New web targets for the discerning hacker

This month's bug bounty news

This month, we had a chat – socially distanced, of course – with Alex Chapman, who has honed his security skills at companies from Deloitte to HackerOne.

Chapman is particularly interested in source code analysis, reverse engineering, and system analysis, and says he’s spent a lot of the last two years focusing on CI/CD systems.

“I’ll generally work on programs that I know other bug hunters have had good experiences with,” he told The Daily Swig. “I do this full time and I’ve got to pay the mortgage, so I also look at the top 10-15% of programs for payouts.

“Persistence is key – and so is not expecting a huge payout on day one.”

In program news, video sharing app TikTok has launched a public bug bounty program with HackerOne. The announcement was short of detail, but the company has had its fair share of privacy scandals in recent months, and says the program should help “to better uncover potential threats”.

Meanwhile, the German armed forces – the Bundeswehr – has launched a vulnerability disclosure program (VDP) for vulnerabilities found in its IT systems and web applications.

In payout news, a team of hackers this month netted a whopping $288,000 after spending three months hacking Apple’s web domain.

The group discovered 11 bugs marked critical, 29 high severity, 13 medium, and two low severity, and was also able to steal source code from Apple’s internal projects, fully compromising industrial control warehouse software.

Over at GitHub, the team patched a takeover vulnerability in the Gist code-sharing service. The discovery earned developer and bug bounty hunter William “vakzz” Bowling a $10,000 reward.

Also netting $10,000 was security researcher Sayed Abdelhafiz, who revealed a vulnerability in the download feature of Facebook’s Android application that could be exploited to launch remote code execution (RCE) attacks.

And finally, for those who want to emulate these researchers, it's worth checking out some of the latest hacking tools for Q3 of 2020, including tools released at Black Hat USA and DEF CON.


The latest bug bounty programs for October 2020

October saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Accellion

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
Accellion is looking for vulnerabilities in its Enterprise Content Firewall, which it says “helps IT executives lock down the exchange of confidential enterprise information with customers, suppliers, and partners”.

Notes:
Focus areas include any vulnerabilities that allow for remote code execution, XSS or SQL injection attacks, unauthorized access to messages, files, and folders, and more.

Visit the Accellion bug bounty page at Bugcrowd for more info


Citrix Systems

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$6,000

Outline:
Citrix Systems, the US software company providing cloud computing technology and networking services, has launched its first public bug bounty. In scope is its secure browser software, which is used by corporate networks to protect against attacks.

Notes:
There is an exhaustive list of out-of-scope targets, so it’s worth checking that out before wasting time on finding a bug that isn’t eligible. Despite this, there are 13 assets in scope with a range of payouts starting at $200.

Visit the Citrix Systems bug bounty page at HackerOne for more info


Coinsbit

Program provider:
HackenProof

Program type:
Public bug bounty

Max reward:
$1,200

Outline:
Estonian crypto-exchange Coinsbit, launched in 2018, has two million customers, according to the company. It is asking hackers to help secure its domains, apps, and API.

Notes:
Although the payout for critical bugs is much lower than with some cryptocurrency platforms, Coinsbit does offer an interesting list of in-scope vulnerabilities including payments manipulation, leakage of sensitive information, and access control issues.

Visit the Coinsbit bug bounty page at HackenProof for more info


Cosmos – enhanced

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$5,000

Outline:
Blockchain platform Tendermint has doubled its rewards for bugs on its Cosmos Stargate software. Tendermint is asking security researchers to test the software before its release.

Notes:
Hackers can only take advantage of this until December 31, 2020, so act quickly to reap double the rewards.

Visit the Tendermint bug bounty page at HackerOne for more info


Facebook – enhanced

Program provider:
Facebook

Program type:
Public bug bounty

Max reward:
$50,000+

Outline:
Facebook has launched a loyalty program for its in-house bug bounty platform, called Hacker Plus. Security researchers can earn points for each report submitted, and will be rewarded with bonuses and perks.

Notes:
Hackers will be sorted into tiers – Bronze, Silver, Gold, Platinum, and Diamond – based on their score, which will be evaluated by Facebook. Tier entry is based on cumulative quantity, score, and signal-to-noise ratio of their bug submissions over the last year.

Visit the Hacker Plus bug bounty page at Facebook for more info


HP – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$10,000

Outline:
Computer and electronics giant HP has expanded its bug bounty program to include printer cartridges. The program previously offered rewards for printers, though it now also offers payouts for office-class cartridge security vulnerabilities.

Notes:
HP is asking for vulnerabilities in the interfaces associated with HP Original print cartridges, and is offering a handsome $10k per bug.

Visit the HP bug bounty page at Bugcrowd for more info


Logitech

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$500

Outline:
Logitech has launched a bug bounty program focused on securing its IoT hardware, domains, apps, and other software.

Notes:
Although the rewards are relatively small for this one compared to other programs, there is a huge list of in-scope targets to have a go at. Logitech is also not giving hardware to hackers for testing, so it is up to researchers to purchase any devices.

Visit the Logitech bug bounty page at HackerOne for more info


P2PB2B

Program provider:
HackenProof

Program type:
Public bug bounty

Max reward:
$1,000

Outline:
Cryptocurrency exchange P2PB2B has launched its public bug bounty program with HackenProof. The exchange is asking hackers to find bugs including remote code execution, SQLi, server-side request forgery, and other vulnerabilities with a clear potential loss for the company. In scope are two APIs and one web domain.

Notes:
P2PB2B has presented a list of out-of-scope vulnerabilities, which it says are unlikely to be rewarded unless a bug poses a serious business risk. In this case, any sum would be paid at the company’s discretion.

Visit the P2PB2B bug bounty page at HackenProof for more info


TikTok

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$6,900

Outline:
Video sharing platform TikTok announced it was expanding its vulnerability disclosure policy (VDP) to launch a public program with HackerOne. A number of its domains are in scope.

Notes:
Rewards are based on severity as per the Common Vulnerability Scoring System (CVSS) – the more severe the bug, the higher the payout.

Visit the TikTok bug bounty page at HackerOne for more info


Other bug bounty and VDP news:

  • Google launched its ‘Fuzzilli’ grant aimed at boosting JavaScript engine fuzzing research, offering a total of $50,000 for research projects.
  • Elsewhere at Google, the Android Security and Privacy team announced the Android Partner Vulnerability Initiative, focused on discovering bugs within Android OEMs.
  • The US state of Iowa has partnered with Bugcrowd to create a VDP aimed at protecting its election infrastructure, as officials said election cybersecurity is “a race without a finish line”.
  • A VDP from the IoT Security Foundation – ‘Vulnerable Things’ – was launched this month to further enable smart device vendors to secure their products.
  • Hack the Box has launched Hacking Battlegrounds, a new platform that offers a new way of competing and learning through real-time multiplayer games in timed battles.
  • Twitter user Musab Khan shared this helpful recon map to aid bug bounty hunters in their mission.
  • And finally, bug bounty hunter Ahmad Halabi blogged about his journey to reaching HackerOne’s top 100 leaderboard and shared tips, advice, and resources to help others.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.


Introduction by Emma Woollacott. Additional reporting by James Walker.
