New web targets for the discerning hacker

Bug Bounty Radar, August 2019

There was a lot of back-and-forth last month over Valve Corporation’s handling of vulnerability reports, after a researcher claimed he was barred from the video game developer’s bug bounty program.

After Vasily Kravets disclosed a zero-day vulnerability affecting Steam, Valve apparently refused to acknowledge the issue. And when the researcher complained and released details of the bug, he was banned.

Two weeks later, Kravets disclosed a second vulnerability impacting the popular video game distribution platform. All’s well that ends well, though: Valve eventually admitted the ban was “a mistake” and promised to update its bug bounty rules.

Over at Microsoft, there’s a new bug bounty program for the revamped Edge web browser, with rewards of up to $30,000 for any high-impact vulnerabilities found.

The tech giant is also doubling its maximum reward for Azure bugs to $40,000. Launching the Azure Security Lab, a set of dedicated cloud-based targets, Microsoft is inviting researchers to “confidently and aggressively test Azure”.

The company says it’s dished out $4.4 million in bounty rewards across all of its programs over the past 12 months.

Google, too, is in generous mood, announcing that its Google Play Security Reward Program (see below) is being expanded to cover all apps in Google Play with 100 million or more installs.

The company is also launching the Developer Data Protection Reward Program. The aim is to identify and mitigate data abuse issues in Android apps, OAuth projects and Chrome extensions. A single report could net as much as $50,000 for the most serious issues.

Meanwhile, the Libra Association – the non-profit running Facebook’s planned Libra cryptocurrency – is also working with HackerOne on a bug bounty program. Rewards of up to $10,000 are on offer for bugs and vulnerabilities in the early version of the open-source Libra Core code.

And after catching one of its ‘trusted’ marketing partners scraping millions of users’ data, Facebook is now expanding its data abuse bug bounty to Instagram. Anyone can submit a report if they have “specific and direct” knowledge that a third-party app currently or formerly on Instagram has misused user data.

The news comes as Instagram reveals that it’s paid out $10,000 to India-based security researcher Laxman Muthiyah for discovering a new account takeover vulnerability.

These bounties pale into insignificance, though, compared with Apple’s new top reward: $1 million, up from a previous $200,000. The company’s invite-only bounty program has also been expanded to cover all of its operating systems.

Elsewhere, the US Department of Homeland Security is seeking public comment on a vulnerability disclosure program that would make it easier for security researchers to report vulnerabilities. The program is budgeted to cost as much as $44 million, according to the Congressional Budget Office.

And finally, HackerOne has released its 2019 Hacker-Powered Security Report, which it claims is the largest study of bug bounty, vulnerability disclosure, and hacker-powered pen test programs.

Over the last year, it reveals, the average bounty paid for critical vulnerabilities increased to $3,384. Coupled with the report was the announcement that six hackers have now crossed the $1 million earnings threshold.

August saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

Atlassian (enhanced)

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Atlassian, the provider of developer-favorite collaboration tools, has expanded the scope of its bug bounty program to include Confluence Premium, Confluence Server, and Jira Server.

Notes:
Atlassian continues to refine its existing bug bounty program through Bugcrowd. The software developer recently added a new safe harbor clause to its program rules, promising researchers that any testing carried out on in-scope targets will not lead to prosecution.

Visit the Atlassian bug bounty page at Bugcrowd for more info

Dfuse Platform

Program provider:
HackerOne

Program type:
Data integrity testing

Max reward:
$1,000

Outline:
Blockchain API company Dfuse has opened up certain endpoints for data integrity issue testing. “Through this program, we are making a commitment to the integrity of the data available through the Dfuse APIs,” the company said. “The program commits Dfuse to providing only data that is complete and correct, and puts our skin in the game to back this commitment.”

Notes:
Researchers should note that security issues are not in scope for this program, which only covers data integrity issues.

Visit the Dfuse bug bounty page at HackerOne for more info

Facebook (enhanced)

Program provider:
Independent

Program type:
Data abuse bounty; Instagram

Max reward:
Unlisted

Outline:
Facebook has expanded its Data Abuse Bounty Program to include Instagram. “Our goal is to help protect the information people share on Instagram and encourage security researchers to report potential abuse to us so we can quickly take action,” said Facebook security engineering manager, Dan Gurfinkel. “Just like our bug bounty program, we will reward reports based on impact and quality.”

