New web targets for the discerning hacker
The US Department of Justice (DoJ) has said it won’t prosecute security researchers acting “in good faith”, as part of changes to the Computer Fraud and Abuse Act (CFAA). While the DoJ says this was always the case in practice, the changes provide more certainty for researchers, pen testers, and bug bounty hunters.
Meanwhile, the UK government remains half-hearted about bug bounty programs, with Dr Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), saying there are no plans for a broad rollout any time soon. Speaking at the CyberUK conference, he commented: “The reason for that is that we just don’t seem to need to – people are more than happy to come and tell government we’ve screwed up.”
LinkedIn, meanwhile, has launched a public bug bounty program with rewards of up to $18,000 that replaces its invite-only program. Hosted by HackerOne, LinkedIn invites hackers to probe its main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API and Android and iOS mobile apps.
Blockchain bridge Wormhole has handed over a record $10 million reward to a bug hunter with the online pseudonym ‘satya0x’. Had it been exploited successfully, the critical vulnerability that attracted the reward could have seen all the funds residing in the Wormhole core bridge contract on Ethereum lost forever.
In other payout news, Youssef Sammouda netted $44,625 for discovering a series of bugs that could have allowed a malicious actor to take over Facebook accounts. They included a cross-site request forgery (CSRF) bug allowing an attacker to force a victim to log out from their Facebook account in their browser, and a flaw forcing a login to the attacker’s Facebook account inside the victim’s browser.
Pwn2Own Vancouver, the flagship hacking contest, took place last month, handing out more than $1 million for bugs in products from Microsoft, Mozilla, Apple, and others. Participants unearthed 27 qualifying vulnerabilities in total, with a team from Star Labs in Singapore being crowned this year’s Masters of Pwn.
And finally, Vidoc Security Lab has published a security advisory warning of more than 60 instances of a web security flaw in the Swagger-UI library, potentially leading to account takeover. Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were alerted, among others.
The latest bug bounty programs for June 2022
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Aztec Network
Program provider: Immunefi
Program type: Public
Max reward: $1 million
Outline: A privacy-first recursive, zero-knowledge rollup built on Ethereum that purports to be the “only zkRollup built from the ground up to be privacy-preserving”.
Notes: Bounties on offer potentially range up to $1 million, with $25,000 for high severity issues, and $5,000 for medium severity bugs.
Check out the Aztec Network bug bounty page at Immunefi for more details
Balancer
Program provider: Immunefi
Program type: Public
Max reward: $2.4 million
Outline: “Community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.”
Notes: Payouts in Ethereum could reach $2.4 million, while high severity vulnerabilities can command rewards of up to $600,000.
Check out the Balancer bug bounty page at Immunefi for more details
Chain
Program provider: Immunefi
Program type: Public
Max reward: $5 million
Outline: Eye-watering payouts in the millions are on offer from Chain, which builds “cryptographic ledgers that underpin breakthrough financial products and services”.
Notes: Payouts are issued in USDC, XCN, USDT and ETH, with the ratio at Chain’s discretion.
Check out the Chain bug bounty page at Immunefi for more details
Cudos Network
Program provider: Bugcrowd
Program type: Public
Max reward: $4,500
Outline: A decentralised platform that runs over multiple p2p nodes and enables developers to build complex smart contract functionality.
Notes: Top-tier rewards are given for cryptographic exploits allowing for the manipulation of BFT consensus, while certain DDoS exploits qualify as tier two.
Check out the Cudos Network bug bounty page at Bugcrowd for more details
Doctolib
Program provider: YesWeHack
Program type: Public
Max reward: €20,000
Outline: Doctolib develops appointment booking software used by more than 300,000 healthcare personnel and 60 million patients across Europe.
Notes: High severity issues command rewards of up to €4,000 and critical bugs will net hackers up to €20,000, with two web domains and iOS and Android apps in play.
Check out the Doctolib bug bounty page at YesWeHack for more details
Gojek
Program provider: HackerOne
Program type: Public
Max reward: $5,000
Outline: Gojek is an Indonesian, on-demand, multi-service platform and digital payment technology group.
Notes: A maximum bounty of $5,000 is on offer for tier-one assets, and $2,000 for tier-two assets.
Check out the Gojek bug bounty page at HackerOne for more details
LinkedIn
Program provider: HackerOne
Program type: Public
Max reward: $15,000
Outline: LinkedIn has launched a public bug bounty program to replace the invite-only program running since 2014, as previously reported by The Daily Swig.
Notes: Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000.
Read our previous coverage to find out more
Razorpay
Program provider: HackerOne
Program type: Public
Max reward: $3,000
Outline: Razorpay claims to be the only payments solution in India that allows businesses to accept, process, and disburse payments.
Notes: Critical flaws will command bounties of between $1,000 and $3,000, with four in-scope targets comprising the dashboard, API, checkout, and invoice domains.
Check out the Razorpay bug bounty page at HackerOne for more details
Quebec Ministry of Cybersecurity and Digital
Program provider: YesWeHack
Program type: Public
Max reward: $1,500
Outline: Le ministère de la Cybersécurité et du Numérique in Quebec has launched its program, with details written in French, on the Paris-based bug bounty platform YesWeHack.
Notes: The ministry has 12 web assets in scope and is offering a maximum payout of $1,500.
Check out the bug bounty page of Le ministère de la Cybersécurité et du Numérique in Quebec at YesWeHack for more details
Wealthsimple
Program provider: HackerOne
Program type: Public
Max reward: $20,000
Outline: The Canadian investment management service has financial tools for stock trading, ETFs, managed investing, and crypto.
Notes: Critical bugs can attract $20,000 rewards, while high and medium severity vulnerabilities could net bug hunters $5,000 or $1,000 respectively.
Check out the Wealthsimple bug bounty page at HackerOne for more details
Other bug bounty and VDP news this month
- Another nine new programs in a bumper May for Immunefi included programs from the Bancor Protocol (max reward $900,000) plus Orca and Wombat Exchange (both with a maximum payout of $500,000)
- Cloudflare and security researchers from Assetnote have documented the discovery and remediation of vulnerabilities in Cloudflare Pages
- YesWeHack is launching an ethical hacking virtual reality game and holding a live bug bounty challenge at the upcoming International Cybersecurity Forum in June
- The US Cyber Games, a NICE-NIST collaboration, enters its second season in July, starting with Capture the Flag (CTF) competitions and culminating in the top cybersecurity athletes representing the US internationally
- Some 401 security flaws were remediated during the 12-month pilot of the US Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP), which concluded in April
Additional reporting by Emma Woollacott.