New web targets for the discerning hacker

It’s been a bounteous month for the crowdsourced security community, with major payouts from Apple and Facebook and a generous new bug bounty program from Sony.

Ahead of the upcoming PS5 launch, Sony’s new HackerOne program for its PS4 console and PlayStation Network replaces an invitation-only program. Minor flaws in the PlayStation Network could earn rewards of between $100 and $3,000, while PS4 security bugs could be worth between $500 and $50,000, or even higher.

Meanwhile, Bugcrowd says it’s seen a big influx of Indian bug hunters over the last few months. Indeed, the country has now supplanted the US as the most heavily represented country on the crowdsourced security platform.

The number of Indian researchers has grown by 83% since last year – “exponentially faster than other countries that are also experiencing growth”, says the report. After the US comes Pakistan, Bangladesh, and Indonesia.

In terms of payouts, too, Indian researchers have been doing well. New Delhi-based Bhavuk Jain, for one, is celebrating a whacking $100,000 win for finding flaws in the ‘Sign in with Apple’ authentication technology.

There was a $31,500 payout for another Indian security researcher, Bipin Jitiya, who identified several security flaws in Facebook and third-party business intelligence portal MicroStrategy.

This included $30,000 for an internal blind SSRF in the source code of a publicly accessible endpoint, built using tools from MicroStrategy, that performed custom data collection and content generation.

Meanwhile, Microsoft and Kubernetes have paid bounties to French researchers Brice Augras of Groupe Asten and Christophe Hauquiert of Nokia for revealing vulnerabilities in versions of Kubernetes’ container technology that were hosted on Microsoft Azure.

Israeli researcher Zohar Shachar netted $3,134 for revealing that G Suite’s email configuration was vulnerable to a Simple Mail Transfer Protocol exploit that allowed attackers to spoof email messages from Google’s servers.

And Polish bug hunter Michał Bentkowski claimed more than $30,000 for finding flaws in the copy and paste functionality used by web browsers, text editors, and websites that can be abused to execute cross-site scripting (XSS) attacks and data exfiltration.

Last week, in an exclusive interview with The Daily Swig, GitHub’s Nico Waisman said securing open source needs an open source approach.

“We want to nurture a community of security researchers around GitHub and around OS projects,” he said. “We need the help of everyone we can get to secure open source projects.”

His team found 122 vulnerabilities this year, and is broadening out to target BadClasses.

Finally, a serious vulnerability found in the website of Inventory Hive – which The Daily Swig was the first media outlet to reveal – has prompted the property inventory firm to launch a bug bounty program with HackerOne.

The researcher who discovered the flaw, Marco Menozzi, said the site was leaking users’ names and addresses, plus pictures taken of their property, including the entrance lock and house intrusion alarms, before being swiftly remedied by Inventory Hive.

The latest bug bounty programs for May 2020

May saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Sony PlayStation – enhanced

Program provider:
HackerOne

Program type:
Public

Max reward:
$50,000 plus

Outline:
Sony’s invite-only program has now been relaunched as a public program, with its PS4 console and PlayStation Network in scope. Critical flaws start at $50,000 – more than twice the $20,000 ceiling in the programs run by console rivals Nintendo and Microsoft.

Notes:
In-scope assets include the PS4 system, accessories, and current release or beta version of the system software, plus eight PlayStation Network domains.

Visit the PlayStation bug bounty page at HackerOne for more info

Jumbo Privacy

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$20,000

Outline:
Researchers are invited to test both iOS and Android versions of the privacy assistant app, which was launched in 2019 to prevent users from unknowingly leaking personal data while online.

Notes:
The maximum reward is $4,500, unless vulnerabilities can potentially lead to the remote exfiltration of a huge volume of user data, in which case bounties could reach $20,000.

Visit the Jumbo Privacy bug bounty page at Bugcrowd for more info

DARPA (Defense Advanced Research Projects Agency)

Program provider:
Synack

Program type:
Public

Max reward:
$25,000

Outline:
DARPA, the US Department of Defense research arm, has invited researchers to help enhance its hardware security protections, in line with its goal of addressing security issues at source rather than through after-the-fact patches, as reported by The Daily Swig.

Notes:
Hackers will tackle emulated systems running on Amazon EC2 F1 instances, including a RISC-V processor core containing hardware security protections developed through SSITH. The program will run from July to September 2020 following a qualifying capture the flag session in June.

Read DARPA’s press release announcing the program for more info

StopCovid – enhanced

Program provider:
YesWeHack

Program type:
Public

Max reward:
€2,000 ($2,240)

Outline:
The private program for France’s official Covid-19 contact-tracing app is now public, as reported recently by The Daily Swig.

Notes:
The French government is the first in Europe to subject its coronavirus contact-tracing app to the scrutiny of crowdsourced security research. The open source app was developed without payment, so YesWeHack has agreed to fund the bounties.

Visit the StopCovid bug bounty page at YesWeHack for more info

Equilibrium

Program provider:
Independent

Program type:
Public

Max reward:
$5,000

Outline:
Equilibrium is an all-in-one interoperable DeFi hub for managing cryptocurrency in a decentralized fashion.

Notes:
The scope encompasses both front-end and smart contracts with products including EOSDT, native utility token, block producer voting, staking pool, and rates subscription.

Visit Equilibrium’s bug bounty page at GitHub for more info

Matic Network

Program provider:
HackerOne

Program type:
Private

Max reward:
$5,000

Outline:
Matic Network, the blockchain transaction platform powered by point-of-sale side chains, is offering rewards of up to $5,000 for the coordinated disclosure of security vulnerabilities.

Notes:
Matic Network wants to protect its platform from the theft of tokens from the node, manipulation of the blockchain history to invalidate transactions, and undermining of the consensus mechanism to split the chain, among other threats.

Visit the Matic Network bug bounty page at HackerOne for more info

Magisto

Program provider:
HackerOne

Program type:
Public

Max reward:
$2,000

Outline:
Researchers are tasked with finding flaws in Magisto’s eponymous, artificial intelligence-powered online video editor.

Notes:
Six assets are in scope, with critical flaws netting bug hunters between $1,000 and $2,000.

Visit the Magisto bug bounty page at HackerOne for more info

Other bug bounty news this month:

  • Ben Sadeghipour has documented his 2018 co-discovery, with Cody Brocious, of an SSRF flaw in the Lyft ride-sharing app – both in a blog post and video filmed on the roads of New York.
  • The Courier app, which upgrades outbound user notifications to optimize channel selection, and Bitwala, the blockchain banking service, have launched points-only VDPs through HackerOne.
  • The defensive and attacking capabilities of machine learning systems are being stress-tested at a Microsoft-sponsored event that ends on September 18.
  • The latest instalment of YesWeHack’s vulnerability coordination series has offered a framework for surmounting the hurdles to effective coordinated disclosure.
  • Nearly 300 white hat hackers discovered 33 security vulnerabilities and earned $30,800 in bounties at the third HackerOne-run Singapore Government Bug Bounty Programme.
  • Nytr0gen, Zoczus, and bugra triumphed at the H1-2006 CTF, having been the quickest to retrieve access to the HackerOne CEO’s BountyPay account.
  • Intigriti, the Belgian ethical hacking platform, has raised €4.1 million ($4.6 million) to power international growth and develop services to protect sustainable-tech companies.
  • PandaDoc, the document automation software, has launched a VDP with a focus on threats including XSS, SQLi, CSRF, RCE, and data breaches.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.

Introduction by Emma Woollacott.