New web targets for the discerning hacker

The Hack Your State Department Act, a bill to establish bug bounty programs for US government websites, was introduced in the Senate this month.

It calls for the creation of a “vulnerability disclosure process” and accompanying bug bounty program to help shore up the department’s digital defenses.

The legislation, which requires a pilot program to be launched within a year, will follow the already-successful public sector bug bounty programs established in the US, such as the Hack the Pentagon scheme.

In other news, bug bounty platform HackerOne released its top 10 vulnerability list in June – and unsurprisingly, cross-site scripting (XSS) nabbed the top spot.

The list, which ranks vulnerability types in terms of the amount of bounty payouts awarded across the platform, saw XSS in top place, followed by improper authentication, information disclosure, and privilege escalation.

Check out the full list for details.

Finally, vulnerability disclosure was hotly debated at this month’s BSides London conference, as speaker Chloé Messdaghi called for more to be done to protect hackers from prosecution.

Messdaghi, security researcher advocate at Bugcrowd, told delegates that a safe harbor framework must be adopted by all companies participating in bug bounty programs, reports The Daily Swig’s John Leyden.

After a bumper edition last month, June saw the arrival of just a few new bug bounty programs. Here’s a roundup of the latest targets:

Acorns Grow (enhanced)

Program provider: Bugcrowd

Program type: Public bug bounty

Max reward: $3,500

Outline: Financial management firm Acorns Grow has increased its maximum bug bounty reward for critical vulnerabilities to $3,500.

Notes: In addition to the payout hike, the company has updated its safe harbour policy.

Visit the Acorns bug bounty page at Bugcrowd for more info

Personal Capital

Program provider: Bugcrowd

Program type: Public bug bounty

Max reward: $3,000

Outline: The financial software and wealth management company is asking hackers to hunt for bugs on its front-end web application stack and back-end API endpoints.

Notes: Out-of-scope targets include user and email enumeration, which Personal Capital says it allows intentionally.

Visit the Personal Capital bug bounty page at Bugcrowd for more info

Redox

Program provider: Bugcrowd

Program type: Public bug bounty

Max reward: $10,000

Outline: Healthcare data exchange platform Redox has launched its first public bug bounty program following the success of a private scheme, during which it paid out $5,000 for low-impact bugs.

Notes: The company states it will hand out the maximum payout for “extraordinary submissions”, if a researcher “has spent the time and effort to understand our platform and identified a flaw unique to our platform that most others would not find without such investment”.

Visit the Redox bug bounty page at Bugcrowd for more info

Other bug bounty and VDP news:

  • Patches for critical bugs in Magento and VLC were credited, in part, to reports from bug bounty hunters.
  • Google’s annual Capture The Flag (CTF) challenge began this month, with 10 teams qualifying for the live event, to be held later this year.
  • Over at Facebook’s CTF competition, a team of Google employees swiped first place, trolling the social media giant by changing their name to the Google CTF webpage.
  • Bugcrowd was busy this month; the platform announced a partnership with Microsoft to improve payment processes and a deal with IOActive to run its bug bounty and vulnerability disclosure programs (VDP), as well as providing pentesting services.
  • Two new points-only VDPs were launched via Bugcrowd: Algorand and Eze Eclipse.
  • HackerOne announced four new VDPs: Shieldox, UiPath, Soildus, and Upgrade all now have their own programs via the platform.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line
