New web targets for the discerning hacker

Bug bounties got off to a running start in 2019, as researchers welcomed the arrival of a new, EU-funded scheme to offer payments on flaws that are discovered in free and open source software projects.

As previously reported by The Daily Swig, the bug bounty program is an extension of the Free and Open Source Software Audit (FOSSA) project. It will reward ethical hackers who uncover flaws in key components of internet technologies such as Drupal and Apache Tomcat, as well as consumer utilities such as the VLC Media Player.

The full list of FOSSA bug bounties can be found on Julia Reda MEP’s blog page.

Over in the US, the SECURE Technology Act (HR 7327) has now been signed into law. The legislation includes a provision to establish a pilot vulnerability disclosure program (VDP) for the Department of Homeland Security.

The government’s move to codify its federal-level bug bounty programs comes just two years after HackerOne partnered with the Department of Defense for the month-long Hack the Pentagon pilot program.

Check out our recent interview with Mårten Mickos to hear the HackerOne CEO’s thoughts on shifting perceptions of bug bounties in the public sector.

In payout news, Oath announced it awarded a total of $5 million in bounties in 2018 – nearly five times the bounties paid in 2017. The media conglomerate, whose brands include Yahoo!, AOL, Verizon, and TechCrunch, received more than 1,900 valid vulnerabilities through its private bug bounty program.

But that’s enough reflecting on 2018. January is the month of new beginnings, and there are plenty of new bug bounty targets and VDPs for hackers to sink their teeth into this year.

GitLab

Program provider:
HackerOne

Program type:
Public bug bounty

Max payout:
$12,000

Outline:
GitLab is a web-based Git repository manager for developers. The company’s new public bug bounty program will pay out between $1,000 and $12,000 for flaws rated low, medium, high, and critical.

Included in the scope of the program are a user’s GitLab installation, GitLab.com production services, and other products, including the organization’s Software as a Service offering.

Notes:
“Since launch, the GitLab VIP (invite-only, private program) and the public VDP have resolved nearly 250 vulnerabilities thanks to the over 100 participating hackers,” said GitLab’s director of security, Kathy Wang.

The GitLab VDP has paid out $194,700 in bounties since 2014.

Visit the GitLab bug bounty page at HackerOne for more info

Hyatt Hotels Corporation

Program provider:
HackerOne

Program type:
Public bug bounty

Max payout:
$4,000

Outline:
Hyatt Hotels has become the first global hospitality organization to launch a public bug bounty program. Assets in scope include hyatt.com, world.hyatt.com, and the Hyatt Hotels mobile app.

The company’s bug bounty program will pay out between $300 and $4,000 for flaws rated low, medium, high, and critical.

Notes:
In October 2017, Hyatt Hotels discovered unauthorized access to payment card information at 41 of its properties around the world. This came less than two years after the hotelier disclosed a data breach that affected guests’ cards used at 250 hotels.

Visit the Hyatt Hotels bug bounty page at HackerOne for more info

Microsoft – Azure DevOps Services

Program provider:
Microsoft

Program type:
Public bug bounty

Max payout:
$20,000

Outline:
The latest addition to Microsoft’s growing list of bug bounty targets is Azure DevOps Services – the vendor’s cloud service for collaborating on code development.

Qualified submissions are eligible for bounty rewards of $500 to $20,000 for vulnerabilities discovered in Azure DevOps Services (formerly Visual Studio Team Services) and the latest publicly available versions of Azure DevOps Server.

Notes:
“Azure DevOps Services is committed to providing rock-solid security, and as a part of that we believe in close partnerships with security researchers and our user community,” said Microsoft.

Visit the Microsoft Azure DevOps bug bounty page for more info

Skyscanner

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max payout:
$2,000

Outline:
Skyscanner, a leading travel fare aggregator website, has taken its bug bounty program public. The UK-based company will award up to $2,000 for each vulnerability identified on its website, API, and mobile apps.

Skyscanner’s private bug bounty program resulted in the discovery of more than 200 vulnerabilities.

Notes:
Commenting on the new public bug bounty, Ante Gulam, Skyscanner CISO, said: “Keeping data safe and secure is a top priority and a core company value for us. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of Skyscanner.”

Visit the Skyscanner bug bounty page at Bugcrowd for more info

Other Bug Bounty and VDP news:

  • On January 19, Bugcrowd hosted LevelUp 0x03, the third instalment of its free, day-long conference for bug bounty hunters. There were two tracks this year – one on Twitch and another on YouTube.
  • Stanford University has rolled out a bug bounty program, although only current students can participate. The program’s inaugural hackathon took place on January 19, with students uncovering more than 20 flaws across 13 Stanford websites.
  • HackerOne has partnered with the Singapore government to launch new bug bounty programs aimed at protecting public-facing websites.
  • Ford Motor Company has rolled out an (unpaid) vulnerability disclosure program for numerous web domains, along with its Android and iOS apps.
  • Facebook and Google have come together to launch BountyCon, a joint, two-day invitation-only conference that will take place in Singapore on March 30-31. A capture-the-flag competition is running on Facebook and Google sites, and the highest-scoring researchers will receive complimentary airfare and accommodation.
  • A late entry in this month’s Bug Bounty Radar, FileZilla has joined the EU-FOSSA project.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line