New web targets for the discerning hacker

Bug Bounty Radar - The latest bug bounty programs for November 2020

This month, we caught up with Tommy DeVoss, who swapped his black hat for a white one after serving a jail term for hacking into US government and military assets as a teenager.

“I’m a convicted black hat and will spend the rest of my life in jail if I [cross the law] again,” he says in an insightful and entertaining interview.

One of very few hackers to have broken the $1 million bounty threshold, DeVoss says his bug of choice is server-side request forgery (SSRF), but that he’s currently looking for a job “because I’m bored and I miss working with people”.

For aspiring hackers, he recommends the US Department of Defense disclosure program: no bounties, unfortunately, but “it’s an amazing place to learn different architectures and development stacks to start finding bugs”.

In program news, a Google security researcher has been banned from Call of Duty: Modern Warfare after reverse engineering its networking code in pursuit of memory corruption vulnerabilities.

“As a user, I think I ought to be able to research vulnerabilities when I may be at risk,” he says.

And there’s intrigue over at the Internet Bug Bounty program, where PHP has been unceremoniously dropped from the list of targets. The developers of the scripting language say they were never involved in the program, and that vulnerability reports can be made via its own bugs.php.net.

In payout news, Project Zero researcher Felix Wilhelm has reported a design flaw in Actions, GitHub’s workflow management platform, that can give malicious hackers write access to repositories and reveal encrypted secrets.

Security researcher Pedro Oliveira, meanwhile, has netted $5,000 for uncovering a vulnerability in the mobile version of Firefox that exposed victims’ local files to attackers if they visited a specially crafted web page.

And the Ethereum Foundation is bumping up its rewards in the run-up to the launch of Ethereum 2.0, with bug hunters now able to earn up to $50,000 for critical vulnerabilities (see below for details).

And finally, a bounty of a different kind from Binance. The cryptocurrency exchange has awarded $200,000 to a team of anonymous investigators after they identified a hacker who was later indicted for a 2018 phishing campaign.


The latest bug bounty programs for November 2020

November saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Avast – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
n/a

Outline:
Antivirus specialist Avast has launched a revamped bug bounty program with “straightforward rules and added features”. In particular, the company is keen to field reports of vulnerabilities leading to remote code execution (RCE), privilege escalation, denial of service, and AV scan bypasses.

Notes:
Avast has not set an upper limit to its payout figure, although the vendor said it would pay a minimum of $400 per valid report. Security bugs impacting third-party dependencies can be reported on the company’s separate coordinated vulnerability disclosure page.

Visit the Avast bug bounty page for more info


Basecamp

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
Diversified technology firm Basecamp has taken its private bug bounty program public, with the company promising rewards of up to $10,000 for critical vulnerabilities impacting its eponymous project management software and the Hey.com email service.

Notes:
“Our focus is on strong auth (sign-in, sessions, OAuth, account recovery), access control (bypasses, faults, CSRF), and injection prevention (SQL, XSS),” the company said. “Your focus is completely up to you.”

Visit the Basecamp bug bounty page at HackerOne for more info


Ethereum 2.0 – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$50,000

Outline:
The Ethereum 2.0 bug bounty program has bumped up rewards for researchers who submit valid vulnerability reports ahead of the blockchain platform’s shift to a proof-of-stake model.

Notes:
Bug hunters can earn up to $50,000 for critical vulnerabilities in the hotly anticipated Ethereum 2.0 upgrade. The Ethereum Foundation bug bounty panel will decide on financial rewards issued and will lean on the OWASP risk model when making decisions.

Visit the Ethereum bug bounty page for more info


Exodus

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
Another new bug bounty entry in the cryptocurrency space this month is Exodus, which develops desktop, mobile, and hardware crypto-wallets. In-scope issues include technical vulnerabilities or security-related problems in any of the company’s web-facing assets, along with problems in the desktop wallet application.

Notes:
“Our number one goal is to ensure that our users never have their wallet funds at risk,” the company said. “Because our wallet is largely software-based, we’re hoping the security community can help.”

Visit the Exodus bug bounty page at HackerOne for more info


Hotbit

Program provider:
HackenProof

Program type:
Public bug bounty

Max reward:
$1,500

Outline:
Cryptocurrency trading platform Hotbit is asking security researchers to probe its website, REST API, and mobile apps for vulnerabilities. The organization is offering rewards of up to $1,500 for critical bugs, down to $100 for low-impact issues.

Notes:
Researchers have been asked to avoid using web application security scanners for automated vulnerability searching, which generates “massive traffic”.

Visit the Hotbit bug bounty page at HackenProof for more info


Netlify

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$2,000

Outline:
Netlify is a San Francisco-based cloud services company that provides hosting and serverless backend services for web applications and static websites.

Notes:
In-scope are app.netlify.com and api.netlify.com, with critical flaws attracting bounties of $2,000, and high-severity finds earning bug hunters $1,000.

Visit the Netlify bug bounty page at HackerOne for more info


WhiteBIT

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$1,500

Outline:
WhiteBIT, a cryptocurrency exchange with more than 300,000 users in Europe, Asia, and the CIS countries, is offering $1,500 for critical vulnerabilities.

Notes:
Valid targets include two websites, the company’s API, and Android and iOS apps.

Visit the WhiteBIT bug bounty page for more info


Xilinx

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Integrated circuit manufacturer Xilinx has opened its doors to the security research community by launching a new bug bounty program through HackerOne.

Notes:
This program pertains only to the company’s Bootgen and Xilinx Runtime (XRT) projects. “Examples of out-of-scope products include… BootROM, u-boot, FSBL, PetaLinux, Xilinx owned websites, Xilinx silicon, hardware accelerators, and QEMU used for security,” the manufacturer said.

Visit the Xilinx bug bounty page at HackerOne for more info


Yoti

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Mobile authentication start-up Yoti has launched a new vulnerability disclosure program. The company is offering payouts of up to $3,000 for the coordinated disclosure of vulnerabilities in its iOS and Android applications, backend services, and website.

Notes:
The Yoti security team has asked researchers to avoid testing the ‘free trial’ URL, as some known issues against this endpoint are currently being triaged.

Visit the Yoti bug bounty page at HackerOne for more info


Other bug bounty and VDP news:

  • The third iteration of the US Department of Defense’s Hack the Army bug bounty program is due to begin on December 14 and will continue until January 14, 2021.
  • Secure Code Warrior has launched Missions – a series of hands-on, interactive coding simulations of real-world applications that encourage developers to experience the impact of poor code practices in a safe environment.
  • RMS, Jimdo, ImpressCMS, Navient Solutions, and Mendix have all launched (unpaid) VDPs on HackerOne.
  • Speaking at the FIRST annual conference this month, Project Zero’s Ben Hawkes confirmed that Google’s elite security team will create a ‘crystal ball’ forecast panel to help improve the vulnerability disclosure process.
  • The Flat Network Society has open-sourced CTFNote, a collaborative tool that aims to help capture-the-flag teams organize their work. Check out the GitHub repo for full details.
  • European bug bounty platform Intigriti has won the Deloitte 2020 Rising Star award for most promising tech start-up in Belgium. “We’re incredibly proud to receive this title,” said CEO Stijn Jans.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


Introduction by Emma Woollacott. Additional reporting by Adam Bannister.

