Bug Bounty Radar // November 2019

New web targets for the discerning hacker

It’s been another bumper month for new bug bounty programs, whose numbers are apparently being swelled by fresh interest in IoT-focused schemes.

As reported by The Daily Swig, a first-of-its-kind paper from researchers in the Netherlands has deemed crowdsourced methods for unearthing IoT bugs essential, but only as part of a multi-layered approach.

The research comes as bug bounty platforms continue to report triple-digit increases in the number of IoT vulnerability reward programs.

This month also saw a series of mobile bug bounty enhancements from companies including Huawei and Android.

Huawei reportedly invited the hacker elite to a secret meeting to a secret meeting in Munich on November 16, and pledged bounties of up to $220,000 for uncovering critical vulnerabilities in its mobile hardware and software.

Google has ramped up payouts for Android vulnerabilities, with the company announcing that a full chain remote code execution exploit that compromises the Titan M secure element on Pixel devices could now attract a top payout of $1.5 million.

Elsewhere, Line Corporation, whose eponymous messaging app is popular in Asia, has taken its previously private bug bounty program public. We caught up with Line security engineer Robin Lunde to find out more about the company’s intentions.

Over in the gaming world, Rockstar Games has widened its invite-only program to include Red Dead Redemption 2, an action-adventure video game set in the American Wild West.

In payout news, a security researcher netted $500 for spotting a CSS injection vulnerability in Slack that could have exposed users’ chat data.

Matt Langlois reported the bug to the instant messaging platform in August after learning that attribute selectors within the style sheet could be leveraged to log users’ keystrokes.

Having addressing a CCleaner breach facilitated by a compromised VPN, Avast paid out $5,000 for the discovery of an XSS vulnerability in Avast Desktop Antivirus for Windows.

Bugcrowd has paid out a record sum in bounties for a single week – more than $500,000 to 237 recipients in the last week of October.

Finally, the latest annual Pwn2Own hacking contest saw last year’s winners successfully defend their Master of Pwn title with an integer overflow exploit against the Amazon Echo Show 5.

Team Fluoroacetate – congrats to Amat Cama and Richard Zhu – claimed $60,000 in bug bounties after wresting control of the Alexa-powered smart display courtesy of a malicious WiFi hotspot.

Realizing that the device used an older version of Chromium, the duo tested their exploits in a radio frequency shielding enclosure to prevent outside interference.

Android Security Rewards program – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$1.5 million

Outline:
Google has expanded its Android Security Rewards (ASR) program. Among the numerous developments is the introduction of a top prize of $1 million for a full-chain RCE exploit with persistence that compromises the Titan M secure element on Pixel devices. Additionally, the company is launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning its top prize is now $1.5 million.

Notes:
Over the past four years, Google has awarded more than 1,800 reports and paid out over $4 million through the ASR initiative.

Check out the Android Security Rewards program announcement for more info

Coda

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$1,500

Outline:
Coda provides collaborative software that allows multiple users to work on the same document at the same time. The company, which counts Uber, Spotify, and The New York Times among its customers, has launched a public bug bounty with reward levels tied to CVSS score.

Notes:
“Coda looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe,” the company said.

Visit the Coda bug bounty page at HackerOne for more info

Filezilla

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
€5,000 ($5,500)

Outline:
Following a successful run with the EU-FOSSA open source bug bounty program this year, Filezilla has chosen to continue its vulnerability disclosure journey with HackerOne.

Notes:
This bounty program is for the FileZilla client and the libfilezilla library. Rewards are based on the severity of vulnerabilities that are discovered, with CVSS scores of 9.0 and higher netting the top payout of €5,000.

Visit the FileZilla bug bounty page at HackerOne for more info

GitLab – enhanced

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$20,000

Outline:
GitLab is boosting its bug bounty payouts to hackers who discover serious security flaws in its platform, with the company now offering $20,000 for critical vulnerabilities and $10,000 for those flagged as ‘high impact’.

Notes:
Since opening its bug bounty program to the public in December 2018, GitLab has fielded more than 1,200 reports and paid out more than $500,000 in bounties.

Visit the GitLab bug bounty page at HackerOne for more info

Huawei – unconfirmed

Program provider:
Independent

Program type:
Private bug bounty

Max reward:
$220,000

Outline:
Chinese tech giant Huawei is reported to have launched a private, invite-only bug bounty program covering mobile hardware and software. The Daily Swig has asked Huawei to confirm these reports.

Notes:
Citing sources close to the company, TechCrunch security editor Zack Whittaker said the program will cover “past and future” Huawei mobile devices, as well as HarmonyOS.

