New web targets for the discerning hacker

The global bug bounty market ended on something of a high note this year, as Apple announced that it was (finally) opening up its security rewards program to the public.

The company’s bug bounty program – previously limited to a select few researchers – is now open to everybody capable of finding vulnerabilities within macOS, iOS, tvOS, watchOS, or iCloud.

The most severe classes of vulnerabilities are eligible for payouts of up to $1 million or more in cases where a bug occurs in both release and beta versions of Apple’s technology.

The scale of payout depends on an exploit chain’s complexity and severity, but can reach up to a maximum of $1.5 million.

Elsewhere, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced plans for a new directive that would require all US federal agencies to create their own vulnerability disclosure policy (VDP).

According to CISA, most federal agencies currently lack any formal mechanism to receive information from security researchers about potential vulnerabilities in their systems, and many have no defined strategy for handling reports when they do come in.

CISA is now seeking public comment on operational directive BOD 20-01 that would mandate a VDP and appropriate handling procedures.

In related news, the Internet Engineering Steering Group (IESG) has issued a final call for comment on security.txt, a proposed standard for a machine-readable file in which websites publish their security contact details and disclosure policy, with the aim of making the vulnerability reporting process as simple as possible for researchers.

Interested parties have less than a month to submit comment on the policy, which, after having gained traction over recent years, may soon become a recommended vulnerability disclosure reporting standard for all websites.

In other bug bounty news this month, NordVPN has launched a public program, with rewards potentially exceeding $5,000.

The VPN provider, which claims more than 12 million users worldwide, first announced plans to set up a paid vulnerability disclosure program in late October, after it emerged that its private encryption keys had been stolen and disseminated online.

And finally, bug bounty platform HackerOne paid out a $20,000 bounty late last month, after a researcher was able to access other users’ vulnerability reports.

As previously reported by The Daily Swig, a HackerOne community member was engaged in a conversation with one of HackerOne’s security analysts.

In one message, the analyst copied a cURL command from a browser console and sent it to the hacker.

The HackerOne staffer accidentally included a valid session cookie in that command, which allowed the recipient to read any data the analyst had access to. This included report titles, a certain amount of metadata, and some report contents.
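The HackerOne leak above came from a session cookie embedded in a cURL command copied from a browser console. As an added example (not code from The Daily Swig or HackerOne), the function below blanks out credential-bearing headers and cookie/user arguments in such a command before it is pasted into a chat or ticket; the sensitive-header list and the sample command are constructed for illustration.

```python
from __future__ import annotations
import shlex

# Header names whose values are session or auth secrets. Constructed list;
# extend it for the token headers your own applications use.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token", "x-auth-token"}


def redact_curl(command: str) -> tuple[str, list[str]]:
    """Return (redacted_command, names_of_redacted_items).

    Tokenises the command like a shell would, then replaces the value of any
    -H/--header whose name is in SENSITIVE_HEADERS, and the argument of any
    -b/--cookie or -u/--user option, with a placeholder. Everything else
    (URL, method, other headers) is kept so the request stays reproducible.
    """
    tokens = shlex.split(command)
    out: list[str] = []
    redacted: list[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-H", "--header") and nxt is not None:
            name, sep, _value = nxt.partition(":")
            if sep and name.strip().lower() in SENSITIVE_HEADERS:
                out += [tok, f"{name.strip()}: <REDACTED>"]
                redacted.append(name.strip().lower())
            else:
                out += [tok, nxt]
            i += 2
            continue
        if tok in ("-b", "--cookie", "-u", "--user") and nxt is not None:
            out += [tok, "<REDACTED>"]
            redacted.append(tok.lstrip("-"))
            i += 2
            continue
        out.append(tok)
        i += 1
    return shlex.join(out), redacted


# Constructed sample resembling a browser "Copy as cURL" export; the cookie
# and bearer values are placeholders, not real credentials.
SAMPLE = (
    "curl 'https://example.com/api/reports/123' "
    "-H 'accept: application/json' "
    "-H 'cookie: __Host-session=EXAMPLE_SESSION_VALUE; theme=dark' "
    "-H 'authorization: Bearer EXAMPLE_TOKEN' "
    "--compressed"
)
```

Running `redact_curl(SAMPLE)` keeps the URL and the `accept` header but replaces both secret values with `<REDACTED>`, and reports which items it touched so the step can be logged.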


December saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

Apple, Inc.

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$1.5 million

Outline:
Apple has taken its private bug bounty program public, with the tech giant now offering rewards to researchers who discover vulnerabilities in the latest versions of iOS, iPadOS, macOS, tvOS, and watchOS.

Notes:
Bounty payments are determined by the level of access or execution obtained by the reported issue. Issues that are unique to developer or public betas can result in a 50% additional bonus if the issues were previously unknown to Apple.

Visit the Apple Security Bounty page for more info

DataStax

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
DataStax provides enterprise organizations with hybrid and multi-cloud data architectures.

Notes:
Visit the DataStax bug bounty page at HackerOne for more info

NordVPN

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
NordVPN is encouraging security researchers to hunt for vulnerabilities in its Windows, macOS, iOS, Android, and Linux applications. The bug bounty program also covers the vendor’s browser extensions, VPN servers, backend services, and website.

Notes:
The launch of the rewards program follows an earlier security incident that resulted in private encryption keys being stolen from the company and disseminated online.

Visit the NordVPN bug bounty page at HackerOne for more info

OnePlus

Program provider:
HackerOne

Program type:
Private bug bounty

Max reward:
$7,000

Outline:
Global mobile technology company OnePlus has announced the launch of the OnePlus Security Response Center and an accompanying bug bounty program. Rewards for qualifying bug reports will range from $50 to $7,000, depending on the potential impact of the threat.

Notes:
The HackerOne collaboration will start as a pilot program. A public version of the program is slated to go live later in 2020.

Visit the OnePlus Security Response Center for more info

Zenly

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Zenly is a real-time location sharing app available via the Apple and Google Play stores. The company is offering rewards of up to $5,000 to researchers who discover security vulnerabilities in the Zenly app or API endpoints.

Notes:
“We will reward reports according to their severity on a case-by-case basis as determined by our security team,” the company said. “We may pay more for unique, hard-to-find bugs; particularly on our mobile clients.”

Visit the Zenly bug bounty page at HackerOne for more info

Other bug bounty and VDP news:


To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.
