New web targets for the discerning hacker

Ahead of this year’s Black Hat Asia security conference, HackerOne cut the ribbon on its new Asia-Pacific headquarters in Singapore, focusing on its government, technology, and enterprise customers. It says it’s also looking to hire “top talent” in the area.

Meanwhile, it turns out that ethical hacking can be a nice little earner: self-taught 19-year-old Santiago Lopez has become the first hacker in the world to make $1 million in bug bounties.

Lopez, who goes by the handle @try_to_hack, started reporting security weaknesses through HackerOne bug bounty programs in 2015, and since then has uncovered more than 1,600 security flaws.

Elsewhere, Facebook has launched Whitehat Settings to make it easier for researchers to find security flaws in its website, Messenger, and Instagram Android applications.

The settings allow researchers to bypass the Certificate Pinning security mechanism while running Facebook’s mobile apps. They also enable proxying for Platform API requests, allow TLS 1.3 support to be disabled and permit user-installed security certificates.

In other platform news, Intigriti has added a Bug Bounty Roulette feature; YesWeHack has released a template manager to help researchers better document their security reports; and Bugcrowd has rolled out Traffic Control 2.0 – the newest version of its VPN technology, giving its bug bounty customers increased control over their security testing programs.

Elsewhere, Richard Zhu and Amat Cama – aka Team Fluoroacetate – took home the grand prize of bug bounty hunting after dominating Pwn2Own Vancouver to win $375,000 and a Tesla Model 3 sports car in the process.

The event saw the disclosure of a cumulative total of 19 bugs in Apple Safari, Microsoft Edge and Windows, VMware Workstation, Mozilla Firefox, and the Tesla infotainment system.

Last month, Mechele Gruhn, principal security program manager for the Microsoft Security Response Center, said she was watching the event closely.

“We absolutely love it when teams go up against our products and find vulnerabilities… so that we can fix them,” she said.

March saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

BlueJeans Network (enhanced)

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$2,000

Outline:
BlueJeans Network – a provider of cloud-based video conferencing services – has added monetary rewards to its previously points-only bug bounty program.

The California-based company will now pay out up to $2,000 for critical vulnerabilities.

Notes:
“BlueJeans is interested in any vulnerabilities that can be used to gain access to another BlueJeans service user’s account and meeting video recordings,” the company said.

Visit the BlueJeans Network bug bounty page at Bugcrowd for more info

Credit Karma

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Credit Karma is a personal finance technology company with more than 85 million members in the US and Canada.

The organization has opened up several of its public-facing web properties for vulnerability rewards, along with its Android and iOS apps.

Notes:
The company has advised researchers to focus their efforts on authentication, session, horizontal privilege escalation, and critically sensitive data exposure. “We consider these types of findings as critical findings,” Credit Karma said.

Visit the Credit Karma bug bounty page at HackerOne for more info

DarkMatter (enhanced)

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$2,400

Outline:
Rewards for the DarkMatter bug bounty program have now doubled, with the end-to-end security firm now paying out up to £2,400 per vulnerability.

Researchers looking for some low-hanging fruit will also be pleased to hear that the company is now offering rewards for P4 – low impact – submissions.

Visit the DarkMatter bug bounty page at Bugcrowd for more info

Melonport

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
Undefined

Outline:
Melonport is inviting security researchers to test its crypto asset management protocol for vulnerabilities.

The Swiss company has set aside a total rewards pool of $250,000 for those who successfully identify flaws in Melon Protocol v1.0.

Notes:
“In order to test the security of our smart contracts and thereby to detect possible vulnerabilities in our code, we invite and challenge everyone out there to find attack vectors/security vulnerabilities in the Melon protocol,” the organization said in a blog post.

Visit the Melonport bug bounty page for more info

Lob

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Marketing services company Lob launched a new bug bounty program at the end of March. Payouts range from $100-$500 for flaws including XSS, privilege escalation, and CSRF to $5,000 for RCE.

Notes:
“One of the most likely places in our architecture for RCE to occur is in our content rendering pipeline,” the company explained. “As a result we have sandboxed all rendering, such that even if you have full code execution you cannot read the mail content of other customers. Therefore RCEs in our rendering pipeline will only pay out $1,500, unless you can find a sandbox escape to read other customers’ data, which would then qualify for a full $5,000.”

Visit the Lob bug bounty page at HackerOne for more info

Omise

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$2,000

Outline:
Asia-focused payments processor Omise is asking security researchers to test the Omise Vault, API, Dashboard, and Exchange for security flaws.

Eligible vulnerabilities include RCE, SQL injection, authentication bypass, live account takeover, and XSS.

Notes:
The company said: “We will reward in the range of $100 to $2,000 USD depending on the application, risk, complexity, impact, and overall severity of the vulnerability.”

Visit the Omise bug bounty page at HackerOne for more info

Tube8

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$25,000

Outline:
Pornographic video sharing site Tube8 has launched a public bug bounty program. The organization is offering a maximum payout of $25,000 for vulnerabilities discovered on its main site and core subdomains.

Notes:
At this time, the scope of this program is limited to security vulnerabilities found on Tube8.com and its associated language-based domains and subdomains.

Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward, although the company said “high impact vulnerabilities outside of this scope might be considered on a case-by-case basis”.

Visit the Tube8 bug bounty page at HackerOne for more info
Other Bug Bounty and VDP news:

  • During the Cyber Security Agency of Singapore’s latest hacking challenge, researchers earned $11,750 for reporting 26 security vulnerabilities in public-facing government systems.
  • Sprout Social, Dell, and Stackpath have launched points-only vulnerability disclosure programs (VDPs) through Bugcrowd.
  • Security researchers discovered more than 40 bugs in various blockchain platforms in the 30 days up until March 15, reports The Next Web.
  • The MidPoint identity management and governance system has become the latest addition to the EU-FOSSA open source bug bounty initiative.
  • Iconloop has taken its private bug bounty program public.
  • On March 5, Bugcrowd and Secure Code Warrior announced the Secure Code Warrior Partnership, aimed at providing “a more robust framework for bridging the gap between security and development teams”.
  • Starling Bank and Sonatype have launched unpaid VDPs through HackerOne.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line
Additional reporting by Emma Woollacott