Check out the TechCrunch article on the Huawei bug bounty program for more info

KU Leuven

Program provider:
Intigriti

Program type:
Public bug bounty

Max reward:
€2,500 ($2,750)

Outline:
KU Leuven, a research university in Flanders, Belgium, has challenged hackers to find bugs in its online enrolment portal, to which 40,000 applicants submit personal information and educational preferences each year.

Notes:
The registration and login processes are out of scope. Instead, the university wants to eliminate flaws in the subsequent application process that potentially enables privilege escalation, information theft, or data modification.

Check out the KU Leuven bug bounty page at Intigriti for more info

Line Corporation

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$30,000

Outline:
Line Corporation – one of the biggest messenger apps in the world – has taken its private bug bounty program public. Ethical hackers from around the world are now being invited to test Line’s core messenger application and web domains for potential security flaws. Bounty awards will range from $500 to $30,000 for eligible vulnerabilities.

Notes:
Since starting its private, self-run bug bounty programs in June 2016, Line has received more than 1,000 reports and paid over $300,000 in bounties. “As being transparent about security issues is very important to us, we wanted a convenient way to disclose such information,” said Naohisa Ichihara, head of Line’s cybersecurity department. “Our original platform did not have an easy way of achieving this, so it was also a contributing factor in deciding to move to HackerOne.”

Visit the Line Corporation bug bounty page at HackerOne for more info

Mozilla Security Bug Bounty – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$15,000

Outline:
To celebrate 15 years since the launch of Firefox 1.0, Mozilla has made significant enhancements to its bug bounty program. The organization is doubling all web payouts for critical, core, and other Mozilla sites as per the Web and Services Bug Bounty Program page. In addition Mozilla is tripling payouts to $15,000 for RCE payouts on critical sites.

Notes:
The expansion of Mozilla’s bug bounty program has included the addition of numerous services and sites, including Firefox Monitor, Autograph, Phabricator, and Ship It.

Check out the Mozilla Security Blog for more info

Oasis Protocol Foundation

Program provider:
HackerOne

Program type:
Private

Max reward:
$10,000

Outline:
Researchers who discover security flaws in this self-described “community of privacy pioneers, security dreamers, and decentralized believers” can earn rewards ranging from $150 to $10,000.

Notes:
Rewards are based on severity per CVSS. With no public endpoint to test against, researchers must spin up their own testnet.

Check out the Oasis bug bounty page on HackerOne for more info

Pillar Project Worldwide

Program provider:
HackerOne

Program type:
Private

Max reward:
$3,000

Outline:
Pillar wants bug hunters – especially experts in network security – to check for vulnerabilities in its wallet mobile app and supporting APIs. The goal is making Pillar Wallet the most secure token and cryptocurrency wallet around.

Notes:
Critical bugs include those that lead to horizontal privilege escalation, remote code execution on API hosts, or private key leakage on non-rooted or jailbroken devices.

Check out the Pillar Project bug bounty page at HackerOne for more info

GovTech Singapore – temporary program

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
The Government Technology Agency (GovTech) of Singapore is conducting its third bug bounty program. This time around, the agency has expanded the initative to cover 12 internet-facing government systems, digital services, and mobile apps.

Notes: This temporary program ends on December 8, 2019.

Visit the GovTech bug bounty media release for more info

TomoChain

Program provider:
HackerOne

Program type:
Private

Max reward:
$5,000

Outline:
TomoChain, a developer of blockchain technology, has 12 assets in scope and 31 reports already resolved at the time of writing.

Notes:
The new program offers $250 for low-risk bugs, $500 for medium risk, $1,500 for high risk, and $5,000 for critical vulnerabilities.

Check out the TomoChain bug bounty page at HackerOne for more info

Tumblr

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Six years after launch, Tumblr’s program is being migrated to HackerOne. The blogging platform’s scheme was previously independent.

Notes:
Tumblr, which Verizon Media offloaded to Automattic in August, is offering rewards of between $100 and $5,000.

Check out the Tumblr bug bounty page an HackerOne for more info

Other bug bounty and VDP news:

• The team behind the EU’s open source bug bounty program, EU-FOSSA, held an AMA on Reddit this week. Issues covered included patents and standards, standard document formats, and EU funding for open source projects.
• BitDiscovery and Blend have launched points-only vulnerability disclosure programs (VDPs) through Bugcrowd.
• Intel has launched a new blog for security topics and bug bounty news. Technology@Intel will serve as a resource for security updates, bug bounty topics, new security research, and engagement activities within the security research community.
• Security pros Chloé Messdaghi and Alyssa Herrera have started a bug bounty team that has more than 100 women members. @WomenHackerz is on the lookout for more new recruits.
• Genasys Technologies, Streak, Logitech, Gmelius, MobiSystems, Natur.com, Stripo, have launched points-only VDPs on HackerOne.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.

Additional reporting by James Walker.

RELATED Bug Bounty Radar // October 2019