New web targets for the discerning hacker
Last month, we caught up with the three friends – Ron Chan, ‘FileDescriptor’, and ‘EdOverflow’ – behind the ethical hacking video channel Reconless.
With around 8,000 subscribers, Reconless is inspired by Fireship’s application development-focused YouTube channel, and offers short explainers of a number of hacking topics, including soft skills such as writing engaging vulnerability reports.
The trio described the vulnerabilities they are most proud of having uncovered.
“My proudest discoveries were not security vulnerabilities that I uncovered but rather those where I aided someone else,” says EdOverflow. “I get more satisfaction out of knowing that someone was able to progress in this industry thanks to my small nudge.”
In other industry news, popular hacking educator Katie Paxton-Fear had her YouTube channel taken down this month, without a strike warning, for 'severe' guideline violations.
After the university lecturer and part-time bounty hunter was told that her channel contained 'harmful' content, she called for reviewers to be better informed about educational hacking content.
“There’s a lot of people who upload actually harmful activity things like cyberstalking, hacking social media accounts, game hacking… and it can be hard for any system to differentiate between educational and non-educational content,” Paxton-Fear told The Daily Swig.
“However, the strike system is supposed to handle this so your account isn’t removed.”
The channel was swiftly reinstated following Paxton-Fear's appeal, and an outcry from the bug bounty and infosec community.
In program news, the US Department of Defense has expanded its security vulnerability disclosure program to include all its publicly accessible information systems.
That means it now covers all public-facing DoD networks, frequency-based communication platforms, IoT devices, and industrial control systems.
“The department has always maintained the perspective that DoD websites were only the beginning as they account for a fraction of our overall attack surface,” said Kristopher Johnson, director of the DoD Cybercrime Center.
Since its 2016 launch, says the DoD, the program has seen more than 29,000 security vulnerability reports, of which 70% were deemed valid. It expects this number to expand along with the in-scope attack surface.
The latest bug bounty programs for June 2021
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Azbuka Vkusa
Program provider: HackerOne
Program type: Public bug bounty
Max reward: $1,000
Outline: Russian supermarket Azbuka Vkusa has launched its first bug bounty program and is asking security researchers to look for vulnerabilities in its domains, specific IP addresses, and its wireless networks.
Notes: There is an extensive list of out-of-scope targets, so it’s worth taking a look at them beforehand.
Visit the Azbuka Vkusa bug bounty page at HackerOne for more info
Mail.ru
Program provider: Bugcrowd
Program type: Public bug bounty
Max reward: $35,000
Outline: Russian email provider Mail.ru has launched a program with Bugcrowd, the second bug bounty for the company, which has also previously partnered with HackerOne.
Notes: Mail.ru is offering a huge $35,000 for the most critical target, remote code execution. There’s a detailed list of all in-scope vulnerabilities, ranging from server-side leaks to RCE and SQL injection.
Visit the Mail.ru bug bounty page at Bugcrowd for more info
Opera – enhanced
Program provider: Bugcrowd
Program type: Public bug bounty
Max reward: $10,000
Outline: After previously conducting a private bug bounty program, Opera has opened its doors to the public, inviting all researchers to take part.
Notes: The company behind the web browser has expanded its scope to include bugs found across a wide range of its domains and apps, including Opera for Android.
Visit the Opera bug bounty page at Bugcrowd for more info
Sifchain
Program provider: HackerOne
Program type: Public bug bounty
Max reward: $15,000
Outline: The “world’s first omni-chain decentralized exchange” is offering up to $15,000 for critical bugs in its blockchain.
Notes: Sifchain notes that its primary concern is any vulnerability where an attacker can siphon assets from users in an unintended way. Its secondary concern is any vulnerability that could affect or compromise the availability or performance of the blockchain.
Visit the Sifchain bug bounty page at HackerOne for more info
Other bug bounty and VDP news this month
- Security researcher Ahmad Halabi published a blog post tracing the bug bounty journey that led to him ranking in the top 10 of the US Department of Defense’s vulnerability disclosure program (VDP).
- Pen tester Andy Gill (@ZephrFish) has released a collection of bug bounty report templates to assist aspiring security researchers with the all-important vulnerability disclosure process.
- Bugcrowd’s Ultimate Guide to Vulnerability Disclosure examines 2021 data around VDPs.
- Companies Aktia, R3, Zego, and LumiraDx have launched unpaid VDPs through HackerOne.
Compiled by James Walker. Introduction by Emma Woollacott. Additional reporting by Jessica Haworth.