New web targets for the discerning hacker

Apple’s bug bounty program came in for some pretty damning criticism this month, after the Washington Post interviewed two dozen security researchers about their experiences probing its applications for vulnerabilities.

They claimed Apple was slower in paying up than most organizations, poor at communication, and slow to fix bugs once they’d been reported.

The most valuable tech company in the world also paid out a lot less overall than other tech giants, they said. Luta Security CEO Katie Moussouris described Apple’s crowdsourced security offering as “a bug bounty program where the house always wins”.

VMware has also come under fire in recent weeks, with accusations made that it leaked an exploit for a critical vulnerability in Atlassian’s Confluence that was identical to one previously submitted by the accuser. The company said it had investigated the claims and found no evidence to support them.

It was a better month for OWASP, which celebrated its 20th anniversary by announcing the top 10 web security vulnerabilities for 2021. It cited broken access control as the biggest threat, followed by cryptographic failures, injection, and insecure design.

In browser security news, Opera’s product security manager Cezary Cerekwicki highlighted the benefits of its private and public bug bounty programs when quizzed by The Daily Swig about its privacy and security features.

We spoke to Cerekwicki as part of a rundown of leading web browsers’ privacy and security features. New features are expected in Chrome, Firefox, Opera, and DuckDuckGo.

In other Opera news, the browser has patched a My Flow vulnerability that allowed bug bounty hunter ‘Renwa’ to pivot from XSS to full RCE – and net an $8,000 bounty for their pains.

And finally, a new Chrome browser extension has been released to help bug bounty hunters find secret keys in JavaScript code. Truffle Security’s open source TruffleHog extension has already unearthed an AWS key that was buried in the code of the front page of weather.com, a domain that has received over 740 million visitors in the past six months.


The latest bug bounty programs for October 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Consensys

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
Ethereum software company Consensys has seven assets in scope and is offering $3,000 for critical bugs and $1,000 for high severity flaws.

Notes:
Consensys says: “Our product suite, composed of Infura, Quorum, Truffle, Codefi, MetaMask, and Diligence, serves millions of users, supports billions of blockchain-based queries for our clients, and has handled billions of dollars in digital assets.”

Check out the Consensys bug bounty page at HackerOne for more details

EazyBI

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$1,500

Outline:
EazyBI is an app for Jira and Confluence, available on Server, Data Center, and Cloud. eazyBI provides easy-to-use drag-and-drop creation of custom custom reports, charts, and dashboard gadgets.

Notes:
The new bug EazyBI bug bounty program, part of the wider Atlassian Marketplace Bounty Program, offers rewards of up to $1,500 for the discovery of a range of vulnerabilities, including remove code execution, server-side request forgery, XSS, cross-site request forgery, SQL injection, HTML injection, and path traversal issues.

Visit the EazyBI bug bounty page at Bugcrowd for more info

Finland Ministry of Foreign Affairs

Program provider:
Hackrfi

Program type:
Public

Max reward:
€5,000 ($5,800)

Outline:
Finland’s Ministry of Foreign Affairs has invited ethical hackers to scour online government services for security vulnerabilities.

Notes:
Rewards range from between €100 and €5,000.

Check out the Hackrfi bug bounty page at Hackrfi for more details

Liechtenstein Cryptoassets Exchange (LCX)

Program provider:
HackenProof

Program type:
Public

Max reward:
$3,000

Outline:
In scope for critical bounties of between $1,500-$3,000 and high severity flaws ranging $900-$1,200 are two domains: .LCX.com and LCX Exchange API.

Notes:
LCX has secured eight crypto-related registrations from the Financial Market Authority Liechtenstein and has introduced a comprehensive crypto compliance suite.

Check out the LCX bug bounty page at HackenProof for more details

Nimbus

Program provider:
HackenProof

Program type:
Public

Max reward:
$10,000

Outline:
Decentralized Finance (DeFi) platform Nimbus is paying out between $5,000 and $10,000 for critical flaws in this Smart Contract, while high severity bugs will net researchers between $2,000 and $5,000.

Notes:
Nimbus describes itself as “a DAO governed platform providing users with 16 earning strategies based on lending and borrowing, classic IPO participation, start-up financing, staking, and more”.

