New web targets for the discerning hacker
We kick off this month’s bug bounty roundup with some dramatic payout news – a record $2 million paid by blockchain technology company Polygon for a ‘double spend’ smart contract vulnerability.
The flaw, discovered by ethical hacker Gerhard Wagner, would have enabled an attacker to double the amount of cryptocurrency they intended to withdraw, up to 233 times over. In this way, a deposit of just $4,500 could have allowed a hacker to withdraw $1 million.
“The opportunities in crypto as a hacker are tremendous,” says Wagner. “I predict we will see high, single-digit, million dollar bounties announced from projects and white hats claiming them in a not-too-distant future.”
Meanwhile, a newly launched bug bounty platform in India is encouraging cybersecurity professionals and enthusiasts to sign up, and is promising free training and access to exclusive programs for its top 100 ethical hackers.
Cyber3ra, based in Nagpur, says the top three will also receive exclusive merchandising and early access to programs.
Researchers ‘s1r1us’ and ‘BlackFan’ have documented prototype pollution vulnerabilities found in more than 1,000 popular websites and 18 widely used JavaScript libraries, including Apple.com, Jira Service Management, HubSpot Analytics, and Segment Analytics.
The researchers believe that prototype pollution is being neglected: “We hope our blog gives more light to this attack surface and helps people mitigate these issues at scale,” they said.
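The vulnerability class the researchers describe usually enters an application through a recursive "deep merge" or "set by path" helper that copies attacker-controlled JSON into a configuration object. The snippet below is an added example written for this roundup, not code from the researchers' write-up or from any of the libraries named above: it shows such a merge in a pollutable form and in a hardened form, together with a check that reports whether `Object.prototype` was modified. The JSON payload and the `isAdmin` key are constructed sample values.

```javascript
// Added example (not from the article or the researchers' write-up): a recursive
// deep-merge of the kind found in many JavaScript libraries, in a pollutable and
// a hardened form, plus a detection helper. The payload below is constructed.

const isObject = (v) => v !== null && typeof v === 'object';

// Vulnerable: walks every enumerable key, including "__proto__", and follows
// target["__proto__"] straight into Object.prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: only own keys are copied, the three prototype-reaching keys are
// refused, and nested targets are created without a prototype chain at all.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection helper: true if a fresh, unrelated object now inherits `key`,
// which is exactly the symptom of a polluted Object.prototype.
function isPolluted(key) {
  return key in {};
}

// Runs a merge with the sample payload against a fresh target, reports whether
// Object.prototype was polluted, then cleans up so the process is left intact.
function probe(merge) {
  // JSON.parse creates an *own* property literally named "__proto__";
  // the unsafe merge then treats it like any other nested object.
  const payload = JSON.parse('{"theme": "dark", "__proto__": {"isAdmin": true}}');
  const config = merge({ theme: 'light' }, payload);
  const result = { theme: config.theme, polluted: isPolluted('isAdmin') };
  delete Object.prototype.isAdmin; // undo the damage after observing it
  return result;
}

console.log('unsafe merge:', probe(mergeUnsafe)); // { theme: 'dark', polluted: true }
console.log('safe merge:  ', probe(mergeSafe));   // { theme: 'dark', polluted: false }
```

The `isPolluted` probe is the same check a test suite can run after every merge of untrusted input: if a brand-new empty object suddenly inherits a key, the shared prototype has been written to, and any later `if (user.isAdmin)` style check anywhere in the process is now unreliable.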
And finally, we caught up with YouTube educator and security expert Katie Paxton-Fear during a Q&A session we held on Twitter for our readers.
She advises those at the start of their careers to play the field a little: “I think my biggest advice is not to get attached to one field right away, spend some time figuring out what about security really sparks joy for you,” she says.
Katie recommends IDORs (insecure direct object references) as a good area of focus for newbies: they’re one of the most common bugs, she says, and can be ‘high’ or ‘critical’ in severity.
“[The] best way to find them is to sign up with two accounts and see if you can do actions to account A while using the cookies of account B,” she says.
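The two-account check described above is also the regression test a development team should keep in its own suite. The code below is an added example for this roundup, not from the article or any program listed in it: a minimal in-memory note-lookup API with the missing ownership check that makes an IDOR, the hardened handler, and the two-account check written as a function that passes only when cross-account access is denied. All names (`login`, `createNote`, the session tokens, the user ids) are hypothetical.

```javascript
// Added example (not from the article): a minimal in-memory API showing an IDOR
// in an object-lookup handler, the ownership check that fixes it, and the
// two-account regression check. All identifiers are hypothetical.

const sessions = new Map(); // sessionToken -> userId  (constructed sample state)
const notes = new Map();    // noteId -> { ownerId, body }
let nextNoteId = 1;

function login(userId) {
  // A session token standing in for the account's cookie.
  const token = `tok-${userId}-${sessions.size + 1}`;
  sessions.set(token, userId);
  return token;
}

function createNote(token, body) {
  const ownerId = sessions.get(token);
  if (!ownerId) return { status: 401 };
  const id = nextNoteId++;
  notes.set(id, { ownerId, body });
  return { status: 201, id };
}

// Vulnerable handler: authenticates the caller but never checks that the
// requested note belongs to them, so any logged-in user can read any note id.
function getNoteVulnerable(token, noteId) {
  if (!sessions.has(token)) return { status: 401 };
  const note = notes.get(noteId);
  if (!note) return { status: 404 };
  return { status: 200, body: note.body };
}

// Hardened handler: same lookup, plus an authorization check that the
// authenticated user owns the object. Returning 404 rather than 403 avoids
// confirming to a non-owner that the id exists.
function getNoteHardened(token, noteId) {
  const userId = sessions.get(token);
  if (!userId) return { status: 401 };
  const note = notes.get(noteId);
  if (!note || note.ownerId !== userId) return { status: 404 };
  return { status: 200, body: note.body };
}

// The two-account check: create a note as account A, then request it with
// account B's session. Returns true only when the owner can read it and the
// other account cannot.
function twoAccountCheck(getNote) {
  const tokenA = login('alice');
  const tokenB = login('bob');
  const created = createNote(tokenA, 'private to alice');
  const asOwner = getNote(tokenA, created.id);
  const asOther = getNote(tokenB, created.id);
  return asOwner.status === 200 && asOther.status !== 200;
}

console.log('vulnerable handler passes check:', twoAccountCheck(getNoteVulnerable)); // false
console.log('hardened handler passes check:  ', twoAccountCheck(getNoteHardened));   // true
```

The important design point is that the ownership comparison lives in the handler that loads the object, next to the lookup, rather than in a front-end that merely hides links to other users' ids: the IDOR exists whenever the server will honour a request for an id the session does not own.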
The latest bug bounty programs for November 2021
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Allbridge
Program provider: HackenProof
Program type: Public
Max reward: $4,000
Outline: Allbridge describes itself as “a simple, modern, and reliable way to transfer assets between networks”. It is looking for vulnerabilities in both its website and source code, which includes its smart contracts.
Notes: In-scope vulnerabilities include those with a “clear potential for loss”, such as business logic issues and payments manipulation.
Check out the Allbridge bug bounty page at HackenProof for more details
Celo
Program provider: HackerOne
Program type: Public
Max reward: $20,000
Outline: Celo is an ‘open platform’ for financial services. It is asking researchers to look for issues in its protocols and smart contracts as well as its web applications.
Notes: Top payouts are reserved for critical bugs, including double-spend vulnerabilities that will shut down the network.
Check out the Celo bug bounty page at HackerOne for more details
Cryptology
Program provider: HackenProof
Program type: Public
Max reward: $5,000
Outline: Crypto exchange Cryptology is asking researchers to find bugs in its various web applications and its iOS and Android apps.
Notes: The exchange is particularly interested in bugs that result in payments manipulation and remote code execution, as well as injection vulnerabilities.
Check out the Cryptology bug bounty page at HackenProof for more details
DANA (Updated)
Program provider: YesWeHack
Program type: Public
Max reward: $2,000
Outline: DANA Indonesia provides a digital wallet for holding cryptocurrency.
Notes: This program has been modified since it launched earlier this year. It previously offered $50 for low-impact vulnerabilities, but now offers no reward at all for anything classed as below medium severity.
Check out the DANA bug bounty page at YesWeHack for more details
Ethereum
Program provider: Ethereum
Program type: Public
Max reward: $100,000
Outline: Ethereum’s in-house bug bounty program is offering top rewards for critical bugs in the core Eth2 Beacon Chain specification and the Lighthouse, Nimbus, Teku, and Prysm client implementations.
Notes: The program itself isn’t new, but Ethereum recently announced it was offering double rewards for any flaws found in the ecosystem before its upgrade to Altair.
Check out the Ethereum bug bounty page for more details
Google Android Enterprise
Program provider: Google
Program type: Public
Max reward: $250,000
Outline: Google has launched a program for Android, offering the maximum reward for critical vulnerabilities that can compromise a Pixel phone or tablet.
Notes: Google provides an extra reward for a full exploit chain that demonstrates arbitrary code execution, data exfiltration, or a lock-screen bypass. “The actual reward amount is at the discretion of the rewards committee and depends on a number of factors,” says the company.
Check out the Android Enterprise bug bounty page at Google for more details
UG Bazaar
Program provider: Bugv
Program type: Public
Max reward: $100
Outline: Urban Girl Bazaar is a Nepalese online marketplace for women’s clothing. It has launched its first bug bounty program since opening in 2012.
Notes: There isn’t a wealth of information about the program, but researchers are encouraged to sign up to take part.
Find out more at Bugv’s social media
Other bug bounty and VDP news this month
- After pledging $100 million towards improving open source security in October, Google is sponsoring security reviews of eight major tech projects (including Git, Lodash, and Laravel) through a partnership with the Open Source Technology Improvement Fund.
- The US Federal Judiciary has launched a vulnerability disclosure program (VDP) that aims to improve the security of its courts system and services.
- Web browser security researcher Abdulrhman Alqabandi has penned an interesting post that documents his journey from bug bounty hunter to full-time Microsoft employee.
- The United Arab Emirates’ National Cyber Security Council (NCSC) has launched a ‘national bug bounty program’ that aims to enhance the nation’s cybersecurity posture.
- Rakuten and Gemini have launched unpaid VDPs via Bugcrowd and HackerOne, respectively.
Additional reporting by Emma Woolacott and James Walker.