New web targets for the discerning hacker

The latest bug bounty news and programs for April 2021

It’s been a month of bumper bug bounty payout news, with Uruguayan researcher Ezequiel Pereira stealing the headlines for winning Google’s GCP VRP Prize 2020.

Pereira gained access to an internal version of a Google Cloud Platform (GCP) service, exploiting a remote code execution vulnerability in Google Cloud Deployment Manager to issue requests to internal endpoints via Google’s global software load balancer.

He netted $133,337 in prize money, as well as a $31,337 bug bounty award under Google’s Vulnerability Reward Program (VRP).

Meanwhile, bug bounty hunter and Google employee Teddy Katz won $25,000 for discovering a security vulnerability that allowed attackers to disclose Actions secrets in GitHub repositories.

And there was a $55,000 payout for researcher Alaa Abdulridha, who found two third-party vulnerabilities that could have compromised Facebook’s internal network.

Authentication cookies used by an unnamed third-party application could be manipulated to compromise accounts belonging to Facebook employees, with a flaw in the application’s form-building feature allowing access to intern.our.facebook.com.

In program news, Microsoft has launched a bug bounty program for Microsoft 365 applications, starting with the Microsoft Teams desktop client.

But this looks like small change compared with the new bug bounty reward on offer from bitcoin exchange Sovryn – $1.25 million for security flaws in the Sovryn smart contract. There’s also up to $22,000 for hackers who uncover flaws in the company's websites and web-facing applications.

Find out more in our latest bug bounty programs list below.

Finally, in other news, HackerOne has reported a big rise in the number of hackers reporting vulnerabilities to companies – up by 63% in 2020.

In its latest annual report, the security platform found that more than a third reported spending more time hacking during the pandemic, often focusing on threats from remote working.


The latest bug bounty programs for April 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Avalanche Protocol

Program provider: HackenProof

Program type: Public bug bounty

Max reward: $10,000

Outline: Avalanche is an open source platform for launching highly decentralized applications and custom blockchain networks. Security researchers are being rewarded for discovering vulnerabilities in various technologies, including the Avalanche Wallet and public-facing APIs.

Notes: This program is accompanied by the Avalanche General program, which offers rewards for bugs discovered in various web assets.

Visit the Avalanche Protocol bug bounty page at HackenProof for more info

BlockFi

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $3,000

Outline: The second blockchain org in this month’s list of bug bounty newcomers is BlockFi, which provides cryptocurrency savings, loans, and trading services.

Notes: There are minimal details on the company’s bug bounty page, although the company said it “looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe”.

Visit the BlockFi bug bounty page at HackerOne for more info

Mattermost

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,000

Outline: Mattermost is an open source collaboration tool for developers. The company’s new bug bounty program offers rewards for cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), denial-of-service exploits, and information disclosure issues.

Notes: To participate in this program, researchers need to enable two-factor authentication.

Visit the Mattermost bug bounty page at HackerOne for more info

Microsoft Applications Bounty Program

Program provider: Independent

Program type: Public

Max reward: $30,000

Outline: A program dedicated to Microsoft 365 applications has kicked off with the Microsoft Teams desktop client as the sole product in scope, and with a significantly higher payment ceiling than the $20,000 on offer under the company’s online services program.

Notes: Valid vulnerability reports for Microsoft Teams are also now eligible for a 200% bonus multiplier applied to points earned under the company’s Researcher Recognition Program.

Check out our recent coverage for more info

Scopely

Program provider: HackerOne

Program type: Public

Max reward: $3,000

Outline: Scopely, a publisher of mobile games such as Scrabble Go, Yahtzee, and Wheel of Fortune, has 13 assets in scope, with vulnerabilities affecting games attracting higher rewards than those impacting supporting services.

Notes: Rewards scale with impact tier and ease of exploitation: flaws affecting the security of supporting services sit at the bottom, while those that could disrupt the global game economy earn the biggest payouts.

Visit the Scopely bug bounty page at HackerOne for more info

Sovryn

Program provider: Immunefi

Program type: Public

Max reward: $1.25 million

Outline: A chance to become an instant millionaire after Bitcoin exchange Sovryn announced what is believed to be the biggest-ever bug bounty reward for security flaws in the Sovryn smart contract, while website and web app flaws can earn bounties up to $22,000.

Notes: Asked why such a huge reward was on offer, Sovryn co-founder Edan Yago told The Daily Swig: “We believe we are in an arms race for security. The more we offer, the more likely we are able to outbid others in the attention economy for whitehat talent.”

Check out our recent coverage for more info

Step Public Applications

Program provider: Bugcrowd

Program type: Public

Max reward: $4,500

Outline: Step, which develops financial tools to help teenagers manage and save money, has invited ethical hackers to probe its iOS and Android apps.

Notes: Out of scope are bugs related to clickjacking, spam vectors, anti-spoofing email configurations, and rate limit problems that don’t lead to account compromise.

Visit the Step Public Applications bug bounty page at Bugcrowd for more info

Via

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,000

Outline: US ride-sharing company Via is asking researchers to probe its Android and iOS apps for security flaws. Up to $3,000 is on offer for critical issues.

Notes: There’s a long list of out-of-scope issues, and researchers should check this thoroughly before starting their engagement.

Visit the Via bug bounty page at HackerOne for more info


Other bug bounty and VDP news this month


Compiled by James Walker. Introduction by Emma Woollacott. Additional reporting by Adam Bannister.
