New web targets for the discerning hacker
Since the start of the coronavirus outbreak, Zoom hasn’t been far from the news, thanks not only to a huge increase in use, but also a series of security concerns – from ‘zoombombing’ to a lack of end-to-end encryption.
At the beginning of April, the company responded to these fears by announcing that it had fixed a raft of widely publicized bugs, including two macOS flaws and a Universal Naming Convention (UNC) path-handling issue in its Windows client. It also instigated a 90-day feature freeze in order to focus on privacy and security.
Now, the video conferencing giant has signed a deal with Luta Security, founded by Katie Moussouris, to help improve its bug bounty program.
“We’ve been working with them for a while, examining their internal process maturity for investigating and resolving bugs,” tweets Katie, who is looking for feedback from the security research community.
In other program news this month, Google has launched a Covid-19 grant fund to underwrite security research during the pandemic.
Any security researcher who has submitted at least two successful vulnerability reports during the past two years is eligible for a one-time $1,337 research grant.
Meanwhile, Mozilla is revamping its bug bounty program, raising payouts for the highest-impact security flaws found in Firefox and related projects. It’s also changed its policy on multiple reports, and will now split bounties between duplicate reporters, rather than awarding them to the first person to report a bug.
And the Ethereum 2.0 bug bounty program is up and running in earnest, in preparation for the blockchain platform’s biggest upgrade since its launch five years ago. Bounties range from $500 for small defects up to $10,000 for bugs that can break the chain.
There was a big payout for Ryan Pickren this month: $75,000 from Apple. The security researcher uncovered seven Safari bugs, three of which could be chained into a one-click exploit that let a malicious website's JavaScript access the victim's webcam. The vulnerabilities were patched in February and March.
In other news this month, we spoke with Metasploit founder HD Moore about bug bounties, computer security laws, and coronavirus.
“Bug bounties, from the perspective of a 90s hacker, are absolutely amazing,” he says. “Not only do tons of companies allow you to test their security without any pre-approval, but they actually pay for it if you find something!”
Moore is predicting an increase in endpoint security issues as a result of the coronavirus crisis, including malware, ransomware, and compromised consumer networking equipment being involved in data breaches.
If researchers are feeling community-minded, they can sign up for HackerOne’s ‘Hack for Good’ sharing initiative, which allows them to donate full or partial amounts of their bounties to select charities each month.
The current recipient is the World Health Organization’s Covid-19 Solidarity Response Fund.
The announcement comes as bug bounty platforms continue to negotiate their way through the coronavirus emergency. Check out our earlier coverage to see what they’ve been up to – from tightening up their own home working practices to preparing for an influx of new customers.
The latest bug bounty programs for April 2020
April saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Alibaba
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$2,500
Outline:
Chinese e-commerce giant Alibaba has launched a new public bug bounty program, with dozens of in-scope assets and a maximum reward of $2,500 for critical vulnerabilities.
Notes:
Coupled with the launch of this bug bounty is a promotion that runs until May 31 and promises additional prizes for leading researchers in each country.
Visit the Alibaba bug bounty page at HackerOne for more info
Augur – enhanced
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$25,000
Outline:
“The Augur Bug bounty program has been appended to include bounties for finding vulnerabilities in the market creation templates,” according to a statement from the blockchain-based betting exchange platform on the revamp of its program. Bounties in this category will be paid in the amount of $25 (in REP) per vulnerability discovered.
Notes:
Both the Augur core Solidity contracts and the Augur SDK are within scope of the wider Augur bug bounty program. The most critical class of bugs the firm is interested in includes security flaws that can lead to loss of funds or to manipulation of ‘open interest’, Augur’s record of the funds escrowed in its markets.
Visit the Augur bug bounty page at HackerOne for more info
BitTorrent File System
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$5,000
Outline:
BitTorrent File System (BTFS) is pitched as the first scalable decentralized storage system. It’s being developed by the team behind the eponymous torrent client, and the newly launched bug bounty program is aimed at shining a light on any potential vulnerabilities in the platform.
Notes:
“BTFS looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe,” the company said.
Visit the BTFS bug bounty page at HackerOne for more info
Cybermalveillance.gouv.fr – enhanced
Program provider:
YesWeHack
Program type:
Public bug bounty
Max reward:
€1,500
Outline:
Following a successful private program that was launched in December 2019, the bug bounty program for cybermalveillance.gouv.fr, a French government cyber-support site, has been public since April 16 – something we previewed in February.
Notes:
The program’s primary objectives are preventing exfiltration of users’ data, modification of tools used by service providers and cybercrime victims, and redirection of contact requests to malicious destinations.
Visit the Cybermalveillance bug bounty page at YesWeHack for more info
Facebook – enhanced
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
~$50,000
Outline:
Facebook has made its established bug bounty program available to security researchers who ply their trade through HackerOne.
Notes:
“Facebook’s bug bounty program is giving hackers the option to receive bounty payouts via HackerOne,” HackerOne co-founder Michiel Prins explained in a Twitter update. “This gives hackers participating in one of the world’s oldest bug bounty programs access to a variety of fast and reliable payout options.”
Visit Facebook’s announcement for more information on the expansion of the program
NeoPhotonics – enhanced
Program provider:
Bugcrowd
Program type:
Public bug bounty
Max reward:
$3,500
Outline:
NeoPhotonics increased its rewards as of April 14, 2020. The company will also now pay out for P4 (low-severity) findings for the first time.
Notes:
The company is a leading designer and manufacturer of optoelectronic solutions for the highest-speed communications networks in telecom and data center applications.
Visit the NeoPhotonics bug bounty page at Bugcrowd for more info
NordLocker
Program provider:
Independent
Program type:
Public bug bounty
Max reward:
$10,000
Outline:
NordLocker, the file encryption tool from NordVPN, is inviting hacking enthusiasts to crack an encrypted locker and win $10,000. “Only the first person to open the locker and contact the company will get the reward,” the company said.
Notes:
“We want NordLocker users to feel confident that their files are safe,” said Oliver Noble, encryption specialist at NordLocker. “We need your help to find out whether we’ve missed anything. If you crack open the locker, you’ll have our gratitude and, of course, the generous bounty.”
Visit the NordLocker bug bounty page for more info
Olvid – enhanced
Program provider:
YesWeHack
Program type:
Public bug bounty
Max reward:
€2,000
Outline:
After four months running a private bug bounty program, Olvid, a security-focused instant messaging application, has opened up to allow YesWeHack’s entire community to participate in its program. Flaws in the Android and iOS versions of the app, as well as in Olvid’s API, are within the scope of the bug bounty program. Social engineering, and exploits that depend on compromising third-party apps or devices, are out of scope.
Notes:
Olvid does not rely on a central directory of users, an architecture designed to offer users anonymity advantages over comparable apps such as Signal and WhatsApp.
Visit the Olvid bug bounty page at YesWeHack for more info
Riot Games – enhanced
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$100,000
Outline:
Video games developer Riot Games has expanded its longstanding bug bounty program to cover Vanguard, the proprietary anti-cheat system that ships with its new shooter Valorant.
Notes:
Vanguard relies on a kernel-mode driver to combat cheaters. Security researchers who can demonstrate a way to bypass or subvert it are being offered a jaw-dropping $100,000.
Visit the Riot Games bug bounty page at HackerOne for more info
Socrata – enhanced
Program provider:
Bugcrowd
Program type:
Public bug bounty
Max reward:
$2,500
Outline:
Socrata increased its bug bounty rewards as of April 24, with the cloud-based data platform now offering up to $2,500 for critical vulnerabilities.
Notes:
Focus areas for the Socrata bug bounty program include access control vulnerabilities, server-side remote code execution, SQL injection, and path traversal issues.
Visit the Socrata bug bounty page at Bugcrowd for more info
Tencent – enhanced
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$15,000
Outline:
Hackers are being encouraged to look for vulnerabilities in all the products and services of Tencent, the Chinese technology giant. The program will be externally hosted on the Tencent Security Response Centre (TSRC).
Notes:
“To expand its community of researchers and recruit global talent, Tencent is partnering with HackerOne to run its Bug Bounty Program,” the organization said.
Visit the Tencent bug bounty page at HackerOne for more info
Other bug bounty news this month:
- On March 25, HackerOne kicked off its first-ever virtual live hacking event, #h1-2004, with Verizon Media. Hackers submitted 286 reports over the course of two weeks, resulting in over $673,000 in bounties.
- ParamSpider, a newly launched open source tool, automates the discovery of parameters in URL addresses – a key step in probing websites and applications for vulnerabilities.
- SoundCloud, Mailgun, Zilliqa, Upwork, and Caffeine have all added new targets to their Bugcrowd bug bounty programs.
- As the coronavirus pandemic rages on, YesWeHack is offering free two-month educational licenses for university-based learners and instructors.
- Bug bounties were painted in a less favorable light in a CSO Online article this month. Will the promise of crowdsourced cybersecurity turn out to be a pipe dream?
- The Hack in Paris security conference has been postponed until February 2021 due to the coronavirus pandemic.
- Bugcrowd has launched Classic Pen Test, a new project-based pen testing service aimed at helping organizations reduce testing timelines while meeting compliance requirements.
- RGhost and Amazon have launched points-only vulnerability disclosure programs (VDPs) on HackerOne.
- Will coronavirus impact browser security? We took a closer look at how the pandemic may have far-reaching security implications.
- In research news, Inti De Ceukelaire, head of hackers at bug bounty platform Intigriti, found that 15% of Atlassian Jira Service Desks were public-facing – a 12% increase on scans he’d undertaken before the Covid-19 crisis, dating back to summer 2019.
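The ParamSpider item above refers to parameter discovery: harvesting the query-parameter names an application actually uses so they can be fed to a fuzzer. As an added illustration (this is not ParamSpider's own code, nor anything from the original article), the Python script below takes a list of URLs, standing in for output from a crawler or a web archive, groups the parameter names it finds by endpoint, skips static assets, and emits one fuzzable template per endpoint with every value replaced by a FUZZ placeholder. The sample URL list is constructed for the example; the `FUZZ` placeholder and the static-extension filter are assumptions, not part of any tool's documented behaviour.

```python
"""Harvest query-parameter names from crawled URLs and build fuzz templates.

Added example, not ParamSpider's code. Input is a constructed list of URLs;
output is one template URL per endpoint with each value replaced by FUZZ.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample input (not real crawl or archive data).
SAMPLE_URLS = [
    "https://example.com/search?q=shoes&page=2",
    "https://example.com/search?q=boots&sort=price",
    "https://example.com/item.php?id=42",
    "https://example.com/item.php?id=43&ref=home",
    "https://example.com/item.php?id=44#details",      # fragment is dropped
    "https://EXAMPLE.com/admin?debug=&user=bob",      # blank value still names a param
    "https://example.com/static/logo.png?v=3",        # static asset, skipped
    "https://cdn.example.com/asset.js",                # no query string at all
    "javascript:alert(1)",                             # not http(s), ignored
]

# Extensions that rarely carry exploitable server-side parameters (assumption).
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".css", ".js", ".svg",
              ".woff", ".woff2", ".ico")


def collect_params(urls, skip_static=True):
    """Map (scheme, host, path) -> set of parameter names seen at that endpoint.

    Hosts are lower-cased so mixed-case crawl output collapses onto one key;
    blank values are kept so '?debug=' still contributes the name 'debug'.
    """
    seen = defaultdict(set)
    for raw in urls:
        parts = urlsplit(raw.strip())
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue
        if skip_static and parts.path.lower().endswith(STATIC_EXT):
            continue
        key = (parts.scheme, parts.netloc.lower(), parts.path)
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            if name:
                seen[key].add(name)
    return dict(seen)


def build_templates(urls, placeholder="FUZZ", skip_static=True):
    """Return sorted template URLs, one per endpoint, values replaced by placeholder."""
    templates = []
    for (scheme, host, path), names in sorted(collect_params(urls, skip_static).items()):
        query = urlencode([(name, placeholder) for name in sorted(names)])
        templates.append(urlunsplit((scheme, host, path, query, "")))
    return templates


if __name__ == "__main__":
    for template in build_templates(SAMPLE_URLS):
        print(template)
```

Feeding the emitted templates to a fuzzer, or diffing the parameter sets against the application's documented API, is the step where undocumented parameters (the `debug=` in the sample) tend to surface.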
To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.
Compiled by James Walker. Introduction by Emma Woollacott, with additional reporting by John Leyden.