New web targets for the discerning hacker

The latest bug bounty programs for February 2022

We begin this month’s bug bounty round-up with news that the European Commission (EC) has launched another open source-focused program, this time dedicated to projects underpinning its public services.

Following the “remarkable success” of the EU-FOSSA program, the EC is offering bug hunters up to €5,000 ($5,600) for unearthing vulnerabilities in LibreOffice, LEOS, Mastodon, Odoo, and CryptPad.

The Open Source Programme Office (EC OSPO), which is hosted by European bug bounty platform Intigriti, offers 20% bonuses where vulnerability submissions include effective code fixes.

In payout news, there was an enormous windfall for researcher Ryan Pickren after he demonstrated how vulnerabilities in iCloud and Safari 15 gave attackers a means to compromise macOS webcams and, thereafter, victims’ online accounts.

Pickren netted $100,500 for a universal cross-site scripting (uXSS) bug and a total of four flaws.

The uXSS exploit could give an “attacker full access to every website ever visited by the victim,” said the researcher.

Elsewhere, the discovery of 70 web cache poisoning vulnerabilities affecting Apache Traffic Server, GitHub, and HackerOne, among others, earned Iustin Ladunca $40,000.

Although attacks were limited to static files, Ladunca said the impact was still significant since modern websites rely heavily on JavaScript and CSS, and so “taking those files down would really affect application availability”.

Omer Gil from Cider Security, meanwhile, has warned that CI/CD platforms are an increasingly popular attack target after detailing a flaw in GitHub Actions that made it possible to circumvent code review safeguards.

Gil, who praised GitHub for rapidly addressing and paying a bounty for the flaw in the hugely popular continuous integration (CI) service, said authorization bypass weaknesses open the door to planting malicious software within the tributaries that feed production software.

Finally, the Internet Bug Bounty (IBB), a partnership between tech giants that aims to address vulnerabilities in critical open source software projects, paid $2,500 for a remote code execution (RCE) vulnerability in Apache HTTP Server.

Researcher ‘chamal’ earned $2,000 for the discovery in line with the program’s policy of paying bounties according to an 80/20 split between the bug hunter and relevant project.


The latest bug bounty programs for February 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Google Chrome VRP – enhanced

Program provider:
Independent

Program type:
Public

Max reward:
$150,000

Outline:
Google has introduced a new reward tier for the Chrome Vulnerability Reward Program (VRP). “Memory corruption/RCE bugs in highly privileged processes, such as GPU or network process, can now earn you up to $7,000 for a baseline report, $10,000 for a high-quality report, and $15,000 for high-quality reports with a functional exploit,” the tech giant tweeted recently.

Notes:
Google is interested in bugs that make it to stable, beta, and dev channels, including those in third-party components.

Check out the Chrome VRP bug bounty page for more details

European Commission – Open Source Programme Office

Program provider:
Intigriti

Program type:
Public

Max reward:
$5,600

Outline:
The Open Source Programme Office (EC OSPO) is dedicated to open source projects underpinning its public services, specifically LibreOffice, LEOS, Mastodon, Odoo, and CryptPad.

Notes:
EC OSPO will pay 20% bonuses where vulnerability submissions include effective code fixes.

Read our previous coverage of the EC OSPO launch for more details

Olympus DAO

Program provider:
Independent

Program type:
Public

Max reward:
$3.3 million

Outline:
Olympus DAO, a decentralized reserve currency protocol based on the OHM token, says payouts could potentially reach $3.3 million for issues in its smart contracts or app that might lead to loss of treasury, user, or bond funds.

Notes:
“Olympus has a goal of becoming the reserve asset for all of DeFi,” said Olympus DAO bug bounty manager ‘@Proof_Steve’. “To achieve that we need to ensure its security, and that’s exactly why the community authorized this bug bounty program”.

Check out the related Olympus DAO press release for more details

Payoneer

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Payoneer is a US financial services company that provides online money transfers, digital payment services and working capital.

Notes:
Payoneer.com is the sole asset in scope, with critical flaws attracting bounties up to $5,000, while high severity issues will earn bug hunters up to $2,000.

Check out the Payoneer bug bounty page at HackerOne for more details

Skroutz

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$4,500

Outline:
Skroutz, a Greek e-commerce platform, has invited bug hunters to probe its web application and associated API on the live production environment.

Notes:
The application is built with Ruby on Rails and uses many open source components, as detailed on GitHub.

Check out the Skroutz bug bounty page at Bugcrowd for more details


Other bug bounty and VDP news this month


Additional reporting by James Walker.

