New web targets for the discerning hacker

Last month two Italian security researchers revealed they had netted more than $46,000 in bug bounties after discovering a misconfiguration vulnerability in Akamai – despite receiving nothing from Akamai itself.

The exploit, which leveraged HTTP smuggling and hop-by-hop header abuse techniques, instead achieved payouts from several of the company’s customers. These included $25,200 from PayPal and rewards from Airbnb, Hyatt Hotels, Valve, Zomato, and Goldman Sachs.

In other payout news, researcher Saajan Bhujel bagged a $10,000 bounty from GitHub after finding a way to spoof the platform’s login interface. Bypassing HTML filtering in the MathJax display engine allowed him to inject form elements and change the website’s CSS, potentially fooling users into entering credentials into a fake login page.

Apple, meanwhile, has invited researchers to apply for the Apple Security Research Device Program, with applications open until the end of November.

Successful applications will receive a Security Research Device (SRD) – a specially-fused iPhone that allows iOS security research to be carried out without having to bypass its security features. Shell access is available, and researchers can run any tools, choose their own entitlements, and customize the kernel.

Apple has also revamped its ‘Apple Security Research’ website, with researchers now able to track bug reports via real-time status updates. The program has paid out nearly $20 million in bounties since launching 2.5 years ago.

Meanwhile, the Swiss National Cyber Security Centre (NCSC) has launched a private bug bounty program that involves probing the federal government’s web applications, APIs, and critical infrastructure.

Amazon’s new hardware-focused program, managed by HackerOne, is offering rewards ranging up to $25,000 for bugs in Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware.

And finally, the US Department of Defense said it paid out a total of $75,000 in bounties for 648 bug reports submitted by 267 researchers during a hackathon that took place in July.


The latest bug bounty programs for November 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Apple Security Research Device Program

Program provider:
Independent

Program type:
Private

Max reward:
$1 million

Outline:
Apple will send selected security researchers a Security Research Device (SRD), a specially fused iPhone that allows shell access, kernel customization, and iOS security research without the need to bypass security features.

Notes:
Applications can be submitted until November 30, 2022, with successful candidates receiving an SRD for 12-month renewable periods, and reports potentially eligible for rewards through the upgraded Apple Security Bounty.

Check out the Apple SRD bug bounty page for more details

Amazon

Program provider:
HackerOne

Program type:
Public

Max reward:
$25,000

Outline:
Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware, make up the 36 assets in scope under the Amazon Vulnerability Research Program.

Notes:
Rewards for bugs in services and apps range up to $20,000, while bounties for devices rise higher still to $25,000.

Check out the Amazon bug bounty page for more details

Beanstalk

Program provider:
Immunefi

Program type:
Public

Max reward:
$1.1 million

Outline:
The bug bounty program for Beanstalk – a permissionless fiat stablecoin protocol built on Ethereum – centers on smart contracts and preventing the loss of user funds.

Notes:
Beanstalk describes itself as forming “the monetary basis of an Ethereum-native, rent-free economy facilitated by the positive carry of its native fiat currency, a stablecoin called Bean”.

Check out the Beanstalk bug bounty page for more details

BigCommerce

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
A NASDAQ-listed provider of Software-as-a-Service (SaaS) ecommerce services to retailers.

Notes:
Valid targets include bigcommerce.net, bigcommerce.com, and related iOS and Android apps.

Check out the BigCommerce bug bounty page for more details

Blend Labs

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Blend Labs is a provider of cloud-based software for financial services firms in the US.

Notes:
Just one target is in scope – knox.beta.blendlabs.com – with blend.com not a viable target.

Check out the Blend Labs bug bounty page for more details

Deribit

Program provider:
HackerOne

Program type:
Public

Max reward:
$6,000

Outline:
The Amsterdam-based cryptocurrency options exchange is offering between $2,500 and $6,000 for critical vulnerabilities.

Notes:
Testing is only allowed within Deribit’s test environment.

Check out the Deribit bug bounty page for more details

Jungle Smart Contract

Program provider:
HackenProof

Program type:
Private

Max reward:
$1 million

Outline:
A peer-to-peer NFT marketplace for digital goods, art, collectibles, and other virtual assets backed by the blockchain.

Notes:
Some 14 protocols are in scope.

Check out the Jungle Smart Contract bug bounty page for more details

Lido on Polkadot and Kusama

Program provider:
Immunefi

Program type:
Public

Max reward:
$2 million

Outline:
Lido, a liquid staking solution for Ethereum, has launched bug bounty programs focused on DOT (Polkadot) and KSM (Kusama).

Notes:
Smart contract bugs could command rewards of up to $2 million, while flaws in websites and applications max out at $40,000.

Check out the Lido on Polkadot and Kusama bug bounty pages for more details

Private Internet Access (PIA)

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$1,250

Outline:
PIA, which already had a vulnerability disclosure program, is now incentivizing researchers to probe its technologies with rewards ranging up to $1,250.

Notes:
Priority bugs are those enabling remote code execution, unlicensed access to VPN servers, or third-party monitoring or leaking of user data.

Check out the PIA bug bounty page for more details

Rec Room

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
A video game and video game creation platform available on Windows, Xbox, PlayStation, Oculus Quest, Apple devices, and Android.

Notes:
The Rec Room web application and API are in scope, but the free, cross-platform Rec Room game is the “primary target”.

Check out the Rec Room bug bounty page for more details

Redox

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$5,000

Outline:
Redox technology facilitates the transferring of electronic healthcare records between organizations.

Notes:
Critical bugs ordinarily fetch rewards of between $3,000 and $4,500, but submissions that “reflect an understanding of the platform and can describe the vulnerability and its impact and how to resolve it clearly and concisely” could net bounties of $5,000.

Check out the Redox bug bounty page for more details

Stravito

Program provider:
Intigriti

Program type:
Public

Max reward:
Undisclosed

Outline:
The market research platform claims McDonalds, Electrolux, Comcast, and Carlsberg among its customers.

Notes:
Said Stravito founder and CEO Thor Olof Philogène: “Partnering with Intigriti, the leaders in this space, allows us to add an additional layer of stress testing to ensure we continue delivering the most robust and secure platform in our space.”

Check out the Stravito bug bounty page for more details

Swiss National Cybersecurity Centre

Program provider:
Bug Bounty Switzerland

Program type:
Private

Max reward:
Undisclosed

Outline:
The Swiss National Cybersecurity Centre (NCSC) is seeking submissions for bugs in the federal government’s web applications, APIs, and critical infrastructure.

Notes:
As previously reported by The Daily Swig, the program follows a pilot project conducted in 2021 where ethical hackers probed IT systems of the Swiss parliament and Federal Department of Foreign Affairs for security vulnerabilities.

Check out the Swiss NCSC bug bounty page for more details


Other bug bounty and VDP news this month

  • HackerOne is expanding the number of its ‘Hacker Success Managers’ to assist bug hunters, and has launched a new attack surface management platform, HackerOne Assets
  • Bugcrowd is now a CVE numbering authority, and has also launched a program management platform to help customers coordinate pen test, bug bounty, VDP, and ASM assets
  • European platform Intigriti has launched Hybrid Pentesting, which purports to combine the ‘pay-for-impact’ bug bounty model with the dedicated resourcing strategy of penetration testing
  • YesWeHack has launched MyOpenVDP, a turnkey vulnerability disclosure program-hosting solution
  • Open Bug Bounty has surpassed the milestone of notching one million web security vulnerabilities (PDF) reported and patched eight years after the platform’s launch

Curated by Adam Bannister. Additional reporting by Emma Woollacott.
