New web targets for the discerning hacker
This month’s big news was the Uber hack that saw the breach of the ride-sharing app firm’s internal networks, which appeared to have been carried out via a social engineering attack targeting an employee.
The attacker also gained access to an employee’s HackerOne account before commenting on multiple tickets, implying that they had accessed highly sensitive bug bounty reports that could reveal security vulnerabilities in Uber products and infrastructure.
A 17-year-old in the UK has been arrested in connection with the breach, the City of London Police confirmed.
This incident wasn’t Uber’s only embarrassment this month, as its former security head Joe Sullivan stood trial in the US.
Former Uber engineers testified about their concerns over Sullivan’s decision to treat a 2016 hack as a white hat bounty and pay the hackers $100,000 – thus avoiding scrutiny from the Federal Trade Commission.
In bug bounty news, Immunefi says it has paid out $60 million in bounties and helped to avert $25 billion worth of losses from web3 hacks.
The company connects web3 projects that need their code checked and secured with whitehat hackers, offering rewards that can reach as much as $10 million.
Meanwhile, NFT marketplace OpenSea says it has paid out $200,000 to two ethical hackers for finding vulnerabilities, at least one of which was rated critical. The details of the flaws weren’t revealed, but the company says it has moved fast to fix them.
Finally, bounty hunter Sam Curry of Yuga Labs was baffled to receive a $250,000 bounty from Google this month. The only problem? He hadn't submitted any bug report.
According to a company spokesperson – and no doubt disappointingly for Curry – the payment was made in error, and Google planned to ask for it back.
Elsewhere, a survey conducted by SANS Institute and cybersecurity firm Bishop Fox found that the typical ethical hacker can uncover a vulnerability that offers a route beyond the network perimeter in less than 10 hours.
Moreover, 58% can hack into an environment in under five hours once a security flaw has been identified.
The latest bug bounty programs for October 2022
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
ALSCO
Program provider: HackerOne
Program type: Public
Max reward: $1,500
Outline: Network security provider ALSCO is asking ethical hackers to look for vulnerabilities in its domain.
Notes: All rewards are based on the CVSS standard. However, ALSCO says that these are general guidelines and payouts are decided at its discretion.
Check out the ALSCO bug bounty page for more details
Aptos Petra Wallet
Program provider: Immunefi
Program type: Public
Max reward: $100,000
Outline: Aptos Petra Wallet is offering a bumper bounty of $100,000 for the most critical vulnerabilities in its websites and applications.
Notes: It’s worth checking out the list of top targets on the bug bounty page that could earn the hunter the top prize.
Check out the Aptos Petra Wallet’s bug bounty page for more details
Bing Xchange
Program provider: HackenProof
Program type: Public
Max reward: $4,000
Outline: Bing Xchange, a crypto social trading exchange that offers spot, derivatives, and copy trading services to more than 100 countries worldwide, is asking for vulnerability reports on two domains, two apps, and its web API.
Notes: There is an extensive list of out-of-scope targets, so these should be consulted before trying your hand at any targets.
Check out Bing Xchange’s bug bounty page for more details
Caisse d'Epargne Normandie
Program provider: YesWeHack
Program type: Public
Max reward: €2,000
Outline: The European bank has a number of web applications and APIs to target, and is offering up to €2,000 for the most critical bugs.
Notes: The bank has noted that any issue in Yousign or mangopay is not in scope, and therefore should not be targeted.
Check out the Caisse d'Epargne Normandie bug bounty page for more details
LinkTree
Program provider: HackerOne
Program type: Public
Max reward: $6,000
Outline: Social media link sharing tool LinkTree is opening multiple domains and two of its mobile apps to bug bounty hunters looking for security flaws.
Notes: There are 14 different domains to target and two mobile apps, offering plenty of chances to partake.
Check out the LinkTree bug bounty page for more details
MongoDB
Program provider: HackerOne
Program type: Public
Max reward: $5,000
Outline: MongoDB is asking for reports on security vulnerabilities in two of its domains and its GitHub repositories.
Notes: There are detailed instructions for bug bounty hunters on how to submit reports, so make sure to read these beforehand.
Check out the MongoDB bug bounty page for more details
Poloniex
Program provider: HackerOne
Program type: Public
Max reward: $5,000
Outline: Cryptocurrency exchange Poloniex is asking researchers to look for issues in five of its web domains.
Notes: The most critical bugs can potentially net bug bounty hunters £5,000.
Check out the Poloniex bug bounty page for more details
Stader for NEAR
Program provider: Immunefi
Program type: Public
Max reward: $1 million
Outline: Ethical hackers are being offered the chance to bag an eye-watering one million dollars for vulnerabilities in Stader, a “non-custodial smart contract-based staking platform that helps you conveniently discover and access staking solutions”.
Notes: Bug severities – and therefore payouts – are classified according to Immunefi’s own scoring system.
Check out the Stader for NEAR bug bounty page for more details
Curated by Jessica Haworth. Additional reporting by Emma Woollacott.