New web targets for the discerning hacker
Global awareness of hackers continued to ramp up throughout the month of February, with the launch of new and improved bug bounty programs and the realization that some heroes wear… black hoodies.
That was the feeling, at least, in the French city of Lille, which hosted a two-day live hacking event as part of the 2020 Forum International de la Cybersécurité, an annual security conference and trade show.
The event saw 100 hackers finding bugs in the systems of The Red Cross, Oui SNCF, secure messaging provider Olvid, and Cybermalveillance.gouv.fr, a cybersecurity division of the French government.
“Bug bounties are not only for Uber or Deezer, it’s for any organization inspired by cybersecurity and willing to address the bugs in its systems,” Rodolphe Harand, manager of YesWeHack, the bug bounty platform that hosted the live hacking competition, told The Daily Swig.
Not long after the event, French cyber awareness site Cybermalveillance.gouv.fr announced that it was going public with its bug bounty program, one that it had been running privately on the YesWeHack platform since December 2019.
Bounties awarded for high risk and critical flaws are also set to double under the program’s public scope, The Daily Swig reported this month, alongside an interview with the Belgium-based platform intigriti, which has its sights set on global expansion.
If you’re interested in bug bounty market news, February was full of statistics related to payouts and hacker insights, as Facebook highlighted the $2 million it paid out to security researchers through its bug bounty program in 2019.
Dropbox also patted itself on the back, having doled out $1 million in cash to security researchers since its vulnerability rewards program began in 2014.
In related news, HackerOne published its 2020 Hacker Report, which found that although bug bounty payouts across the platform continue to rise, nearly two-thirds of security researchers (63%) have withheld the disclosure of security vulnerabilities on at least one occasion.
The reasons behind this were multifaceted, but the factors that stood out were fear of reprimand, lack of a clear reporting channel, and organizations being unresponsive to previous bug reports.
“I think we really need to disambiguate what people mean by the term ‘bug bounty’,” Casey Ellis, founder of Bugcrowd, told The Daily Swig in a recent chat about the uptake of IoT bug bounty programs.
“They are usually thinking about a public bug bounty, which definitely is the last line of defense.”
Read the full interview with Bugcrowd founder Casey Ellis.
The latest bug bounty programs for February 2020
February saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Celo
Program provider: HackerOne
Program type: Private bug bounty
Max reward: $15,000
Outline: Celo, an open banking platform, puts forward a private bug bounty program, with four of its domains in scope.
Notes: Quick responses to bug submissions and rewards based on the Common Vulnerability Scoring Standard are among Celo’s promises.
Visit the Celo bug bounty page at HackerOne for more info
Evernote
Program provider: HackerOne
Program type: Private bug bounty
Max reward: Undisclosed
Outline: The task management app has launched a private bug bounty program with few details aside from an expanded list of vulnerabilities it considers out of scope.
Notes: Evernote pitches itself as uber responsive, with plans to triage bugs within 10 business days of a successful report submission.
Visit the Evernote bug bounty page at HackerOne for more info
Google API Security Rewards Program
Program provider: HackerOne
Program type: Public bug bounty
Minimum reward: $50
Outline: Google has added another bug bounty program to its repertoire. Security researchers can now report vulnerabilities found in third-party applications accessing OAuth Restricted Scope.
Notes: “Developers of OAuth apps using restricted scopes, with more than 50,000 users, are automatically enrolled into the program after they have passed the security assessment requirement,” outlines the program. Theft of insecure private data through unauthorized access reaps a $1,000 reward. Vulnerabilities must be reported to the relevant app developer first.
Visit the Google API Security Rewards Program at Hackerone for more infoKindred Group
Program provider: HackerOne
Program type: Public bug bounty
Max reward: $2,500
Outline: Online gambling operator Kindred Group has entered the bug bounty scene with HackerOne, putting its two platforms, which host brands like Unibet, bingo.com, iGame, and MariaCasino, in scope.
Notes: Remote code execution, SQL injection, and other critical bugs pay $2,500. Less severe vulnerabilities, such as Flash-based reflective XSS or captcha bypass, generate a $150 reward.
Visit the Kindred Group bug bounty page at HackerOne for full program details
Microsoft Azure – enhanced
Program provider: Independent
Program type: Public bug bounty
Max reward: $40,000
Outline: Microsoft’s established Azure Bounty Program has expanded its scope to include Azure Sphere to run alongside the general release of the IoT security platform.
Notes: “The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers,” Microsoft says. Many low-severity issues are out of scope.
Visit the latest Microsoft blog post for full program details
Microsoft Xbox
Program provider: Independent
Program type: Public bug bounty
Max reward: $20,000
Outline: Awards range from $500 to $20,000 for vulnerabilities found in the Xbox Live network and services, although Redmond says higher payouts are possible.
Notes: In-scope vulnerabilities include all the regular suspects with full PoC exploit: cross-site scripting, cross-site request forgery, insecure direct object references, insecure deserialization, code injection flaws, server-side code execution, significant security misconfiguration (when not caused by user), and exploits in third-party components.
Visit the Xbox bug bounty page for full program details
Monolith
Program provider: HackerOne
Program type: Public bug bounty
Max reward: $10,000
Outline: Ethereum-based banking alternative Monolith has linked with HackerOne to let hackers find bugs in its smart contract wallet and the internet-facing Monolith platform.
Notes: “The most important class of bugs we’re looking for are ones that would cause our users to lose their funds or have them rendered frozen and unusable within their Smart Contract Wallet,” Monolith says.
Visit the Monolith bug bounty page at HackerOne for full program details
TokenCoreX
Program provider: Independent
Program type: Public bug bounty
Max reward: $10,000
Outline: Developers at imToken, a popular cryptocurrency wallet, have launched a new bug bounty program covering the TokenCoreX library that underpins the application.
Notes: The program is a partnership with blockchain security specialists SlowMist, and covers defects in the implementation of the core encryption algorithm, along with vulnerabilities in chain-related logic code or the wallet application layer. Rewards are paid in Tether cryptocurrency, with critical vulnerabilities amounting to issues that result in an attacker stealing crypto-assets.
Visit the latest imToken blog post for more info
Visma
Program provider: HackerOne
Program type: Public bug bounty
Max reward: $2,500
Outline: Business software provider Visma wants security researchers to break their domains, with payouts ranging from $100 for low impact bugs to $2,500 for those defined as critical.
Notes: Critical exploits include RCE and SQL injection. Low-rated vulnerabilities such as open redirect or application level denial-of-service also warrant payouts. “Any reports outside these categories will be triaged on a case by case basis by Security Analysts from Visma,” the company adds.
Visit the Visma bug bounty page at HackerOne for more info
Other bug bounty and VDP news
- Katie Moussouris, quite possibly the Queen of the bug bounty, spoke on the Threatpost podcast about the challenges in implementing successful programs
- The Hacker News ran an interview with the Open Bug Bounty project, a non-profit that's demonstrated significant growth over the past year.
- Bug hunter Alex Chapman published a blog post on his transition from pen tester to full-time bounty hunter.
- Hyatt expanded its public bug bounty program on its one-year anniversary last month with HackerOne, widening its scope with higher bounties.
- Marriott is running a vulnerability disclosure program (unpaid) with HackerOne, as are mobile banking providers bunq, Canadian banking provider Koho, photo video editing app PicsArt, and Belgium-based REM-B Hydraulics.
- Bugcrowd also saw the SoundCloud bug bounty program increase its rewards last month, now offering a maximum $4,500 for high priority bugs.
To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line. Read more bug bounty news from The Daily Swig.
RELATED Bug Bounty Radar // January 2020
