New web targets for the discerning hacker
HackerOne’s bug bounty challenge with the National University of Singapore (NUS) has come to an end, with 13 valid vulnerabilities in NUS’ digital infrastructure safely reported by students and US$4,550 awarded in bounties.
It’s the second time HackerOne has partnered with a university to help students secure its systems, following a similar event in 2017. The company says it now plans to make it an annual event.
HackerOne is not the only bug bounty platform to team up with a university this month, with YesWeHack holding a workshop with Singapore Polytechnic.
Around 30 students working towards a diploma in infocomm security management took part in a live experience to discover vulnerabilities and bugs in two selected applications. The students found nine critical vulnerabilities, with one successfully gaining full admin rights to one of the apps.
In military hacking news, the US Air Force plans to encourage hackers to hijack an orbiting satellite at the DEF CON hacking conference next year. Participants will attempt to take control of the satellite's camera, either through the ground station or directly, using an emitter.
Over in Europe, the final report into the Swiss Post ‘public intrusion test’ has been published. Researchers discovered 16 low-impact vulnerabilities, netting them a total of just $2,000.
One researcher did rather better earlier this month, when he discovered serious security flaws in a developer version of Google Chrome. Securitum’s Michal Bentkowski uncovered the issue with the browser’s experimental ‘portal’ element, winning him a bounty of $10,000.
Even happier is Terry Zhang, who has scooped $40,000 for his discovery of an auth issue on the main login endpoint of Microsoft Cloud.
Meanwhile, exploit acquisition platform Zerodium has upped its rewards for mobile exploits, making Android exploits more lucrative than iOS exploits for the first time.
And, finally, PayPal is celebrating its first anniversary on HackerOne, having paid out more than $1.5 million in bounties and resolved over 300 vulnerabilities.
Other bug bounty and VDP news:
- Secure messaging app Telegram has announced a coding competition for building smart contracts for the Telegram Open Network (TON) blockchain. A prize fund of up to $400,000 is on offer.
- People Interactive, Copper, and MailTime Technology have launched points-only vulnerability disclosure programs (VDPs) through HackerOne.
To be featured in this list next month, email firstname.lastname@example.org with ‘Bug Bounty Radar’ in the subject line.
Additional reporting by James Walker.