Check out the Nimbus bug bounty page at HackenProof for more details

Polkalokr

Program provider:
HackenProof

Program type:
Public

Max reward:
$5,000

Outline:
Polkalokr, a multi-chain token escrow platform, has invited bug hunters to probe bridgr-testnet.polkalokr.com for business logic flaws, payments manipulation, RCE, SQLi, file inclusions, access control issues, sensitive information leakage, SSRF, and other vulnerabilities with a clear potential for losses.

Notes:
Critical vulnerabilities attract bounties of between $3,000 and $5,000, while high severity bugs will see rewards handed out in the range of $1,500-$3,000.

Check out the Polkalokr bug bounty page at HackenProof for more details.

Singapore Government Technology Agency (GovTech)

Program provider:
HackerOne

Program type:
Private

Max reward:
$150,000

Outline:
The Singapore government’s digital arm is offering up to $5,000 – except for “vulnerabilities that could cause exceptional impact”, where the ceiling is $150,000.

Notes:
Eligible white hats – those with ‘HackerOne Clear’ status – can request an invite through HackerOne. The Singapore government launched its first bug bounty program in 2018, also with HackerOne, focusing on securing public-facing government websites.

Check out our previous coverage for further detail

SnapNames

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
Domain name auction site SnapNames has launched a new bug bounty program that offers rewards of up to $2,500 for critical vulnerabilities.

Notes:
In a note to bug hunters, SnapNames reiterated that testing is only authorized on the targets listed as in scope. The company has also released a HTTP testing header so researchers can avoid having their IP blocked.

Visit the SnapNames bug bounty page at Bugcrowd for more info

Tinder

Program provider:
HackerOne

Program type:
Public

Max reward:
$10,000

Outline:
The world’s most popular dating app and ‘swipe right’ pioneer is offering $10,000 for critical vulnerabilities, $4,000 for high severity flaws, and $1,000 for medium risk vulnerabilities.

Notes:
Four assets are in scope: Tinder for iOS and Android, .gotinder.com, and .tinder.com (except where explicitly listed out of scope).

Check out the Tinder bug bounty page at HackerOne for more details

US General Services Administration (GSA)

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
A mammoth 47 assets are in scope at the GSA, a US government agency that supports other federal agencies by building and managing government buildings, procuring products and services, and developing government-wide policies.

Notes:
The GSA says it “expects to evolve its structure over time and welcome[s] feedback on areas for improvement”. Critical bugs net bug hunters $3,000 while high severity flaws will command rewards of $1,000.

Check out the GSA bug bounty page at HackerOne for more details

ZeroHybrid Network

Program provider:
Independent

Program type:
Public

Max reward:
500 ZHT (cryptocurrency)

Outline:
Blockchain company ZeroHybrid Network, which will bring the program to an end when 200,000 ZHT rewards have been paid out, has invited bug hunters to find bugs in the ZeroHybrid APP.

Notes:
ZeroHybrid Network, an ARM-based decentralized trusted computing network that uses mobile devices to provide computing power, said a critical bug would cause “a breakdown of the ZerpHybrid APP” and affect functionality.

Check out ZeroHybrid Network’s blog post for more details


Other bug bounty and VDP news this month

  • Google has launched a new vulnerability disclosure program (VDP) for its Tsunami security scanner.
  • Raider is a new framework designed to test authentication protocols and plug the gaps left by popular vulnerability scanning tools. The tool is the brainchild of start-up DigeeX Security.
  • HackerOne has announced the next evolution of the Internet Bug Bounty (IBB) program. The updated program provides a new pooled funding model so more organizations can leverage the IBB to secure open source dependencies within their software supply chains.
  • French multinational Atos has partnered with European bug bounty platform Intigriti to release an “end-to-end bug bounty offering” for organizations.
  • Bugcrowd has issued a call to security researchers who have niche skills or necessary experience to take part in some of the company’s private bug bounty programs.
  • Russian web hosting business Timeweb has penned an interesting opinion piece (in Russian) that details the potential pros and cons of running a bug bounty program.

Introduction by Emma Woollacott. Additional words by Adam Bannister and James Walker.


PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for September 2021