New web targets for the discerning hacker


The coronavirus pandemic is casting its shadow over every area of life, and the bug bounty market is no exception.

We spoke with HackerOne, Bugcrowd, and pen test platform Synack to see how bug bounty and pen test platforms were handling the crisis.

Ashish Gupta, CEO of bug bounty platform Bugcrowd, says the company has seen a sharp rise in vulnerability reports, with the past four weeks generating more than ever before.

“We have seen an increase in the number of vulnerabilities and have also had conversations with researchers who say they are stepping up their efforts to help our customers that are working remotely,” he says.

And in related news, the Pwn2Own 2020 Live hacking contest went virtual with the help of Zoom, with champions Richard Zhu and Amat Cama (Team Fluoroacetate) set to receive their trophy at a later date.

Before the true impact of coronavirus was really apparent, we spoke with Offensive Security CEO Ning Wang. She discussed the recent update to Kali Linux and promised: “We are in the middle of a really exciting stage of the Kali development process, where a lot of behind-the-scenes items have been going public, with more on the way.”

In payout news this month, Russian email platform Mail.ru has handed over $10,000 for a critical security flaw connected to two issues in Nginx and OpenResty.

During the month, we looked at gaming platforms, which are an ever-more tempting prospect for hackers. As a result, platforms are increasingly introducing bug bounty programs, with Microsoft's new bug bounty program for Xbox offering up to $20,000 for vulnerabilities such as remote code execution.

GitHub has revealed that it’s now paid out more than $1 million in bounties – and almost $590,000 in the last year alone.

Meanwhile, security researcher Jacob Archuleta ‘Nullze’ has praised Tesla for its quick response to his report of a denial-of-service vulnerability that allowed an attacker to crash the Tesla Model 3’s Chromium-based web interface. Tesla’s security team quickly worked with him to resolve the issue with a new update, he says.

And, finally, the inaugural Google Cloud Platform vulnerability research prize has been awarded to security researcher Wouter ter Maat for his work in the field of Cloud Shell security – a cool $100,000.

“It makes sure I can provide for my family while I try to improve my game and focus on fun and time-consuming challenges, without having to worry about short-term income,” he says.

The latest bug bounty programs for March 2020

March saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

BMW Group

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Car manufacturer BMW Group has launched a public bug bounty program with its web applications in scope.

Notes:
“Multiple vulnerabilities caused by one underlying issue will be awarded one bounty,” the program states, and a full PoC is required with each submission. The German automaker has been running a vulnerability disclosure program (VDP) since 2015.

Visit the BMW Group bug bounty page at HackerOne for full program details

Fortmatic – enhanced

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Blockchain development experts at Fortmatic have opened up their one-year-old bug bounty program to public participation. Vulnerabilities related to asset security and sensitive information disclosure are marked as high priority.

Notes:
The company’s API endpoint (api.formatic.com) is explicitly listed as out of scope. “We are excited for the creative exploits that this community comes up with and looking forward to working with you individually in the reports,” Fortmatic says. $1,900 has been paid out under Fortmatic’s bug bounty program since its invite-only beginnings.

Visit the Fortmatic bug bounty page at HackerOne for more info

Glassdoor

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$2,500

Outline:
US-based recruiter and job site Glassdoor is asking the security community to find bugs within its website, API, or one of its official mobile apps.

Notes:
Third-party sites, as expected, are excluded from the program. Glassdoor is looking for PoCs that demonstrate issues including remote code execution (RCE), memory corruption, SQL injection, cross-site scripting (XSS), and many more.

Visit the Glassdoor bug bounty page at HackerOne for more info

PegaSys

Program provider:
HackerOne

Program type:
Private bug bounty

Max reward:
$5,000

Outline:
PegaSys, an Ethereum blockchain platform provider, has launched a private bug bounty program that aims to triage valid submissions within two days.

Notes:
The company lists a range of vulnerability examples, both medium and high severity, from a previous security audit. “Alongside bounties, we’re happy to send swag to anyone who finds a vulnerability,” PegaSys says.

Visit the PegaSys bug bounty page at HackerOne for full program details

NEM

Program provider:
HackerOne

Program type:
Private bug bounty

Max reward:
$10,000

Outline:
Blockchain solutions provider NEM enters the bug bounty market with a new private program aimed at its Symbol project.

Notes:
The project’s applications in scope include the Symbol QR Library, Symbol HD Wallet, Symbol CLI, and Symbol Desktop Wallet, with NEM naming issues as critical in instances of “key generation and persistence, key usage and signing of transactions, and protocol level issues that could corrupt or break the state of the blockchain given a valid signed transaction”.

Visit the Symbol bug bounty page at HackerOne for more info

Other bug bounty and VDP news:

  • GadgetProbe, a new tool developed by researchers at Bishop Fox, aims to reduce the frustration of exploiting Java deserialization bugs.
  • DigitalOcean, Orion Labs, Myndr, and Qulture.Rocks have launched points-only VDPs on HackerOne.
  • According to reports, the launch of Ethereum 2.0 is drawing closer. Following a ‘Phase 0’ audit, project coordinator Danny Ryan said the next step is to launch multi-client test networks and a bug bounty program.
  • In case you missed it, Katie Moussouris and Chris Wysopal’s RSA Conference keynote on coordinated vulnerability disclosure is now available on YouTube.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


Additional reporting by Catherine Chapman and James Walker

