New web targets for the discerning hacker

Bug Bounty Radar - The latest bug bounty programs for May 2020

Once again, Covid-19 dominated the news this month, with controversy raging over contact-tracing apps and the myriad potential privacy and security issues.

In an effort to allay concerns, India has open-sourced its Aarogya Setu contact-tracing app and has announced a bug bounty program (see below) with a top reward of around $4,000.

European bug bounty platform YesWeHack is also doing its bit to help shore up the security of France’s offering. The company has supplied 20 hackers to test the security of the StopCovid application, and plans to open a public bug bounty program when the app launches.

HackerOne, too, is on the case, continuing to donate bug bounty awards to the World Health Organization (WHO) and various charities.

At H1’s most recent live hacking event – held virtually, of course – ethical hackers donated more than $5,000 of the bounties they earned to the WHO Covid-19 Solidarity Response Fund.

In bug bounty payout news this month, Uruguayan computer science student Ezequiel Pereira has netted $31,337 for uncovering a security flaw in Google’s Cloud Deployment Manager that posed a remote code execution (RCE) risk. It could potentially have been used to gain RCE on Google’s internal infrastructure.

Meanwhile, a DOM-based cross-site scripting (XSS) vulnerability has been discovered in the Google Voice browser extension by researcher Missoum Said, who was awarded a bug bounty of $3,133.

And another DOM-based XSS vulnerability in the ‘Login with Facebook’ button won $20,000 for researcher Vinoth Kumar, who discovered a weakness allowing third-party websites to authenticate visitors through the Facebook platform.

Elsewhere, the Forum of Incident Response and Security Teams (FIRST) has updated its disclosure guidelines to simplify multi-party, coordinated vulnerability disclosure.

The document is aimed at anyone involved in multi-party vulnerability disclosures, from security researchers to incident response teams, and recommends introducing bug bounty programs.

And finally, as we put the finishing touches to this week’s Bug Bounty Radar, HackerOne has just announced that it’s reached a big milestone: the platform has now paid out more than $100 million in bounties.

The platform has delivered around 170,000 valid vulnerability reports to its customers, and says it’s saved them tens of billions of dollars. And the bounties will keep rolling in, it predicts, with hackers set to have earned $1 billion in five years’ time.

The latest bug bounty programs for May 2020

May saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Aarogya Setu contact-tracing app

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$4,000

Outline:
The Aarogya Setu contact-tracing app was launched in India a few weeks ago, when coronavirus cases started spiking in the country. The developers have now open-sourced the code and launched a public bug bounty program in an effort to help identify and remedy any potential security vulnerabilities.

Notes:
More than 110 million Indian citizens are reported to have downloaded the Android app since its launch.

Visit the Aarogya Setu GitHub repo for more info

Ethereum 2.0 – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$20,000

Outline:
Rewards for the Ethereum Phase 0 pre-launch bug bounty program have been doubled prior to the mainnet launch. Payouts for critical vulnerabilities are now $20,000.

Notes:
Check out our recent coverage for full details regarding Ethereum 2.0 and the accompanying bug bounty program.

Visit the Ethereum blog for more info

Google Kubernetes Engine – enhanced

Program provider:
Independent

Program type:
Public

Max reward:
$10,000

Outline:
The Google Vulnerability Reward Program now covers all critical open source dependencies of Google Kubernetes Engine (GKE). The announcement comes on the heels of the launch of the Kubernetes bug bounty program back in January.

Notes:
Google has set up a GKE lab cluster, based on an open source, Kubernetes-based capture-the-flag project. Here, researchers can unearth exploitable vulnerabilities that could compromise nodes, such as privilege escalation bugs in the Linux kernel, and in underlying hardware and infrastructure components. Read our coverage to find out more.

Also check out the Google Security Blog for more info

Gusto – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Gusto, an outsourced payroll, benefits, and HR services supplier, has increased its bug bounty payouts and added bonuses over and above standard awards for security researchers who uncover multiple vulnerabilities in its systems.

Notes:
In addition to the above enhancements, Gusto has added its GraphQL as a new target for bug hunters.

