New web targets for the discerning hacker
Google gave vendors a pat on the back this month, with the news that security vulnerabilities reported by its Project Zero in 2021 were patched 28 days faster on average than in 2019.
Only one bug exceeded its 90-day fix deadline, with hardware and software vendors taking an average of 52 days to fix security flaws. The company reckons we’ve got responsible disclosure policies to thank.
In payout news this month, security researcher Sriram Kesavan of TG Cyberlabs netted $3,133 for his discovery that the unsubscribe feature in Google Groups could be abused to kick members out without their knowledge or consent. “I could have literally removed Google employees on several official groups, even if I have no access to it,” he told The Daily Swig.
And there was a massive $250,000 bounty for pseudonymous security engineer ‘Tree of Alpha’, who found a vulnerability in Coinbase that let users ‘sell’ currency they didn’t own.
A missing logic validation check in a Retail Brokerage API endpoint allowed a user to submit trades to a specific order book using a mismatched source account – potentially allowing an attacker to steal unlimited cryptocurrency.
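To make the class of flaw concrete, here is an added example (written for this page, not Coinbase's code) of a trade-submission handler with the source-account check missing, beside a hardened version. The account data, order books, and function names are hypothetical and constructed for the illustration: the vulnerable handler only confirms the user owns the funding account, so a sell on one order book can be funded from an account holding a different currency.

```python
"""Added example, not Coinbase's code: a trade handler that omits the
check that the source account matches the order book, and the hardened
form. Names, accounts and order books are constructed for illustration."""

from dataclasses import dataclass

# Constructed sample data: each account holds one currency; order books
# are BASE-QUOTE pairs, a sell debits BASE and a buy debits QUOTE.
ACCOUNTS = {
    "acct-eth": {"owner": "alice", "currency": "ETH", "balance": 10.0},
    "acct-btc": {"owner": "alice", "currency": "BTC", "balance": 0.0},
}
ORDER_BOOKS = {"BTC-USD": ("BTC", "USD"), "ETH-USD": ("ETH", "USD")}


@dataclass
class Order:
    user: str
    product_id: str         # order book the trade is sent to, e.g. "BTC-USD"
    side: str               # "sell" or "buy"
    size: float
    source_account_id: str  # account the trade is funded from


class TradeError(Exception):
    """Raised when a handler rejects an order."""


def debited_currency(order: Order) -> str:
    """Currency an order actually spends on its order book."""
    base, quote = ORDER_BOOKS[order.product_id]
    return base if order.side == "sell" else quote


def submit_trade_vulnerable(order: Order) -> dict:
    """Checks ownership and balance of the funding account, but never
    checks that the account's currency is the one the order debits. Alice
    can send a BTC-USD sell funded from her ETH account: the exchange
    books a BTC sale she never had the BTC for."""
    acct = ACCOUNTS[order.source_account_id]
    if acct["owner"] != order.user:
        raise TradeError("account not owned by user")
    if order.size > acct["balance"]:
        raise TradeError("insufficient balance")
    return {"accepted": True,
            "sold": debited_currency(order),
            "funded_from": acct["currency"]}


def submit_trade_hardened(order: Order) -> dict:
    """Same checks plus the missing one: the funding account must hold the
    currency this order debits, checked before the balance is consulted."""
    acct = ACCOUNTS[order.source_account_id]
    if acct["owner"] != order.user:
        raise TradeError("account not owned by user")
    needed = debited_currency(order)
    if acct["currency"] != needed:
        raise TradeError(
            f"source account holds {acct['currency']}, order debits {needed}")
    if order.size > acct["balance"]:
        raise TradeError("insufficient balance")
    return {"accepted": True, "sold": needed, "funded_from": acct["currency"]}


def is_rejected(handler, order: Order) -> bool:
    """True if the handler refuses the order."""
    try:
        handler(order)
    except TradeError:
        return True
    return False


if __name__ == "__main__":
    mismatched = Order("alice", "BTC-USD", "sell", 1.0, "acct-eth")
    print("vulnerable:", submit_trade_vulnerable(mismatched))
    print("hardened rejects:", is_rejected(submit_trade_hardened, mismatched))
```

The fix belongs at the point where the order is validated, not at settlement: by the time a mismatched sell has been matched on the book, the counterparty has already been filled.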
Meanwhile, in New Zealand, the Government Communications Security Bureau (GCSB) has called on government agencies to introduce vulnerability disclosure policies (VDPs). Researchers can report bugs on a no-blame basis, although, sadly, there won’t be any bug bounties on offer.
And finally, PortSwigger Web Security has released its annual Top 10 Web Hacking Techniques. Dependency confusion attacks topped the list, with researcher Alex Birsan using the technique to gain access to Apple, Microsoft, and other high-profile companies.
Next up was research from PortSwigger’s James Kettle, showing that many sites that had upgraded to HTTP/2 were still vulnerable to smuggling attacks because they rewrote requests in order to talk to the backend server.
The latest bug bounty programs for March 2022
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Cardano – enhanced
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$20,000
Outline:
Cardano is a public blockchain platform, founded in 2015. As part of a six-week promotion, the Cardano Foundation is offering to double its bug bounty payouts to researchers.
Notes:
Bug bounty hunters who discover critical vulnerabilities in the Cardano Node stand to earn rewards of up to $20,000, starting from February 14. Critical vulnerabilities involving the Cardano Wallet might earn a maximum payout of up to $15,000.
Check out the Cardano bug bounty page at HackerOne for more details
Cloudflare – enhanced
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$3,000
Outline:
Cloudflare, the content delivery network and DDoS mitigation technology provider, has gone public with its previously invite-only bug bounty program, as previously reported.
Notes:
Before going public, Cloudflare and its bug bounty provider refined documentation and guidance in order to improve the quality of reports and minimize false alarms – a particular problem in the early stages of Cloudflare’s invite-only program.
Check out Cloudflare’s bug bounty page on HackerOne for more details
Coinstore
Program provider:
HackenProof
Program type:
Public bug bounty
Max reward:
$10,000
Outline:
Coinstore describes itself as a “financial arcade” for cryptocurrency. Vulnerabilities in its website, API, and mobile apps are all in scope for its recently introduced bug bounty program.
Notes:
Payment manipulation, business logic issues, and a wide array of web security issues are also in scope.
Check out the Coinstore bug bounty page at HackenProof for more details
Databricks
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$5,000
Outline:
Databricks markets a cloud-based data warehousing platform to enterprise customers. The vendor’s rewards are based on severity as gauged by CVSS.
Because the platform is itself a remote code execution environment, RCE vulnerabilities are generally out of scope of the program, except where they violate the security guarantees offered by the platform.
Notes:
Databricks is interested in getting the lowdown on many other common classes of web security vulnerability, including privilege escalation and insecure direct object reference (IDOR) bugs, along with access control issues.
Check out the Databricks bug bounty page at HackerOne for more details
ExpressVPN – enhanced
Program provider:
Bugcrowd
Program type:
Public bug bounty
Max reward:
$10,000
Outline:
Virtual private network (VPN) technology vendor ExpressVPN has increased its incentives to security researchers. Rewards are on offer to security researchers able to demonstrate “unauthorized access, remote code execution, IP address leakage or the ability to monitor unencrypted (non-VPN encrypted) user traffic”.
Notes:
Payouts for validated vulnerabilities range from $150 to $2,500 per bug, depending on the severity of the flaw demonstrated. The first person to demonstrate a valid vulnerability will be entitled to claim a $100,000 bonus.
Check out the ExpressVPN bug bounty page at Bugcrowd for more information
Intel – enhanced
Program provider:
intigriti
Program type:
Public bug bounty
Max reward:
$100,000
Outline:
Intel has enhanced its established bug bounty program with ‘Project Circuit Breaker’.
Notes:
Vulnerabilities in “firmware, hypervisors, GPUs, chipsets, and more” are in scope.
Check out the Intel bug bounty page at intigriti for more information
Kiteworks
Program provider:
Bugcrowd
Program type:
Public bug bounty
Max reward:
$50,000
Outline:
Kiteworks – the enterprise technology vendor formerly known as Accellion – offers file sharing and collaboration technology to business.
Notes:
The highest payouts under the company’s new bug bounty program will go to researchers who discover remote code execution and privilege escalation to root/admin vulnerabilities. Lesser vulnerabilities will be eligible for lower payouts on a sliding scale down to $250.
Check out the Kiteworks bug bounty page at Bugcrowd for more information
Lachain.io
Program provider:
HackenProof
Program type:
Public bug bounty
Max reward:
$1,500
Outline:
Decentralized finance technology provider Lachain.io has opened a new bug bounty program. In-scope vulnerabilities include payment manipulation, business logic issues, and a wide range of web security vulnerabilities.
Notes:
Rewards are on offer for discovered SQL injection, remote code execution, or server-side request forgery (SSRF) flaws, among others.
Check out the Lachain.io bug bounty page at HackenProof for more information
MakerDAO – enhanced
Program provider:
Immunefi
Program type:
Public bug bounty
Max reward:
$10,000,000
Outline:
Cryptocurrency firm MakerDAO has launched a bug bounty program that offers maximum payouts of $10 million, as previously reported by The Daily Swig.
Notes:
Vulnerabilities in its smart contracts technology stand to earn the greatest reward, but bugs in MakerDAO’s website and applications are also in scope.
Check out the MakerDAO bug bounty page at Immunefi for more information
Pandora (Smart Contract and Web)
Program provider:
HackenProof
Program type:
Public bug bounty
Max reward:
$50,000 (smart contract), $8,000 (web)
Outline:
Decentralized finance technology provider Pandora has launched two related bug bounty programs that cover its web infrastructure and smart contracts technology, respectively.
Notes:
Pandora Web is pegged as a “next-gen decentralized ecosystem that aims to redefine and disrupt decentralized finance through AMM, NFTs, and GameFi”.
Check out the Pandora web and Pandora smart contracts bug bounty pages at HackenProof for more information
Other bug bounty and VDP news this month
- Intigriti will be hosting a free, virtual bug bounty conference on March 12. The conference will feature 10 speakers and a 24-hour capture-the-flag competition.
- European bug bounty platform YesWeHack continues its strong growth trajectory, with annual revenues more than doubling globally over the past 12 months. More than 35,000 hackers now operate on the platform.
- UPS, Alohi, and Tenable have launched unpaid vulnerability disclosure programs (VDPs) on HackerOne.
- The Microsoft Security Response Center is expanding its researcher recognition program, with the company making improvements to its researcher leaderboard and program guidelines for hackers.
- HackenProof has launched ‘Hacken Cyber Army’, which aims to help citizens of Ukraine during the conflict that’s unfolding on its home soil.
Additional reporting by Emma Woollacott and James Walker.
PREVIOUS EDITION Bug Bounty Radar // February 2022