New web targets for the discerning hacker

Bug bounties were off to a positive start in April, as Microsoft outlined the continued improvements it has been making to its privately-run vulnerability rewards programs.

According to a blog post from the Microsoft Security Response Center (MSRC), Redmond awarded more than $2 million in bounties last year.

During the first three months of 2019, Microsoft raised its top award levels from $15,000 to $50,000 for the Windows Insider Preview bounty, and from $15,000 to $20,000 for the Microsoft Cloud Bounty.

Looking ahead, the tech giant announced it would be partnering with HackerOne for faster bug bounty payment processing.

Elsewhere, Swiss Post has put its e-voting program on hold after security researchers uncovered critical security errors in the system.

Online voting in Switzerland was thrust into the spotlight back in February, when Swiss Post announced it would open up the source code and invite hackers to test its new voting system for security vulnerabilities.

However, before the planned ‘public intrusion test’ had even started, the code came under the scrutiny of an international team of researchers, who discovered three critical flaws that could lead to undetectable vote manipulation, among other shortcomings.

The Linux Foundation recently unveiled CommunityBridge, a new platform that aims to give developers the resources they need to make open source technologies more secure. This includes provisions for a vulnerability scanning and bug bounty service.

We spoke with Subhra Kar, vice president of products, engineering, and operations at LF, who talked us through the initiative.

In bounty hunter news, Santiago Lopez and Sam Curry discuss how they are using their technical skills for good – and earning top payouts in the process.

And finally, The Daily Swig’s Jessica Haworth caught up with Mårten Mickos at Black Hat Asia last month.

The HackerOne CEO discussed the challenges and opportunities for bug bounties in Asia, and outlined how the company’s Hacker-Powered Pen Test is gathering pace.

April saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

CODEX Exchange

Program provider: HackenProof
Program type: Public bug bounty
Max reward: $3,000

Outline:
The cryptocurrency and digital assets trading platform launched its first public bug bounty earlier this month. Both web and API targets are in scope, with up to $3,000 rewarded for flaws including RCE, authentication bypass, and SQL injection.

Notes:
As well as the above vulnerabilities, CODEX said it is keen to hear about any bugs that could cause clear potential for financial or data loss.

Visit the CODEX Exchange bug bounty page at HackenProof for more info

Livestream

Program provider: HackerOne
Program type: Public bug bounty
Max reward: $2,000

Outline:
The streaming platform launched its public bug bounty program on April 15 and has already paid out more than $40,000 in rewards. There are three domains in scope, as well as Livestream software, and its Android and iOS applications.

Notes:
Top payouts are reserved for critical vulnerabilities such as RCE, SQLi, and root access to any systems. High-severity flaws include stored XSS that can be used against logged-in users and account authentication issues, such as authentication bypass.

Visit the Livestream bug bounty page at HackerOne for more info

Priceline (enhanced)

Program provider: HackerOne
Program type: Public bug bounty
Max reward: $3,000

Outline:
Online travel firm Priceline has taken its previously invite-only bug bounty program public, complete with expanded scope and boosted rewards. At the time of writing, the company has paid out more than $80,000 in bounties.

Notes:
“Cybersecurity is of critical importance to Priceline,” said chief information security officer Matt Southworth. “This is why we are enhancing this essential layer of protection with our expanded bug bounty program.

“Above all else, we prioritize protecting the information our customers entrust us with. We have been processing online transactions for 20 years and customers continue to trust us with that information. We take that responsibility very seriously.”

Visit the Priceline bug bounty page at HackerOne for more info

Smartsheet

Program provider: HackerOne
Program type: Public bug bounty
Max reward: $2,000

Outline:
Cloud-based collaboration platform Smartsheet has launched a new public bug bounty program through HackerOne. The company is offering tiered payouts for vulnerabilities discovered in app.smartsheet.com and api.smartsheet.com/2.0.

Notes:
Security researchers are being directed towards the following focus areas: account takeover, privilege escalation, and customer information disclosure.

Visit the Smartsheet bug bounty page at HackerOne for more info

Trustpilot

Program provider: HackerOne
Program type: Public bug bounty
Max reward: $2,000

Outline:
Consumer review website Trustpilot is now offering rewards to security researchers who discover vulnerabilities across a wide range of public-facing web assets. The company listed $2,000 as the maximum vulnerability payout, although it said this may increase based on the severity, cause of the bug, and solutions suggested.

Notes:
“Bugs in third-party services should be reported directly to them respectively, unless the bug relates to our implementation of the service,” Trustpilot said.

Visit the Trustpilot bug bounty page at HackerOne for more info

UMA Project

Program provider: HackerOne
Program type: Public bug bounty
Max reward: $7,500

Outline:
UMA is a decentralized financial contracts platform built to enable the open source Universal Market Access protocol. The technology has two components: self-enforcing smart contract design templates and a “provably honest oracle”.

The organization is encouraging researchers to test the security of the first component in the UMA system to be publicly released – a smart contract that lets participants create and distribute synthetic asset tokens on the Ethereum blockchain.

Notes:
Out-of-scope vulnerabilities in this bug bounty program include flaws previously documented in the Trail of Bits security audit; issues already discussed in the UMA protocol GitHub repo; attacks requiring man-in-the-middle or physical access to a user’s device; and any activity that could lead to denial of service in UMA’s running production service.

Visit the UMA Project bug bounty page at HackerOne for more info

Other Bug Bounty and VDP news:

  • Pen testers have been given an alternative to Kali Linux with a Windows-based, security-focused distribution from FireEye that comes pre-packed with scores of hacking tools.
  • PayPal awarded more than $1 million in bug bounty payouts over a seven-month period.
  • Cloud computing firm ZEIT, forum software phpBB, Capital One, and TomTom have all rolled out (unpaid) vulnerability disclosure programs.
  • Open Bug Bounty has announced a new service to help spot the accidental exposure of personal data on websites.
  • Bug bounty enthusiast Jaggar Henry has compiled every security report disclosed on HackerOne into a digestible list. More than 6,000 reports are included.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line


Additional reporting by Jessica Haworth