New web targets for the discerning hacker

Crowdsourced security was a hot topic for the Swig this month, as Bugcrowd CEO Ashish Gupta spoke at length about how the global bug bounty market is developing.

As the security industry continues to evolve, disclosure platforms must move with the times – “The rules of the game are completely changing,” Gupta says.

Elsewhere, Microsoft’s Jarek Stanley, senior program manager for Redmond’s bug bounty program, spoke to the Economic Times.

Stanley opened up about Microsoft’s attitude towards bug bounties, adding that the company believes its Coordinated Vulnerability Disclosure program is the best defense in protecting customers from zero-day attacks.

At the Google I/O conference this month, researchers Artur Janc and Lukas Weichselbaum discussed the tech giant’s own Vulnerability Reward Program.

They revealed that cross-site scripting (XSS) has been the number one security vulnerability discovered by bug bounty hunters, accounting for 35% of all reports received by Google.

And finally, researcher Rojan Rijal shared a bug bounty success story this month.

Rijal, who you might remember discovered this Google XSS exploit, told his Twitter followers that he has set up his first company using rewards gained through bug bounty programs.

He name-dropped Bugcrowd, HackerOne, and Google, thanking them for helping him to reach his goal.

April saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

Alwaysdata

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
€500 ($558)

Outline:
Hosting provider alwaysdata has launched its own bug bounty program, asking researchers to hunt for bugs on its website and related applications. Maximum rewards are paid out for critical vulnerabilities, including accessing the core platform architecture in read or read-write mode.

Notes:
Any type of denial-of-service (DoS) attack is strictly prohibited, as well as any interference with network equipment and alwaysdata infrastructure.

Visit the alwaysdata bug bounty page for more info

Chainlink

Program provider:
HackerOne

Program type:
Private bug bounty

Max reward:
$4,000

Outline:
The Chainlink node and its smart contracts are the core focus of the program. All smart contracts on the GitHub repo are in scope, and bonuses will be awarded if a bug is found through creating Chainlink requests.

Notes:
Any type of DoS attack is, again, prohibited, as are social engineering attacks and any exploits requiring man-in-the-middle or physical access to devices.

Visit the Chainlink bug bounty page at HackerOne for more info

Gnosis

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
Ethereum (ETH) wallet provider Gnosis is running a bug bounty program for recently revised smart contracts on its DutchX decentralized trading protocol. All bugs are considered for a bounty, Gnosis states. Attacks that could lead to the stealing of funds, tokens, or Magnolia (MGN) would be considered a high threat, and would be eligible for the maximum reward.

Notes:
All rewards will be paid in ETH. “Additionally, we will fund the MGN Pool with $5,000 worth of ETH and $5,000 worth of GNO in order to incentivize hackers to attack it,” Gnosis stated.

Visit the Gnosis blog for more info

OKCoin

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
8-10 ETH – maximum $2,550 according to current value

Outline:
Trading platform OKCoin will reward security researchers with cryptocurrency in return for disclosing a range of vulnerabilities. At the serious end, it states “loopholes in core business systems that endanger the security of users’ assets and data” as being eligible for the top payout.

Notes:
Researchers should report bugs directly to the company’s security response team, which will deposit the funds into the finder’s account if the report is eligible.

Visit the OKCoin blog for more info

SoundCloud (enhanced)

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$1,500

Outline:
The popular music streaming platform took its private bug bounty program public this month, offering rewards for vulnerabilities found on its website, API, and mobile apps.

Notes:
The main focus of the program falls to remote code execution (RCE), XSS, account takeover, and access to exclusive content without paying, among other areas.

Visit the SoundCloud bug bounty page at Bugcrowd for more info

Squid Cache (IBB)

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$12,000

Outline:
Squid is a caching proxy for the web supporting HTTP, HTTPS, FTP, and more. In cooperation with Dropbox, the program will pay out for vulnerabilities rated ‘critical’ or ‘high’, including RCE, bypasses of Squid’s proxy filtering, and URL parsing vulnerabilities with a demonstrable security impact.

Notes:
“These bounties are our way of saying ‘Thanks’ to the security researchers who take up this challenge,” the company said.

Visit the Squid Cache bug bounty page at HackerOne for more info

VeChainThor VIP191

Program provider:
HackenProof

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
VeChain is looking for possible vulnerabilities in its multi-party payment protocol, VIP191, which allows co-signers to pay transactions on behalf of the sender.

Notes:
VeChain states it is looking for bugs related to transaction or message malleability, and other vulnerabilities or viable attack vectors that could affect the protocol.

Visit the VeChain bug bounty page at HackenProof for more info

Zaim

Program provider:
BugBounty.jp

Program type:
Public bug bounty

Max reward:
¥132,000 ($1,200)

Outline:
Household accounting service Zaim has opened its program for vulnerabilities found on its website and mobile applications. Higher rewards will be awarded for cross-site request forgery attacks, RCE, SQL injection, and other critical vulnerabilities.

Notes:
There’s an extensive list of bugs that aren’t eligible for bounty, including vulnerabilities found through automated scans or tools, so it’s worth checking the page out beforehand.

Visit the Zaim bug bounty page at BugBounty.jp for more info

Other bug bounty and VDP news:

  • Zero Day Initiative has updated its Targeted Initiative Program by adjusting some rules, adding new targets, and increasing rewards to more than $2 million.
  • An independent academic study is looking to get in touch with researchers to understand the challenges and motivations behind being a bug bounty hunter.
  • Bugcrowd revealed that submissions for bugs in IoT devices have increased by 383% year on year. Data also showed that the average payout for Q1 in 2019 was $2,320 per vulnerability – up 78%.
  • Atlassian announced it has adopted a safe harbor clause in its program rules, promising researchers that any testing carried out on in-scope targets will not lead to prosecution.
  • And disclosure platform Intigriti is offering the chance to win a Burp Pro license, swag, and private bug bounty invites. All you have to do is find the XSS here.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line
