New web targets for the discerning hacker

Bug Bounty Radar - The latest bug bounty programs for September 2021

In bug bounty program news this past month, a researcher has earned $15,000 for reporting a bug in Chromium that allowed code to be injected in embedded site pages, even if the target and destinations existed on separate domains.

Two dating apps also displayed their vulnerabilities. Yan Zhu, security engineer at privacy-focused browser Brave, found, a vulnerability in OKCupid allowed attackers to trick users into ‘liking’ or messaging to other profiles – potentially gaming the system.

Meanwhile, Robert Heaton, software engineer at payments processor Stripe, developed an automated script that could have exposed Bumble app users’ home addresses or, to some extent tracked their movements.

True to form, Black Hat USA saw the arrival of new tools for security researchers and bug bounty hunters.

Of note was the open source WARCannon tool that allows researchers and bug bounty hunters to discover novel flaws in web applications, web frameworks, and components by non-invasively testing regex patterns across the entire internet for corresponding vulnerability indicators.

Also in focus at the security conference this year was an often-overlooked aspect of vulnerability hunting and bug disclosure: the report writing process.

Finally, we spoke with Aaron Portnoy, principal scientist at attack surface management specialist Randori, about bug bounties, supply chain attacks, and vulnerability disclosure.

“I think bug bounty is a great opportunity for people in countries where it’s more difficult to get into the tech space,” Portnoy said. “I’ve seen people outside of the US and Europe make a lot of money doing this, and that’s great.

“The only warning I would give [to organizations] is that it should be a piece of what you are doing, but it shouldn’t be your entire defensive strategy.”

Read the full interview here.


The latest bug bounty programs for September 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Audiomack

Program provider:
Bugcrowd

Program type: Public

Max reward:
TBC

Outline:
The self-described “artist-first” music streaming platform has partnered with Bugcrowd for its first public bug bounty program, having previously managed its vulnerability disclosure program (VDP) on the platform.

Notes:
No maximum bounty has been announced, however Audiomack said it will operate a “pay-for-results model that attracts a wider variety of testing skills and niche experiences”.

Check out our previous coverage for further details

Cardano Foundation

Program provider:
HackerOne

Program type:
Public

Max reward:
$10,000

Outline:
Swiss non-profit Cardano Foundation, which oversees the Cardano blockchain, is offering handsome rewards for vulnerabilities affecting Cardano-Node and Cardano-Wallet.

Notes:
The greatest rewards are for critical bugs, including remote code execution, sensitive information leakage, and transaction tampering. General functionality or UI bugs are not in scope.

Visit the Cardano Foundation bug bounty page at HackerOne for more info

Elastic

Program provider:
HackerOne

Program type:
Public

Max reward:
$7,000

Outline:
Elastic, the company behind the popular ‘ELK Stack’ suite of technologies, is looking for security flaws in its products including the source code for Kibana, Beats, and Logstash.

Notes:
In addition to payouts for individual bugs, Elastic also offers monetary rewards for completing various ‘challenges’, such as reporting seven bugs in a row.

Check out the Elastic bug bounty page at HackerOne for more info

The Graph Foundation

Program provider:
Immunefi

Program type:
Public

Max reward:
$2.5 million

Outline:
The Graph, an indexing protocol for querying networks such as Ethereum and IPFS, is offering huge rewards for vulnerabilities that can affect the entire ecosystem.

Notes:
Rewards vary greatly, so it’s worth checking the extensive list of targets if you’re looking for a big payout.

Visit the Graph Foundation bug bounty page at Immunefi for more info

UAE National Cyber Security Council (NCSC)

Program provider:
Independent

Program type:
Public

Max reward:
TBC

Outline:
The United Arab Emirates’ federal cybersecurity council is asking experienced security researchers to look for vulnerabilities in its national infrastructure and both private and public sectors.

Notes:
The program will initially focus on the telecommunications industry, partnering with Etisalat and Emirates Integrated Telecommunications Company, in coordination with the Telecommunications and Digital Government Regulatory Authority (TDRA).

Visit the UAE National Cyber Security Council website for more info

UK Ministry of Defence

Program provider:
HackerOne

Program type:
Private

Max reward:
TBC

Outline:
The UK Ministry of Defence (MoD) invited ethical hackers to test for flaws in its networks and 750,000 devices.

Notes:
The program was held over 30 days and was “part of wider plans to ensure transparency and collaborate with partners to improve national security”, says the MoD. Researchers hoping to take part in future programs should keep an eye on HackerOne’s website.

Visit the Ministry of Defence website for more info

Xvideos

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Xvideos, a free hosting website for pornographic videos, is asking security researchers to “keep its business and customers safe” through a new bug bounty program. Scope is limited to security vulnerabilities found on the Xvideos, Xvideos Red, Xnxx, and Xnxx Gold, as well as in the Xvideos and Xnxx Mobile application.

Notes:
Critical bugs include zero-to-one click user account takeover, backend interface takeover, and server takeover, or potential takeover. Several other vulnerabilities are not in-scope and will not be eligible for reward, such as denial-of-service, brute-force, and social engineering attacks.

Visit the Xvideos bug bounty page at HackerOne for more info


Other bug bounty and VDP news this month

  • As part of this year’s DEF CON AI Village, Twitter introduced the industry’s first algorithmic bias bounty competition.
  • Google has announced the launch of a new platform for security researchers to report bugs to the company in a more efficient way. The channel, bughunters.google.com, brings together the company’s various rewards programs.
  • In a bizarre twist to one of this year’s biggest infosec news stories, Poly Network has rewarded the hacker who took and subsequently returned $610 million in cryptocurrency with a $500,000 bug bounty.
  • John Deere and ChargePoint have launched unpaid vulnerability disclosure programs (VDPs) on HackerOne.
  • Google has announced that it will sponsor up to 52 capture-the-flag (CTF) competitions over the coming year. Fill in this online form if you’d like your event to be considered.

Introduction by Emma Woollacott. Additional words by James Walker.


PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for August 2021