New web targets for the discerning hacker
We begin this month’s bug bounty round-up with news that the European Commission (EC) has launched another open source-focused program, this time dedicated to projects underpinning its public services.
Following the “remarkable success” of the EU-FOSSA program, the EC is offering bug hunters up to €5,000 ($5,600) for unearthing vulnerabilities in LibreOffice, LEOS, Mastodon, Odoo, and CryptPad.
The EC Open Source Programme Office (EC OSPO) program, which is hosted by European bug bounty platform Intigriti, offers 20% bonuses where vulnerability submissions include effective code fixes.
In payout news, there was an enormous windfall for researcher Ryan Pickren after he demonstrated how vulnerabilities in iCloud and Safari 15 gave attackers a means to compromise macOS webcams and, thereafter, victims’ online accounts.
Pickren netted $100,500 for a chain of four flaws, among them a universal cross-site scripting (uXSS) bug.
The uXSS exploit could give an “attacker full access to every website ever visited by the victim,” said the researcher.
Elsewhere, the discovery of 70 web cache poisoning vulnerabilities affecting Apache Traffic Server, GitHub, and HackerOne, among others, earned Iustin Ladunca $40,000.
Although attacks were limited to static files, Ladunca said the impact was still significant since modern websites rely heavily on JavaScript and CSS, and so “taking those files down would really affect application availability”.
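As an added illustration of the bug class Ladunca describes, and not code from the article or from his research, the Python model below shows why a poisoned static asset becomes an availability problem: a reverse-proxy cache keys entries on host and path only, so a request header it never looks at ("unkeyed") can make the origin return an error that is then stored under the same key as the real JavaScript bundle and served to every subsequent visitor. The hostname, header name, origin size limit, and the two cache configurations (one that stores errors for static paths, one that stores only 200 responses) are constructed assumptions for the demonstration. The `probe_unkeyed_header` function shows the non-destructive check a tester would use, namely poisoning a cache-busted copy of the asset so real users are never affected.

```python
"""Toy model of web cache poisoning against a static asset.

Added example; not the article's or Iustin Ladunca's code. The origin limit,
header names, hostnames and cache rules are constructed for illustration.
"""

import secrets
from dataclasses import dataclass

HOST = "www.example.com"          # constructed hostname
ASSET = "/static/app.js"          # constructed static asset path
STATIC_SUFFIXES = (".js", ".css")


@dataclass
class Response:
    status: int
    body: str


class Origin:
    """Origin server: serves the bundle, but answers an oversized header block
    with a 400 that carries no caching directives (constructed behaviour)."""

    MAX_HEADER_BYTES = 256  # deliberately small so the demo stays readable

    def handle(self, path, headers):
        base = path.split("?", 1)[0]
        header_bytes = sum(len(k) + len(v) + 4 for k, v in headers.items())
        if header_bytes > self.MAX_HEADER_BYTES:
            return Response(400, "Bad Request: header block too large")
        if base.startswith("/static/") and base.endswith(STATIC_SUFFIXES):
            return Response(200, "console.log('app bundle');")
        return Response(404, "Not Found")


class Cache:
    """Reverse-proxy cache keyed on (host, path-with-query) only. Every other
    request header is unkeyed, so requests differing only in such a header
    share one entry. cache_errors=True stores any response for a static path,
    including the 400 (vulnerable); cache_errors=False stores only 200s
    (hardened)."""

    def __init__(self, origin, cache_errors):
        self.origin = origin
        self.cache_errors = cache_errors
        self.store = {}

    def get(self, host, path, headers):
        key = (host, path)
        if key in self.store:
            return self.store[key], "HIT"
        resp = self.origin.handle(path, headers)
        static_path = path.split("?", 1)[0].endswith(STATIC_SUFFIXES)
        if static_path and (resp.status == 200 or self.cache_errors):
            self.store[key] = resp
        return resp, "MISS"


def attack(cache_errors):
    """Attacker sends one request with an oversized unkeyed header; a victim
    then requests the same asset normally. Returns the victim's status and
    whether it was served from cache."""
    cache = Cache(Origin(), cache_errors)
    cache.get(HOST, ASSET, {"X-Oversized": "A" * 300})
    victim, state = cache.get(HOST, ASSET, {"User-Agent": "Mozilla/5.0"})
    return victim.status, state


def probe_unkeyed_header(cache, header_name, header_value):
    """Non-destructive tester's check: poison a cache-busted copy of the asset
    (query string is part of the key, so live users keep the real entry), then
    re-request that copy with clean headers. A cached error on the second
    request confirms the header is unkeyed and the cache stores the error."""
    busted = f"{ASSET}?cb={secrets.token_hex(4)}"
    cache.get(HOST, busted, {header_name: header_value})
    resp, state = cache.get(HOST, busted, {})
    return state == "HIT" and resp.status >= 400


if __name__ == "__main__":
    print("error-caching proxy, victim sees:", attack(True))    # (400, 'HIT')
    print("200-only proxy, victim sees:", attack(False))        # (200, 'MISS')
```

The vulnerable configuration turns a single attacker request into a cached 400 for `/static/app.js`, which is exactly the availability impact described above: the page still loads, but its script bundle does not. The hardened cache never stores the error, so the next clean request refills the entry from the origin. In practice the same probe should be repeated across several cache-busted paths and header candidates, and the poisoned copy left to expire rather than touching the real asset key.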
Omer Gil from Cider Security, meanwhile, has warned that CI/CD platforms are an increasingly popular attack target after detailing a flaw in GitHub Actions that made it possible to circumvent code review safeguards.
Gil, who praised GitHub for rapidly addressing and paying a bounty for the flaw in the hugely popular continuous integration (CI) service, said authorization bypass weaknesses open the door to planting malicious software within the tributaries that feed production software.
Finally, the Internet Bug Bounty (IBB), a partnership between tech giants that aims to address vulnerabilities in critical open source software projects, paid $2,500 for a remote code execution (RCE) vulnerability in Apache HTTP Server.
Researcher ‘chamal’ earned $2,000 for the discovery, in line with the program’s policy of splitting bounties 80/20 between the bug hunter and the relevant open source project.
The latest bug bounty programs for February 2022
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Google Chrome VRP – enhanced
Program provider: Independent
Program type: Public
Max reward: $150,000
Outline:
Google has introduced a new reward tier for the Chrome Vulnerability Reward Program (VRP). “Memory corruption/RCE bugs in highly privileged processes, such as GPU or network process, can now earn you up to $7,000 for a baseline report, $10,000 for a high-quality report, and $15,000 for high-quality reports with a functional exploit,” the tech giant tweeted recently.
Notes:
Google is interested in bugs that make it to stable, beta, and dev channels, including those in third-party components.
Check out the Chrome VRP bug bounty page for more details
European Commission – Open Source Programme Office
Program provider: Intigriti
Program type: Public
Max reward: $5,600 (€5,000)
Outline:
The European Commission’s Open Source Programme Office (EC OSPO) program is dedicated to open source projects underpinning the Commission’s public services, specifically LibreOffice, LEOS, Mastodon, Odoo, and CryptPad.
Notes:
EC OSPO will pay 20% bonuses where vulnerability submissions include effective code fixes.
Read our previous coverage of the EC OSPO launch for more details
Olympus DAO
Program provider: Independent
Program type: Public
Max reward: $3.3 million
Outline:
Olympus DAO, a decentralized reserve currency protocol based on the OHM token, says payouts could potentially reach $3.3 million for issues in its smart contracts or app that might lead to loss of treasury, user, or bond funds.
Notes:
“Olympus has a goal of becoming the reserve asset for all of DeFi,” said Olympus DAO bug bounty manager ‘@Proof_Steve’. “To achieve that we need to ensure its security, and that’s exactly why the community authorized this bug bounty program.”
Check out the related Olympus DAO press release for more details
Payoneer
Program provider: HackerOne
Program type: Public
Max reward: $5,000
Outline:
Payoneer is a US financial services company that provides online money transfers, digital payment services, and working capital.
Notes:
Payoneer.com is the sole asset in scope, with critical flaws attracting bounties up to $5,000, while high severity issues will earn bug hunters up to $2,000.
Check out the Payoneer bug bounty page at HackerOne for more details
Skroutz
Program provider: Bugcrowd
Program type: Public
Max reward: $4,500
Outline:
Skroutz, a Greek e-commerce platform, has invited bug hunters to probe its web application and associated API on the live production environment.
Notes:
The application is built with Ruby on Rails and uses many open source components, as detailed on GitHub.
Check out the Skroutz bug bounty page at Bugcrowd for more details
Other bug bounty and VDP news this month
- Google is inviting hackers to take part in its Kubernetes capture-the-flag competition, with prizes of up to $50,337 on offer.
- The Bug Bounty Hunters Discord team has unveiled a new hackathon that aims to spark the creation of new bounty hunting tools.
- Hy-Vee, Costco, JetBlue, and OpenSea have launched (unpaid) vulnerability disclosure programs (VDPs) on HackerOne.
Additional reporting by James Walker.