Notes:
Launched in April last year, the data abuse bounty is aimed at rewarding researchers who uncover any misuse of data by app developers. The addition of Instagram to this program was coupled with Facebook’s announcement of a separate, invite-only bug bounty program for the new Checkout on Instagram e-commerce service.

Check out Facebook’s security blog post for more info

Google – Developer Data Protection Reward Program

Program provider:
HackerOne

Program type:
Managed bug bounty

Max reward:
~$1,000

Outline:
Launched in collaboration with HackerOne, Google’s Developer Data Protection Reward Program is aimed at making the Android, OAuth, and Chrome Extension ecosystem safer for the two billion people who use these services daily.

Notes:
Similar to Facebook (above), this program focuses on data abuse issues rather than traditional security vulnerabilities. Other out-of-scope issues include man-in-the-middle attacks, phishing or social engineering, and website scraping, among others.

Visit the Developer Data Protection Reward Program page at HackerOne for more info

Google Play (enhanced)

Program provider:
HackerOne

Program type:
Managed bug bounty

Max reward:
$20,000

Outline:
Google has increased the scope of its Play Store Security Reward Program to include all apps in the marketplace with 100 million or more installs. To date, the program has paid out more than $265,000 in bounties.

Notes:
If the target app already has its own bug bounty program, researchers can collect rewards directly from the developers, on top of the rewards from Google. “We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community,” the company said.

Check out Google’s security blog post for more info

The Libra Association

Program provider:
HackerOne

Program type:
Managed bug bounty

Max reward:
$10,000

Outline:
The Libra Association – the non-profit running Facebook’s planned Libra cryptocurrency – is working with HackerOne on a new bug bounty program. Rewards of up to $10,000 are on offer for bugs and vulnerabilities in the early version of the open-source Libra Core code.

Notes:
“The Libra bug bounty program is intended to strengthen the security of the blockchain,” reads the program overview. “It enables developers to submit bugs and alert the association to security and privacy issues and vulnerabilities to help ensure a scalable, reliable, and secure launch.”

Visit the Libra website and the HackerOne bug bounty page for more info

VeChainThor / VeChainThor Wallet

Program provider:
Hacken Proof

Program type:
Public bug bounty

Max reward:
$10,000 / $3,000

Outline:
VeChainThor is pegged as a “general purpose blockchain” that’s highly compatible with the Ethereum ecosystem. The developers have opened up a new bug bounty program via Hacken Proof, offering up to $10,000 for critical vulnerabilities discovered in the platform’s source code.

Notes:
In addition to the platform bug bounty, the developers have also rolled out a separate bug bounty program for VeChainThor Wallet. Up to $3,000 will be awarded to researchers who identify flaws in the iOS or Android versions of the mobile cryptocurrency wallet.

Visit the VeChainThor and VeChainThor Wallet bug bounty pages at Hacken Proof for more info

Other bug bounty and VDP news:

  • Registration is now open for Driven2Pwn, a live hacking event that’s taking place in Abu Dhabi, alongside the inaugural HITB+CyberWeek conference. Bug bounty rewards of up to $1.2 million are on offer.
  • Throughout August, all donations to the Tor Project were funneled into the non-profit’s Bug Smash Fund, which is aimed at improving the security of the anonymity network.
  • Bugcrowd has announced several updates to its Crowdcontrol bug bounty intelligence platform. The company has also rolled out a new service to help organizations improve the security of their digital marketplaces, or app stores.
  • Maintainers of the open source FileZilla project have spoken on the success of the EU-FOSSA bug bounty program.
  • The UK’s National Cyber Security Centre (NCSC) has launched a points-only vulnerability disclosure program (VDP) through HackerOne.
  • At Black Hat USA last month, researchers showcased Eyeballer – a new AI utility that scours websites for vulnerabilities using nothing but screenshots.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


Additional reporting by Emma Woollacott