New web targets for the discerning hacker

The latest bug bounty news and programs for April 2021

It’s been a month of bumper bug bounty payout news, with Uruguayan researcher Ezequiel Pereira stealing the headlines for winning Google’s GCP VRP Prize 2020.

Using an internal version of the Google Cloud Platform (GCP) service, Pereira was able to exploit a remote code execution vulnerability in Google Cloud Deployment Manager and issue requests to internal endpoints via its global software load balancer.

He netted $133,337 in prize money, as well as a $31,337 bug bounty award under Google’s Vulnerability Reward Program (VRP).

Meanwhile, bug bounty hunter and Google employee Teddy Katz won $25,000 for discovering a security vulnerability that allowed attackers to disclose Actions secrets in GitHub repositories.

And there was a $55,000 payout for researcher Alaa Abdulridha, who found two third-party vulnerabilities that could have compromised Facebook’s internal network.

Authentication cookies used by an unnamed third-party application could be manipulated to compromise accounts belonging to Facebook employees, with a flaw in the application’s form-building feature allowing access to intern.our.facebook.com.

In program news, Microsoft has launched a bug bounty program for 365 applications, starting with Microsoft Teams’ desktop client.

But this looks like small change compared with the new bug bounty reward on offer from bitcoin exchange Sovryn – $1.25 million for security flaws in the Sovryn smart contract. There’s also up to $22,000 for hackers who uncover flaws in the company's websites and web-facing applications.

Find out more in our latest bug bounty programs list below.

Finally, in other news, HackerOne has reported a big rise in the number of hackers reporting vulnerabilities to companies – up by 63% in 2020.

In its latest annual report, the security platform found that more than a third reported spending more time hacking during the pandemic, often focusing on threats from remote working.


The latest bug bounty programs for April 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Avalanche Protocol

Program provider: HackenProof

Program type: Public bug bounty

Max reward: $10,000

Outline: Avalance is an open source platform for launching highly decentralized applications and custom blockchain networks. Security researchers are being rewarded for discovering vulnerabilities in various technologies, including the Avalanche Wallet and public-facing APIs.

Notes: This program is accompanied by the Avalanche General program, which offers rewards for bugs discovered in various web assets.

Visit the Avalanche Protocol bug bounty page at HackenProof for more info

BlockFi

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $3,000

Outline: The second blockchain org in this month’s list of bug bounty newcomers is BlockFi, which provides cryptocurrency savings, loans, and trading services.

Notes: There are minimal details on the company’s bug bounty page, although the company said it “looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe”.

Visit the BlockFi bug bounty page at HackerOne for more info

Mattermost

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,000

Outline: Mattermost is an open source collaboration tool for developers. The company’s new bug bounty program offers rewards for cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), denial-of-service exploits, and information disclosure issues.

Notes: To participate in this program, researchers need to enable two-factor authentication.

Visit the Mattermost bug bounty page at HackerOne for more info

Microsoft Applications Bounty Program

Program provider: Independent

Program type: Public

Max reward: $30,000

Outline: A program dedicated to 365 applications has kicked off with Microsoft Teams’ desktop version the sole product in scope and a significantly higher payment ceiling than the $20,000 on offer under its online services program.

Notes: Valid vulnerability reports for Microsoft Teams are also now eligible for a 200% bonus multiplier applied to points earned under the company’s Researcher Recognition Program.

Check out our recent coverage for more info

Scopely

Program provider: HackerOne

Program type: Public

Max reward: $3,000

Outline: Scopely, a publisher of mobile games such as Scrabble Go, Yahtzee, and Wheel of Fortune, has 13 assets in scope, with vulnerabilities affecting games attracting higher rewards than those impacting supporting services.

Notes: Rewards scale up according to impact tiers, from those affecting the security of additional services at the bottom to those disrupting the global game economy earning the biggest payouts, as well as ease of exploitation.

Visit the Scopely bug bounty page at HackerOne for more info

Sovryn

Program provider: Immunefi

Program type: Public

Max reward: $1.25 million

Outline: A chance to become an instant millionaire after Bitcoin exchange Sovryn announced what is believed to be the biggest-ever bug bounty reward for security flaws in the Sovryn smart contract, while website and web app flaws can earn bounties up to $22,000.

Notes: Asked why such a huge reward was on offer, Sovryn co-founder Edan Yago told The Daily Swig: “We believe we are in an arms race for security. The more we offer, the more likely we are able to outbid others in the attention economy for whitehat talent.”

Check out our recent coverage for more info

Step Public Applications

Program provider: Bugcrowd

Program type: Public

Max reward: $4,500

Outline: Step, which develops financial tools to help teenagers manage and save money, has invited ethical hackers to probe its iOS and Android apps.

Notes: Out of scope are bugs related to clickjacking, spam vectors, anti-spoofing email configurations, and rate limit problems that don’t lead to account compromise.

Visit the Step Public Applications bug bounty page at Bugcrowd for more info

Via

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,000

Outline: US ride-sharing company Via is asking researchers to probe its Android and iOS apps for security flaws. Up to $3,000 is on offer for critical issues.

Notes: There’s a long list of out-of-scope issues, and researchers should check this thoroughly before starting their engagement.

Visit the Via bug bounty page at HackerOne for more info


Other bug bounty and VDP news this month


Compiled by James Walker. Introduction by Emma Woollacott, Additional reporting by Adam Bannister.


RELATED Bug Bounty Radar // March 2021