New web targets for the discerning hacker

Bug Bounty Radar - the latest bug bounty programs for December 2022

Bug bounty platform HackerOne has launched a scheme to encourage customers to adopt a standard policy geared towards protecting hackers from potential legal problems.

The Gold Standard Safe Harbor (GSSH) is designed to be “short, broad, [and] easily-understood”, according to HackerOne.

Many bug bounty and vulnerability disclosure programs offer safe harbor agreements that allow hackers acting in good faith to do their thing. HackerOne’s standard policy is designed to collate best practices while reducing the administrative burden for hackers, who will have no need to scrutinize the terms and conditions of targets before looking for in-scope vulnerabilities.

European crowdsourced security platform Intigriti, meanwhile, has launched Bug Bounty Calculator, a tool designed to help bug bounty program owners pitch their payout rates at the appropriate level.

To generate reward suggestions program providers select their industry and describe their assets in terms of risk level, maturity level, and incentive curve.

Inti de Ceukelaire, head of hackers at Intigriti, explained why he built the tool: “Anyone can set up a bug bounty program, but if you aren’t sure what you’re doing, you may pay too much for vulnerabilities. Even worse, set your bounties too low and you may not attract any researchers at all.”

The maximum payout awards under a growing number of programs have reached $1 million and more. Earlier this week The Daily Swig took a closer look into these high potential reward programs and discovered that market forces, in particular a scarcity of skilled talent, are driving up the value of rewards offered.

Web 3.0 and crypto platforms, in particular, are competing to offer dazzlingly high potential rewards. However, experts questioned by The Daily Swig pointed out the rarity of firms in this arena actually paying out seven-figure sums, which suggests some are offering enormous potential bounties in an attempt to court publicity.

Against this are several examples of six-figure payouts by more established tech vendors such as Apple and Intel. However, HackerOne reports that the median payouts for critical vulnerabilities comes in at $3,000 – a figure worth bearing in mind by anyone tempted to quit their day job in pursuit of greater riches on the bug bounty circuit.

An example of an interesting flaw on the lower end of the scale dropped early in November when a researcher revealed that they had earned a $250 bug bounty payout after discovering a code injection flaw in Acronis’ cloud management console that could be abused for data theft.

On November 4, ‘Medi’ (under the alias ‘mr-medi’), published a technical analysis of the client-side path traversal flaw, which they described as the “favorite bug” they’d ever found.


The latest bug bounty programs for December 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Abraxas (enhanced)

Program provider:
Bug Bounty Switzerland

Program type:
Public

Max reward:
CHF 30,000 ($26,167)

Outline:
Abraxas, which provides IT services for the government and public sector in Switzerland, has tripled maximum payouts from 10,000 Swiss francs to 30,000 francs.

Notes:
Program has a particular focus on vulnerabilities that could enable attackers to manipulate the outcome of Swiss elections.

Check out the Abraxas bug bounty page for more details

Amber AI

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
AMBER AI, a “crypto-finance service provider”, is offering between $2,500 and $5,000 for the submission of valid critical bugs.

Notes:
Vulnerabilities in AMBER AI’s core business services qualify for the highest payout tier but the web 3.0 business is also interested in a wide range of web security vulnerabilities such as SQL injection, CSRF, and denial-of-service issues.

Check out the AMBER AI bug bounty page for more details

Echobox

Program provider:
YesWeHack

Program type:
Public

Max reward:
€6,000 ($6,310)

Outline:
Echobox, which uses AI to automate the distribution of emails, newsletters, and other content, has launched a public program with 10 targets in scope after a number of successful private programs.

Notes:
In a recent Q&A, Echobox CTO Marc Fletcher said: “The public program gives us greater exposure and access to YesWeHack’s community of 45,000 ethical hackers […] no other social media publishing companies seem to be running public bug bounty programs like ours.”

Check out the Echobox bug bounty page for more details

Expedia Group

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Expedia runs a portfolio of travel websites that offer hotel, flight booking, and more.

Notes:
A range of targets are in scope including hotels.com. orbitz.com, and expedia.com.

Check out the Expedia Group bug bounty page for more details

Magic Eden

Program provider:
HackerOne

Program type:
Public

Max reward:
$2,500

Outline:
Magic Eden styles itself as a community-centric NFT marketplace.

Notes:
The bug bounty program is focused on smart contracts and on guarding against the freezing of funds, direct theft, denial of business function, or other attacks that interfere with the smooth operation of the marketplace.

Check out the Magic Eden bug bounty page for more details

Teleport

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:

Teleport offers open source technology based around the zero trust model and designed for the administration of servers and cloud-based applications.

Notes:
Vulnerabilities in both the on-premises software and cloud-based versions of Teleport’s technologies fall within the scope of the program.

Check out the Teleport bug bounty page for more details

ThousandEyes

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$4,500

Outline:
ThousandEyes, which offers network intelligence software, has invited elite hackers to probe five targets for security flaws.

Notes:
In-scope targets include ThousandEyes' website, application platform, customer-accessible API, and enterprise and agent software. The firm reopened its previously dormant bug bounty program in late November.

Check out the ThousandEyes bug bounty page for more details

ZeroBounce

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
ZeroBounce offers email marketing services, targeted towards the needs of enterprise customers.

Notes:
A broad array of web security vulnerability (such as XSS) on the zerobounce.in domain and flaws in the associated API library (api.zerobounce.in) are within scope.

Check out the ThousandEyes bug bounty page for more details


PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for November 2022