New web targets for the discerning hacker
The ethical hacking community saw a big boost this month, with the news that the US Supreme Court has tightened up the definition of unauthorized access.
Previously, penetration testers and ethical hackers ran the risk of being deemed to have violated the Computer Fraud and Abuse Act (CFAA).
Now, though, the court has ruled that the act, as previously interpreted, potentially criminalized “a breathtaking amount of commonplace computer activity”, and that a violation only takes place where someone accesses files, folders, or databases that are off limits to them, not where they misuse information they were otherwise entitled to access.
In program news, Asian e-commerce giant Lazada has kicked off its first public bug bounty program with YesWeHack, offering up to $10,000 for successful vulnerability reports.
And in another first, the US Cybersecurity and Infrastructure Security Agency (CISA) has launched a federal civilian security vulnerability disclosure program (VDP) in partnership with Bugcrowd. Researchers are invited to test for vulnerabilities in Federal Civilian Executive Branch (FCEB) agencies.
Meanwhile, GitHub is aiming to become more bug-hunter-friendly, with an update to its policy on malware and exploit research. Dual-use security research and collaboration on GitHub are now explicitly permitted, though the platform reserves the right to withdraw that permission where it is abused.
In payout news, Indian bug hunter Mayur Fartade has netted $30,000 for revealing a vulnerability in Instagram that potentially exposed victims’ private content. The exploit involved brute-forcing the target’s Media ID and sending a POST request to one of two vulnerable endpoints.
There was a $3,000 payout for Nepalese security researcher Samip Aryal, who discovered a vulnerability in Facebook’s Messenger Rooms video chat feature that allowed attackers to view a victim’s private Facebook photos and videos and to submit posts, even from a locked device.
And finally, a poll of security researchers who reported vulnerabilities through alternative channels suggests that many of the flaws they submit are apparently never patched.
Belgium-based bug bounty platform Intigriti found that 12% believed their submission never reached the security team, while a further 19% were unsure of the outcome.
The latest bug bounty programs for July 2021
The past month saw the arrival of just a few new bug bounty programs. Here’s a list of the latest entries:
Public bug bounty
Bunicorn, self-described as an automated market-making (AMM) decentralized exchange, is asking security researchers to help prevent loss of user funds by looking for both web security vulnerabilities and smart contract/blockchain flaws.
Bunicorn has published a link to its smart contracts as well as a list of in-scope vulnerability classes, which include bugs enabling economic or financial attacks, remote code execution, and SQL injection.
Check out the Bunicorn bug bounty page at HackenProof for more details
Public bug bounty
Elementor, an open source WordPress plugin, has expanded its public bug bounty program.
The targets for this engagement are the Elementor application, the primary Elementor website, and the public API. The target web applications are WordPress instances. There is a fairly short list of exclusions, which researchers should read before taking part in the program.
Check out the Elementor bug bounty page at Bugcrowd for more information
Public bug bounty
Microsoft has launched its own bug bounty program, asking security researchers to try to break the SIKE post-quantum cryptographic scheme, which Microsoft Research co-developed, in exchange for substantial monetary rewards.
The new target is billed as a challenge, but it is still subject to Microsoft’s bug bounty rules and conditions. Prizes are on offer for solving two reduced-parameter instances of the scheme, which can be viewed online.
Check out the Microsoft Quantum bug bounty page for more information
Other bug bounty and VDP news this month
- GitHub is celebrating the seventh anniversary of its bug bounty program, with the code collaboration platform reporting that it awarded more than $524,000 to researchers last year.
- Amazon has unveiled AWS BugBust, the world’s first global competition that challenges Java and Python developers to collectively fix a million software bugs.
- Blackrock, Logsnitch, Cedars-Sinai, and Thomson Reuters have launched (unpaid) VDPs through HackerOne.
- June also saw the launch of VDPs for Bluehost India, Reseller Club, and SnapNames via Bugcrowd.
- More than $150,000 was awarded to researchers who participated in Hack the Army 3.0.
Compiled by Jessica Haworth. Introduction by Emma Woollacott. Additional reporting by James Walker.