page at HackerOne for more details

Opera

Program provider:
Independent

Program type:
Private

Max reward:
Undisclosed

Outline:
The developers behind the Opera web browser have launched a private bug bounty program to accompany the existing public program that’s housed on the Bugcrowd platform.

Notes:
There are currently few details relating to this private program, although anyone expressing an interest must already have a Bugcrowd ID.

Check out Opera’s private bug bounty page for more details

Phemex

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
Cryptocurrency trading platform Phemex has partnered with Bugcrowd to launch a bug bounty program.

Notes:
Researchers have been tasked with finding bugs in the Phemex website and mobile apps. Cross-site scripting (XSS) and denial-of-service (DoS) exploits are out of scope.

Check out the Phemex bug bounty page at Bugcrowd for more details


Other bug bounty and VDP news this month

  • The 2022 President’s Cup Cybersecurity Competition is due to launch later this summer. Hosted by CISA, the annual national cyber competition aims to identify and reward the best cybersecurity talent in the federal executive workforce. Registration is now open for eligible participants.
  • GameStop, Oanda, and PlanetArt have launched (unpaid) VDPs on HackerOne.
  • Security pro Quinten Bowen has launched a malware analysis capture-the-flag (CTF) competition. Registration is free, and the CTF has “beginner to intermediate level flags” associated with static and dynamic analysis.

Curated by James Walker. Introduction by Emma Woollacott.


PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for June 2022