New web targets for the discerning hacker

US federal agencies were told this month that they will soon have to implement a vulnerability disclosure policy (VDP) – a move that will enable security researchers to report vulnerabilities without fear of legal reprimand.

The Department of Homeland Security says most executive branch agencies will be expected to comply with the new directive. Each VDP should explain where to send a vulnerability report, what types of testing are authorized for which systems, and what communication to expect in response.

The move was welcomed by Alex Rice, CTO and co-founder of HackerOne, who called it “a pivotal milestone in the mission to restore trust in digital democracy and protect the integrity of federal information systems”.

Elsewhere, what this month lacked in new bug bounty programs was made up for in payouts – including a $25,000 bug bounty for one on-the-ball 14-year-old. Andres Alonso spotted a critical XSS vulnerability in Instagram’s Spark AR Studio while making Instagram filters for his own app.

Rather less lucrative was Mohammad-Ali Bandzar’s discovery of a business logic vulnerability in Medium’s Partner Program. He received $250 for reporting that the platform accepted whatever userID cookie value it was given, allowing attackers to divert and steal writers’ article engagement earnings.

Meanwhile, a critical vulnerability was discovered in business communications app Slack that could have given an attacker access to users’ private conversations and passwords.

And a flaw in a JavaScript library used by HackerOne prompts the question “Quis custodiet ipsos custodes?” (who guards the guards?). A prototype pollution vulnerability discovered by researcher William Bowling could have allowed phishing attacks to be staged on unsuspecting users.

Prototype pollution continues to hit the security headlines. Find out more about this dangerous web vulnerability in The Daily Swig's recent in-depth feature.
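The mechanism is small enough to show in full. The following is an added example of the bug class, not the library or exploit from the HackerOne report: a recursive merge that walks a `__proto__` key from attacker-controlled JSON, beside a merge that refuses to do so. The `isAdmin` flag and the JSON payload are constructed for the demonstration.

```javascript
// VULNERABLE (constructed): a typical deep-merge that trusts every key in the
// source object. JSON.parse creates an own property literally named "__proto__",
// and target["__proto__"] resolves to Object.prototype, so the recursion writes
// attacker-chosen properties onto every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}

// HARDENED: skip the keys that reach the prototype chain ("__proto__" directly,
// "constructor"/"prototype" via Object.prototype.constructor), iterate only own
// keys, and never recurse into an inherited target property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A downstream check that never set isAdmin itself but will see a polluted one.
function isPrivileged(user) {
  return user.isAdmin === true;
}

// Constructed attacker input, e.g. a JSON request body merged into defaults.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}, "name": "guest"}';
const ATTACKER_JSON_VIA_CONSTRUCTOR = '{"constructor": {"prototype": {"isAdmin": true}}}';

function demonstrate() {
  const result = {};
  // 1. Unsafe merge: an unrelated, freshly created user object becomes "admin".
  unsafeMerge({}, JSON.parse(ATTACKER_JSON));
  result.pollutedByUnsafeMerge = isPrivileged({ name: 'someone-else' });
  delete Object.prototype.isAdmin; // undo the global damage before continuing

  // 2. Safe merge against both gadget paths: nothing leaks onto the prototype,
  //    and the ordinary key is still merged.
  const merged = safeMerge({ name: 'default' }, JSON.parse(ATTACKER_JSON));
  safeMerge({}, JSON.parse(ATTACKER_JSON_VIA_CONSTRUCTOR));
  result.pollutedBySafeMerge = isPrivileged({ name: 'someone-else' });
  result.mergedName = merged.name;
  result.mergedHasOwnProto = Object.prototype.hasOwnProperty.call(merged, '__proto__');
  return result;
}

module.exports = { unsafeMerge, safeMerge, isPrivileged, demonstrate };
```

`demonstrate()` shows the pollution landing on an object the merge never touched, which is exactly why the impact of this bug class depends on which properties the rest of the application reads without setting them (a flag that disables output escaping turns it into HTML injection, and from there into the phishing scenario described above). Beyond fixing the merge, `Object.freeze(Object.prototype)` at startup, or building config objects with `Object.create(null)`, removes the gadget for code you do not control.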

In community news, we sat down with YouTube cybersecurity educator Katie Paxton-Fear, who discussed machine learning and AI. She got into security almost by mistake, she says, but hopes to make even more contributions to the field by augmenting established research approaches with more data science elements.

We also caught up with Argentinian hacker Santiago Lopez, who gave us the lowdown on how he became the world’s first bug bounty millionaire.


The latest bug bounty programs for September 2020

September saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

CS Money

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$2,000

Outline: CS Money, the trading platform for popular video game Counter-Strike: Global Offensive (CS:GO), has established a bug bounty program to tap the efforts of ethical hackers in rooting out flaws in its systems. Particular emphasis is being placed on web security flaws that might result in site balance manipulation or trading in the absence of a balance.

Notes: CS Money is offering rewards – and $2,000 is not necessarily the maximum possible payout – for security bugs that result in unauthorized access to project servers; cross-site-scripting (XSS) vulnerabilities on the assets with critical functionality; and server-side vulnerabilities that lead to information disclosure.

Visit the CS Money bug bounty page at HackerOne for more info

MainWP

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
Discretionary

Outline: MainWP, a WordPress manager for sysadmins who need to administer multiple websites, has set up a bug bounty program geared at finding security vulnerabilities in its MainWP Dashboard plugin or the MainWP Child plugin.

Notes: A wide range of web security vulnerabilities in the MainWP Dashboard and MainWP Child plugins are covered by the program, but issues with the MainWP site itself or its hosting are specifically excluded.

Visit the MainWP bug bounty page at HackerOne for more info


Faraday

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$1,500

Outline: The program covers the web app and cloud-based infrastructure of the Faraday CRM platform.

Notes: Attacks carried out by authenticated users and web-based security vulnerabilities are among the main classes of issues in scope.

Visit the Faraday bug bounty page at HackerOne for more info


Okta – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$25,000

Outline: Cloud identity technology provider Okta has increased its maximum reward from $15,000 to $25,000.

Visit the Okta bug bounty page at Bugcrowd for more info


National Australia Bank (NAB)

Program provider:
Bugcrowd

Program type:
Private bug bounty

Max reward:
Undisclosed

Outline: The Australian financial institution will reward “vetted security researchers who uncover previously undisclosed vulnerabilities in NAB’s environment”.

Notes: While researchers will work in live environments, they will not have access to any customer information, according to a statement by NAB on the program.

Visit the NAB bug bounty page at Bugcrowd for more info


Other bug bounty and VDP news:

  • The first Inter-University bug bounty challenge came to a close on September 2, with students from two Singaporean universities discovering 33 vulnerabilities over the three-week-long tournament. Singapore Business Review has more details.

  • Google has announced new reward amounts for security researchers who discover product abuse risks. “Based on the great submissions that we received in the past… we increased the highest reward by 166% from $5,000 to $13,337,” the company said.

  • The second annual Capture the Flag for Girls event takes place on December 12, with prizes being awarded to the top five winners. The event was announced by security practitioner Magda Chelly, and full details can be found on her LinkedIn page.


To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.

Introduction by Emma Woollacott. Additional reporting by James Walker.


READ MORE Bug Bounty Radar // The latest bug bounty programs for August 2020