New web targets for the discerning hacker

Bug Bounty Radar - the latest bug bounty programs for October 2022

This month’s big news was the Uber hack that saw the breach of the ride-sharing app firm’s internal networks, which appeared to have been carried out via a social engineering attack targeting an employee.

The attacker also gained access to an employee’s HackerOne account before commenting on multiple tickets, implying that they had accessed highly sensitive bug bounty reports that could reveal security vulnerabilities in Uber products and infrastructure.

A 17-year-old in the UK has been arrested in connection with the breach, the City of London Police confirmed.

This incident wasn’t Uber’s only embarrassment this month, as its former security head Joe Sullivan stood trial in the US.

Former Uber engineers testified about their concerns over Sullivan’s decision to treat a 2016 hack as a white hat bounty and pay the hackers $100,000 – thus avoiding scrutiny from the Federal Trade Commission.

In bug bounty news, Immunefi says it has paid out $60 million in bounties and helped avert $25 billion worth of losses from web3 hacks.

The company connects web3 projects that need their code checked and secured with whitehat hackers, offering rewards that can reach as much as $10 million.

Meanwhile, NFT marketplace OpenSea says it has paid out $200,000 to two ethical hackers for finding vulnerabilities, at least one of which was rated critical. The details of the flaws weren’t revealed, but the company says it has moved fast to fix them.

Finally, bounty hunter Sam Curry of Yuga Labs was baffled to receive a $250,000 bounty from Google this month. The only problem? He hadn't submitted any bug report.

According to a company spokesperson – and no doubt disappointingly for Curry – the payment was made in error, and Google planned to ask for it back.

Elsewhere, a survey conducted by SANS Institute and cybersecurity firm Bishop Fox found that the typical ethical hacker can uncover a vulnerability that offers a route beyond the network perimeter in less than 10 hours.

Moreover, 58% can hack into an environment in under five hours once a security flaw has been identified.


The latest bug bounty programs for October 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

ALSCO

Program provider:
HackerOne

Program type:
Public

Max reward:
$1,500

Outline:
Network security provider ALSCO is asking ethical hackers to look for vulnerabilities in its domain.

Notes:
All rewards are based on the CVSS standard. However, ALSCO says that these are general guidelines and payouts are decided at its discretion.

Check out the ALSCO bug bounty page for more details

Aptos Petra Wallet

Program provider:
Immunefi

Program type:
Public

Max reward:
$100,000

Outline:
Aptos Petra Wallet is offering a bumper bounty of $100,000 for the most critical vulnerabilities in its websites and applications.

Notes:
It’s worth checking out the list of top targets on the bug bounty page that could earn the hunter the top prize.

Check out the Aptos Petra Wallet’s bug bounty page for more details

Bing Xchange

Program provider:
HackenProof

Program type:
Public

Max reward:
$4,000

Outline:
Bing Xchange, a crypto social trading exchange that offers spot, derivatives, and copy trading services to more than 100 countries worldwide, is asking for vulnerability reports on two domains, two apps, and its web API.

Notes:
There is an extensive list of out-of-scope targets, so consult it before trying your hand at any of the in-scope ones.

Check out Bing Xchange’s bug bounty page for more details

Caisse d'Epargne Normandie

Program provider:
YesWeHack

Program type:
Public

Max reward:
€2,000

Outline:
The European bank has a number of web applications and APIs to target, and is offering up to €2,000 for the most critical bugs.

Notes:
The bank has noted that any issue in Yousign or mangopay is not in scope, and therefore should not be targeted.

Check out the Caisse d'Epargne Normandie bug bounty page for more details

LinkTree

Program provider:
HackerOne

Program type:
Public

Max reward:
$6,000

Outline:
Social media link sharing tool LinkTree is opening multiple domains and two of its mobile apps to bug bounty hunters looking for security flaws.

Notes:
There are 14 different domains to target and two mobile apps, offering plenty of chances to partake.

Check out the LinkTree bug bounty page for more details

MongoDB

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
MongoDB is asking for reports on security vulnerabilities in two of its domains and its GitHub repositories.

Notes:
There are detailed instructions for bug bounty hunters on how to submit reports, so make sure to read these beforehand.

Check out the MongoDB bug bounty page for more details

Poloniex

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Cryptocurrency exchange Poloniex is asking researchers to look for issues in five of its web domains.

Notes:
The most critical bugs can potentially net bug bounty hunters £5,000.

Check out the Poloniex bug bounty page for more details

Stader for NEAR

Program provider:
Immunefi

Program type:
Public

Max reward:
$1 million

Outline:
Ethical hackers are being offered the chance to bag an eye-watering one million dollars for vulnerabilities in Stader, a “non-custodial smart contract-based staking platform that helps you conveniently discover and access staking solutions”.

Notes:
Bug severities – and therefore payouts – are classified according to Immunefi’s own scoring system.

Check out the Stader for NEAR bug bounty page for more details


Curated by Jessica Haworth. Additional reporting by Emma Woollacott.
