New web targets for the discerning hacker

Bug Bounty Radar - The latest bug bounty programs for April 2022

With all eyes on Ukraine this month, HackerOne has been forced to apologize after bug bounty hunters in the country were temporarily locked out of their accounts, preventing access to their funds.

Chief hacking officer and CISO Chris Evans blamed the problem on delays in backend payment systems. The problem occurred following sanctions in the region, with HackerOne first suggesting that payments to bug bounty hunters in Russia and Belarus would be automatically donated to charity. It later backtracked, saying the money would be held in their accounts.

Meanwhile, concerns have been raised over a plan by Estonia-based bug bounty platform HackenProof to unearth critical vulnerabilities in the digital infrastructure of both the Ukrainian and Russian governments, with the aim of bolstering Ukraine’s defenses. Hackers said they were concerned that the plan could potentially escalate the conflict.

In other news, Password manager 1Password has upped its maximum bug bounty reward to $1 million – one of the biggest potential payouts in the industry. It says logic issues are likely to net the biggest rewards, and that one researcher has managed to claim nearly half of the total payouts to date by looking for issues such as this.

There was a second bite of the cherry this month for security researcher Youssef Sammouda – last year, he netted $126,000 for discovering three flaws in Facebook’s Canvas technology, used for embedding online games and interactive apps in its platform. Sammouda has now won an extra $98,000 for revealing problems with Facebook’s initial attempt at a fix.

And finally, Chromium developers have patched an inappropriate implementation in HTML parser which was discovered by Michał Bentkowski, a penetration tester for Polish cybersecurity firm Securitum. The medium-severity bug meant that websites thought to be XSS-protected could have been unintentionally exposed to XSS attacks in Chrome sessions.


The latest bug bounty programs for April 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

1Password

Program provider: Bugcrowd

Program type: Public

Max reward: $1 million

Outline: Password manager 1Password is asking security researchers to probe for vulnerabilities in three of its web domains.

Notes: The $1 million figure is the maximum reward for a capture the flag challenge, which forms part of the bug bounty program. The highest reward for single vulnerabilities is $30,000.

Check out the 1Password bug bounty page at Bugcrowd for more details

BitForex

Program provider: HackenProof

Program type: Private

Max reward: $15,000

Outline: Cryptocurrency exchange BitForex is seeking security vulnerabilities in its web and iOS products.

Notes: The list of out-of-scope targets is extensive for both its web and mobile applications, so take a look before starting any bug hunting.

Check out the BitForex bug bounty page at HackenProof for more details

CoinDCX – updated

Program provider: Bugcrowd

Program type: Public

Max reward: $2,500

Outline: CoinDCX is offering rewards for security issues found in its web and mobile apps and API.

Notes: CoinDCX is asking researchers to focus on three areas: accessing another account’s personal or financial information, accessing the wallets of other users, and withdrawing funds as a sub-account.

Check out the CoinDCX bug bounty page at Bugcrowd for more details

Kraden

Program provider: HackerOne

Program type: Public

Max reward: $3,000

Outline: Kraden is a secure messaging app from Dragon. It is looking for vulnerabilities in a number of domains and its Android APK.

Notes: The blog domain is out of scope, so researchers should steer clear of this asset.

Check out the Kraden bug bounty page at HackerOne for more details

Palantir

Program provider: HackerOne

Program type: Public

Max reward: $10,000

Outline: Big data analytics firm Palantir has launched a program to find vulnerabilities in its public-facing interfaces and public cloud resources including AWS and Microsoft Azure infrastructures.

Notes: Palantir has based its severity scoring on CVSS scores, but says it withholds the right to adjust this on a case-by-case basis.

Check out the Palantir bug bounty page at HackerOne for more details

SMTP2GO

Program provider: HackerOne

Program type: Private

Max reward: $2,000

Outline: SMTP2GO is a scalable email service provider for sending transactional and marketing emails and viewing reports on email delivery. It is asking researchers to look for vulnerabilities in three of its domains.

Notes: As this is a private program, participation is on an invite-only basis.

Check out the SMTP2GO bug bounty page at HackerOne for more details

Socket

Program provider: Independent

Program type: Public

Max reward: $1,000

Outline: Designed to secure the JavaScript supply chain, Socket “uses deep package inspection to peel back the layers of a dependency to characterize its actual behavior”, according to its architects.

Notes: In scope are socket.dev and socketusercontent.com and all subdomains therein.

Check out the Socket’s bug bounty page for more details

Telenor Sweden

Program provider: YesWeHack

Program type: Public

Max reward: $4,000

Outline: Swedish telecoms provider Telenor Sweden has launched a new program with the European bug bounty platform.

Notes: Remote code execution appears to be the company’s main target, with a list of guidelines dedicated to this attack alone.

Check out the Telenor Sweden bug bounty page at YesWeHack for more details

Trade Republic Bank

Program provider: HackerOne

Program type: Public

Max reward: $8,500

Outline: Trade Republic Bank is a financial services provider which helps with investing in stocks, ETFs, derivatives, and cryptocurrencies.

Notes: There is a long list of out-of-scope attacks, which is worth checking out beforehand.

Check out the Trade Republic Bank bug bounty page at HackerOne for more details


Other bug bounty and VDP news this month

  • The US Department of Defense’s annual Vulnerability Disclosure Program (VDP) report is now available to download. The program saw the disclosure of nearly 12,000 new vulnerabilities in 2021.
  • Security Scorecard, The Walt Disney Company, and Circle have launched unpaid VDPs on HackerOne.
  • The European Commission is inviting hackers to register for the NextGov Hackathon, which takes place on April 25 to May 10.
  • Bugcrowd is hosting a new VDP from Sigma.
  • HackerOne has removed Kaspersky from its bug bounty platform amid the ongoing war in Ukraine. In a tweet last month, the Russian antivirus vendor said that vulnerabilities can be reported via its website.

Additional reporting by Emma Woollacott.


PREVIOUS EDITION Bug Bounty Radar // March 2022