Visit the Gusto bug bounty page at Bugcrowd for more info

Microsoft Azure Sphere – temporary program

Program provider:
Independent

Program type:
Private bug bounty

Max reward:
$100,000

Outline:
Microsoft is running an application-only security challenge offering special bounty awards for research into its Azure Sphere IoT security product. The Azure Sphere Security Research Challenge “aims to spark new high impact security research in Azure Sphere”.

Notes:
The research challenge will run from June 1 through to the end of August for accredited researchers. Microsoft will award bounties of up to $100,000 to researchers who uncover ways to execute code on either the Microsoft Pluton security subsystem or the Azure Sphere application platform’s Secure World.

Visit the Microsoft security blog for more info

Paddy Power Betfair
Program provider:
HackerOne

Program type:
Public

Max reward:
$2,000

Outline:
Ten assets are in scope for Paddy Power Betfair’s new bug bounty program, with rewards ranging from $100 to $2,000 in various Paddy Power and Betfair domains.

Notes:
The betting and gambling giant – now part of the newly merged Flutter Stars Group, the world’s largest online bookmaker – is aiming to respond to reports within two business days and provide bounties within six.

Visit the Paddy Power Betfair bug bounty page at HackerOne for more info

PlanetHoster – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$2,500

Outline:
Canadian web hosting firm PlanetHoster has expanded the scope of its bug bounty program, adding its Panel World control panel as a new target.

Notes:
The organization’s established bug bounty program invites security researchers to uncover flaws in its website or API that could lead to the exposure of sensitive information such as access to other users’ accounts, information, management systems or hosting panels.

Visit the PlanetHoster bug bounty page at Bugcrowd for more info

StopCovid contact-tracing app

Program provider:
YesWeHack

Program type:
Private

Max reward:
TBC

Outline:
France has become the first country in Europe to secure its government-backed Covid-19 contact-tracing app with a bug bounty program. Twenty ethical hackers will probe StopCovid until the program goes public in June.

Notes:
Since the app’s developers are not being paid for their efforts, YesWeHack has agreed to fund the bounties. “We are proud to be able to contribute to reinforce security in the current exceptional situation,” said CEO and co-founder, Guillaume Vassault-Houlière.

Visit the YesWeHack blog for more info

Upwork – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Employment website Upwork has expanded the scope of its bug bounty program, with the addition of a GraphQL endpoint to the scheme.

Notes:
Upwork has been inviting researchers to test its freelancer platform, mobile, and desktop apps for security vulnerabilities since 2018.

Visit the Upwork bug bounty page at Bugcrowd for more info

Xiaomi

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$6,000

Outline:
Chinese consumer electronics giant Xiaomi has launched an expansive bug bounty program covering the company’s web, mobile, and hardware products.

Notes:
Drilling into the web-specific bugs, Xiaomi will pay up to $2,000 for critical vulnerabilities impacting its public-facing assets and services. Researchers specializing in mobile vulnerabilities are being promised $6,000 for the disclosure of critical flaws impacting the company’s Miui Android firmware.

Visit the Xiaomi bug bounty page at HackerOne for more info

Other bug bounty news this month:

  • Polish hacker Kuba Gretzky launched PwnDrop, a new tool that streamlines the process of sharing payloads online without using a third-party server such as Dropbox.
  • HackerOne founder Jobert Abma unearthed a bug in Rails’ ActiveResource package that could have allowed an attacker to access data in unintended ways. Per the platform’s employee rules, Abma was not eligible for a bug bounty payout.
  • Researchers from Doyensec have released an open source tool for testing the validity of polymorphic XSS payloads across popular web-based image processing libraries.
  • The Daily Swig’s Adam Bannister took a deep dive into how possible changes to the US Computer Fraud and Abuse Act could have a major impact on the country’s ethical hackers.
  • Synack has announced the winners of its HackerHangout Europe live hacking competition.
  • And finally, despite the ongoing growth of the bug bounty sector, prominent hacker Sam Curry penned an interesting post urging security enthusiasts not to force themselves to become bug bounty hunters. “Bug bounty success stories are not typically people who have learned how to master something they don’t enjoy doing,” he said.

  • To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.

Compiled by James Walker. Introduction by Emma Woollacott, with additional reporting by John Leyden and Adam Bannister.