New web targets for the discerning hacker

Bug Bounty Radar // The latest bug bounty programs for May 2022

Bug Bounty hunters who’d like a little more financial predictability in their lives were given that option this month, with a new program from Intigriti offering payment by the hour.

A hybrid of the bug bounty and penetration testing models, the program pays for the number of hours a participant spends searching for vulnerabilities, plus a capped reward for each individual bug. In a pre-launch pilot, hackers collectively earned more than €100,000 ($106,000).

In payout news, a hacker who goes by the name ‘Stealthy’ netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.

Queue poisoning attacks enabled data disclosure and account takeover with no user interaction required, Stealthy explained. The bugs affected servers for business.apple.com, school.apple.com, and mapsconnect.apple.com.

Two hacking contests earlier this month also saw researchers earn a bumper crop of rewards.

The second edition of Pwn2Own Miami, for instance, saw payouts totalling $400,000 for dozens of previously undiscovered exploits targeting industrial control systems.

Daan Keuper and Thijs Alkemade were crowned Masters of Pwn with 90 points and $90,000 accrued for their team, while rewards were given for previously unknown zero-day vulnerabilities in industrial control platforms.

Meanwhile, ‘Hack Me I’m Famous’, an overnight hackathon held by bug bounty platform YesWeHack, saw 40 bug bounty hunters compete to find vulnerabilities in French scale-ups or start-ups valued at more than $1 billion.

Of 109 vulnerability reports, 30% were rated as either high or critical severity bugs, with one researcher netting the maximum payout of €10,000.

And finally, an access control vulnerability in open source scheduling platform Easy!Appointments was found to give unauthenticated attackers easy access to personally identifiable information. An unprotected API could expose names, places, and times of bookings made using the app.

The find earned Francesco Carlucci, founder of vulnerability notification platform OpenCIRT, a “small” reward.


The latest bug bounty programs for May 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

AEX

Program provider:
HackenProof

Program type:
Public

Max reward:
$5,000

Outline:
Digital asset exchange AEX is looking to find critical bugs in its web, mobile, and API targets.

Notes:
There is an extensive list of out-of-scope targets that must be avoided. As ever, it’s worth taking a look before you start hunting.

Check out the AEX bug bounty page at HackenProof for more details

American Systems

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
Management consulting services firm American Systems said it “looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe”.

Notes:
Rewards are based on severity per CVSS. However, the company said these are “general guidelines, and reward decisions are up to the discretion of American Systems”.

Check out the American Systems’ bug bounty page at HackerOne for more details

ExpressVPN – enhanced

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$100,000

Outline:
ExpressVPN has increased its top reward – which is now 10 times higher than the previous highest bounty – with $100,000 now on offer for valid critical flaws unearthed in ExpressVPN’s TrustedServer.

Notes:
ExpressVPN built TrustedServer to mitigate the risks posed by traditional server management and the elevated bug bounty reward supplements an independent security audit by PwC.

Read the related ExpressVPN press release for more details

IoTeX

Program provider:
HackenProof

Program type:
Public

Max reward:
$15,000

Outline:
IoTeX is “the leading decentralized network powering the future of web3 and machine economy (MachineFi)”. It is asking researchers to find vulnerabilities in its web domains, mobile apps, and APIs.

Notes:
The top three vulnerabilities in scope are business logic issues, payments manipulation, and remote code execution.

Check out the IoTeX bug bounty page at HackenProof for more details

KAYAK

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Travel company KAYAK is asking for reports related to vulnerabilities in its website, as well as a number of its subsidiaries.

Notes:
Not all of KAYAK’s subsidiaries are in scope, so make sure to confirm before hacking.

Check out the KAYAK bug bounty page at HackerOne for more details

Mastodon – enhanced

Program provider:
Intigriti

Program type:
Public

Max reward:
€20,000

Outline:
Mastodon has increased its maximum payout bounty to €20,000.

Notes:
The bug bounty platform announced on Twitter that the first hacker to claim the new maximum reward will also receive a swag package. Don’t walk, run!

Check out the Mastodon bug bounty page at Intigriti for more details

SHEIN

Program provider:
HackerOne

Program type:
Public

Max reward:
$2,000

Outline:
Fast fashion retailer SHEIN has launched a bug bounty program that includes targets related to its sister company Romwe.

Notes:
This program comes after a successful, limited program last year.

Check out the SHEIN bug bounty page at HackerOne for more details

Sorare

Program provider:
HackerOne

Program type:
Public

Max reward:
$10,000

Outline:
Sorare is a global fantasy football game where managers can trade official digital collectibles.

Notes:
Three assets are in scope: Sorare.com plus Sorare’s API and WebSocket domain.

Check out the Sorare bug bounty page at HackerOne for more details


Other bug bounty and VDP news this month

  • Pfizer has launched a vulnerability disclosure program with HackerOne, because looking for “potential issues helps us ensure the security and privacy of customers and data”.

  • Love swag? Who doesn’t! Intigriti has been giving away monthly swag bags on Twitter.


Additional reporting by Emma Woollacott.
