New web targets for the discerning hacker

Welcome to the first Bug Bounty Radar of 2021, back with a bang after a short hiatus. As you’ll see, we’ve introduced a smart new design – but rest assured, you’ll still find the same mix of the latest bug bounty news, programs, and vulnerability write-ups.

We kicked off the year with an interview with Swiss bounty hunter ‘Xel’ – AKA Raphaël Arrouas – who shared the secrets of his success, along with tips for those just starting out.

“Focusing on impact rather than quantity allows me to dedicate more time to researching vulnerabilities in depth and learn something in the process,” he says. “And it is worthwhile considering the payout scales, which usually greatly favor high and critical impact vulnerabilities.”

Elsewhere, bug hunter Alex Birsan netted $130,000 by showing how a novel supply chain attack allowed him to hack into systems belonging to Apple, Microsoft, PayPal, and other major tech companies.

By exploiting a vulnerability dubbed ‘dependency confusion’, he was able to execute malware within the companies’ networks by overriding privately-used dependency packages with malicious, public packages with the same name.

And precisely this supply chain attack has already been seen in the wild. A developer at automated software testing specialist Qentinel reported the failure of a build pipeline when fetching internal libraries and traced the problem to suspicious packages in the Python Package Index repository. The problem was fixed a day later.
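The mechanism behind the attack is the resolver's default behaviour of taking the highest version of a package name from any configured index, so a public package with the same (normalized) name and a larger version number wins over the internal one. The following Python simulation is an added example, not code from the write-up or from any of the affected companies: it models that selection over constructed candidate data, with hypothetical index URLs and package names, and shows the audit result with and without restricting internal names to the private index.

```python
"""Simulate index selection to show why dependency confusion works, and audit for it."""
import re
from typing import Dict, List, Optional, Tuple

PRIVATE_INDEX = "https://pypi.internal.example/simple"  # hypothetical private index
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed sample data: (name, version, index) as a resolver would see them when a
# private index is used as an extra index alongside the public one.
CANDIDATES: List[Tuple[str, str, str]] = [
    ("acme-billing", "1.4.2", PRIVATE_INDEX),
    ("Acme_Billing", "99.0.0", PUBLIC_INDEX),  # same normalized name, higher version
    ("acme-auth", "2.0.1", PRIVATE_INDEX),
    ("requests", "2.25.1", PUBLIC_INDEX),
]
INTERNAL_PACKAGES = {"acme-billing", "acme-auth"}  # names that must never come from PyPI

def normalize(name: str) -> str:
    """PEP 503 normalization: 'Acme_Billing' and 'acme-billing' are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(version: str) -> Tuple[int, ...]:
    """Order constructed dotted-integer versions (real resolvers use PEP 440)."""
    return tuple(int(part) for part in version.split("."))

def resolve(name: str, candidates: List[Tuple[str, str, str]],
            allowed_indexes: Optional[Dict[str, str]] = None) -> Optional[Tuple[str, str]]:
    """Pick the highest version across every index, as an unconstrained resolver does.
    allowed_indexes maps a normalized name to the only index it may be served from;
    this models the mitigation (a controlled mirror or per-package index pinning),
    not a built-in pip option."""
    wanted = normalize(name)
    pool = [(ver, idx) for n, ver, idx in candidates if normalize(n) == wanted]
    if allowed_indexes and wanted in allowed_indexes:
        pool = [(ver, idx) for ver, idx in pool if idx == allowed_indexes[wanted]]
    if not pool:
        return None
    return max(pool, key=lambda cand: version_key(cand[0]))

def audit(candidates, internal, allowed_indexes=None) -> Dict[str, Tuple[str, str]]:
    """Return internal packages that would be installed from a non-private index."""
    confused = {}
    for name in internal:
        chosen = resolve(name, candidates, allowed_indexes)
        if chosen and chosen[1] != PRIVATE_INDEX:
            confused[name] = chosen
    return confused

if __name__ == "__main__":
    print("default resolution:", audit(CANDIDATES, INTERNAL_PACKAGES))
    pinned = {normalize(n): PRIVATE_INDEX for n in INTERNAL_PACKAGES}
    print("with index restriction:", audit(CANDIDATES, INTERNAL_PACKAGES, pinned))
```

Run against a real lockfile or install report, the same audit only needs the candidate list replaced with the names, versions and source URLs that were actually resolved.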

You’ll find more information on supply chain attacks in our latest deep dive on the issue, including prevention and mitigation advice.

In military news, the German armed forces – or ‘Bundeswehr’ – says it’s received more than 60 valid reports since the start of its vulnerability disclosure program (VDP) three months ago. They included cross-site scripting (XSS), SQL injection, misconfiguration, data leakage, and open redirect bugs.

Meanwhile, DARPA – the US military’s technology R&D agency – has given an update on its own bug bounty program. The agency says it’s exposed 10 vulnerabilities, seven critical and three high, with four already patched and the others soon to be resolved.

And finally, for those who missed it, HTTP/2 cleartext (H2C) smuggling has been voted the best web hacking technique of 2020.

“Conceptually similar” to last year’s WebSocket smuggling, “request tunnelling exploitation is an emerging art so this one may be a slow burn, but we anticipate some serious carnage in future”, said James Kettle, head of research at PortSwigger Web Security.

It’ll be interesting to see which of these techniques becomes the bug hunters’ favorite in 2021.


The latest bug bounty programs for March 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Aruba Networks

Program provider: Bugcrowd

Program type: Public bug bounty

Max reward: $5,000

Outline: Aruba Networks, the wireless networking subsidiary of Hewlett Packard Enterprise, has launched a new bug bounty program to help shore up the security of various products and services, including ArubaOS Controllers and Access Points, Aruba Instant, Aruba InstantOn, Aruba ClearPass Policy Manager, ArubaOS-CX, and more.

Notes: In order to exploit many of the in-scope flaws, researchers must be in possession of Aruba Access Point hardware. While these devices will not be supplied, the company said it will pay up to $5,000 for the disclosure of unauthenticated vulnerabilities impacting its technology.

Visit the Aruba Networks bug bounty page at Bugcrowd for more info

Chime Financial, Inc.

Program provider: HackerOne

Program type: Public

Max reward: $10,000

Outline: Chime Financial is looking for security vulnerabilities in its bank account and money management app Chime.

Notes: There is a rather extensive list of out-of-scope vulnerabilities, so it’s worth checking these out before diving in. This includes denial-of-service attacks and vulnerabilities in third-party services that are not owned by Chime.

Visit the Chime Financial bug bounty page at HackerOne for more info

FetLife

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $5,000

Outline: FetLife, a “social network for the BDSM, fetish, and kinky community”, is asking the security community to test its systems for vulnerabilities, with a particular focus on web-based exploits including SQL injection, XSS, cross-site request forgery (CSRF), and more.

Notes: “No technology is perfect, and FetLife believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology,” the company said.

Visit the FetLife bug bounty page at HackerOne for more info

FTX.US

Program provider: Hacken Proof

Program type: Public bug bounty

Max reward: $2,500

Outline: Security researchers can now try their hand at attacking FTX.US, a brand new, US-regulated cryptocurrency exchange. The company is paying up to $2,500 for vulnerabilities impacting its web and mobile apps.

Notes: “Our mission is for FTX.US to grow the digital currency ecosystem, offer US traders a platform that inspires their loyalty, and become a market leading US cryptocurrency exchange over the next two years,” the company said.

Visit the FTX.US bug bounty page at Hacken Proof for more info

LaunchDarkly

Program provider: HackerOne

Program type: Public

Max reward: $4,500

Outline: Development management tool LaunchDarkly is looking for researchers to test its products, which are used by businesses worldwide to deploy code.

Notes: LaunchDarkly is asking for reports that include reproducible steps – any submitted without these will not be eligible for a reward. Payout figures are guidelines, and any reward is at the discretion of the company.

Visit the LaunchDarkly bug bounty page at HackerOne for more info

Matrix.org Foundation

Program provider: Intigriti

Program type: Public

Max reward: €5,000 ($6,000)

Outline: Intigriti has launched an EU-backed program for secure communications tool Matrix under a drive from the European Commission, the executive branch of the European Union, to secure critical open source software projects.

Notes: Security researchers are offered up to $6,000 for flaws, and can earn an additional 20% of their rewards if a viable patch is provided with the report.

Visit the Matrix.org Foundation bug bounty page at Intigriti for more info

O1 Labs

Program provider: HackerOne

Program type: Public

Max reward: $10,000

Outline: O1 Labs is a software development company specializing in cryptography and cryptocurrency. It is looking for any vulnerabilities that may endanger the security of its businesses and customers.

Notes: A number of known vulnerabilities are already listed so it’s worth taking a look to avoid reporting any duplicates. These include a DDoS vulnerability and remote persistent throwout. Also, O1 Labs has provided a list of possible bugs to be explored.

Visit the O1 bug bounty page at HackerOne for more info

Panther Labs

Program provider: HackerOne

Program type: Public

Max reward: $1,337

Outline: Panther Labs, a platform for log analysis, cloud security, and data analytics, is looking for vulnerabilities from user data exposure to remote code execution (RCE).

Notes: You may notice that Panther Labs has had a little fun with its max payout figure, which is rewarded for critical issues including RCE and SQL/NoSQL injection.

Visit the Panther Labs bug bounty page at HackerOne for more info

Sixt

Program provider: HackerOne

Program type: Public

Max reward: $3,000-$4,000

Outline: Worldwide car rental and ride-hailing platform Sixt is asking bug hunters to search for vulnerabilities in both its web platform and mobile applications.

Notes: There are two maximum payouts in this program: $3,000 for web vulnerabilities and $4,000 for security issues in the Sixt Android and iOS applications. Sixt has also listed a number of in-scope targets under its bug bounty program; however, out-of-scope targets may be eligible for its vulnerability disclosure program, which could earn researchers Sixt swag.

Visit the Sixt bug bounty page at HackerOne for more info

Step

Program provider: Bugcrowd

Program type: Public bug bounty

Max reward: $4,500

Outline: Step is a financial services company that aims to provide younger generations with the tools to make budgeting, saving, and managing money easy. The company’s new bug bounty program is focused on securing the Step Android and iOS apps.

Notes: No test account has been provided, and so bug hunters have been asked to sign up and create a free Step account using their own details.

Visit the Step bug bounty page at Bugcrowd for more info

Unistake Smart Contracts

Program provider: Hacken Proof

Program type: Public bug bounty

Max reward: $5,000

Outline: Unistake is a decentralized token protocol built “to empower DeFi projects and incentivize liquidity providers”. The developers are looking for security shortcomings that might lead to incorrect behavior of the smart contract that could cause unintended functionality, such as loss of funds, unauthorized transactions, or reordering.

Notes: In special cases, the size of the bug bounty award can be increased if the researchers demonstrate how the vulnerability can be used to inflict maximum harm.

Visit the Unistake bug bounty page at Hacken Proof for more info


Other bug bounty and VDP news this month

  • The Hilton hotel group, Ohio Secretary of State, Hud App, the World Health Organization’s Covid-19 mobile app, and Checkout have all launched (unpaid) VDPs through HackerOne.
  • Google has launched OSV, a new service that aims to improve the company’s vulnerability triage for developers and consumers of open source software.
  • French bug bounty platform Yogosha is hosting a 24-hour capture-the-flag competition in partnership with Kaspersky, on March 13. Check out the Yogosha blog for full details.
  • Infosecurity Magazine’s Phil Muncaster recently pulled focus on the growing scourge of ‘beg bounties’, which come in the form of unsolicited security vulnerability reports that are usually sent out to small businesses with no bug bounty program in place.
  • OrderBox, Host Gator, and Web.com have launched points-only VDPs on Bugcrowd.
  • As reported by Dark Reading, security researchers are pushing for a ‘bug bounty program of last resort’ to help protect the world’s most critical digital infrastructure.
  • In case you missed it, we recently profiled Malvuln.com, the first website “exclusively dedicated” to revealing security vulnerabilities in malware.

Additional reporting by Jessica Haworth and James Walker.
