Bug Bounty Radar // The latest bug bounty programs for August 2020


New web targets for the discerning hacker


While August was a quiet month for many in lockdown, the number of new bug bounty programs launching certainly didn’t slow down.

Among more than a dozen new or enhanced programs to land last month was a vulnerability disclosure policy (PDF) from the largest election software vendor in the US, ES&S.

With the 2016 US presidential election dogged by accusations of Russian interference and the next election coming into view, the news was announced at Black Hat USA.

Unsurprisingly, the infosec community has long been unimpressed by the sector’s unwillingness to crowdsource the security of voting systems.

The Zero-Day Initiative (ZDI), meanwhile, marked its 15th anniversary with the news that it has awarded more than $25 million in bug bounties to more than 10,000 security researchers since its foundation.

It’s been a bounteous year on Microsoft’s program too, with the software giant announcing that it’s handed out a whacking $13.7 million in bug bounties over the last 12 months.

That’s more than three times the $4.4 million awarded over the previous year, with the loot split between 327 researchers. The big pot reflects the fact that the company has launched six new bug bounty programs over the last year, attracting more than 1,000 eligible reports.

And there were big payouts from Google last month for the discovery of a root privilege escalation and persistence flaw in ChromeOS – netting the researcher $45,000 – and for a bug that impacted mobile applications developed on Google’s Firebase platform, which earned the researcher more than $30,000.

Last month, we interviewed Vladimir Dubrovin, information security technical advisor at Mail.ru Group, who gave us the lowdown on its various HackerOne bug bounty programs.

And finally, news emerged that Joseph Sullivan, former CSO at Uber, was facing charges related to accusations that he tried to cover up the 2016 hack that exposed millions of users’ personal data by “funneling the payoff through a bug bounty program”.

The Department of Justice also said that “Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers refused to provide their true names”. Sullivan faces a maximum five years’ imprisonment.


The latest bug bounty programs for August 2020

August saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

US Department of State

Program provider:
Independent

Program type:
Public

Max reward:
$10 million

Outline:
Not technically a bug bounty program, but it’s close enough given the phenomenal rewards on offer. The US government has pledged up to $10 million for information related to foreign agents looking to disrupt elections through cyber-attacks, as reported by The Daily Swig.

Notes:
The US Department of State announced that it is seeking the identification or location of any foreign adversary looking to interfere with federal, state, or local elections by aiding or abetting a violation of computer fraud and abuse laws.

Read the US DoJ statement for more info

Solana BBP

Program provider:
HackerOne

Program type:
Public

Max reward:
$20,000

Outline:
The Solana blockchain protocol aims to help developers produce “real-world, mission-critical applications in a censorship-resistant, open web”.

It is encouraging bug bounty hunters to seek out vulnerabilities in its GitHub repos.

Notes:
Solana is offering rewards – $20k is not necessarily the upper limit – for reports that demonstrate the ability to crash the runtime or cripple the network, breach the virtual machine sandbox, exploit accounts, tweak or break global inflation, change inflation reward distribution, or steal inflation rewards, among other capabilities.

Visit the Solana BBP bug bounty page at HackerOne for more info

Mozilla – enhanced

Program provider:
Independent

Program type:
Public

Max reward:
$10,000

Outline:
Mozilla is now offering rewards for the discovery of flaws in its exploit mitigation technology, as previously reported by The Daily Swig.

Payouts of up to $10,000 are available to ethical hackers who devise mechanisms to defeat the exploit mitigation and defense-in-depth measures that are built into the Firefox web browser.

Notes:
Post-authorization exploit mitigation bugs now qualify for bounties too. Exploit mitigation bugs that don’t rely on privileged access will be eligible for a 50% bonus. A policy to pay out on security bugs discovered by external researchers in the pre-release Nightly versions of Firefox, after a four-day grace period, has also been introduced.

Visit the Mozilla bug bounty page for more info

Rebellion Defense

Program provider:
HackerOne

Program type:
Public

Max reward:
Undisclosed

Outline:
Rebellion Defense builds “modern, scalable products that use artificial intelligence to analyze, secure, and transport national security and defense data”. It claims its products “quickly deliver vital information for national security missions that defend democracy, humanitarian values, and the rule of law”.

Notes:
In scope are all systems created or operated by Rebellion Defense on the internet, including not only public-facing websites but also their development, staging, and production environments.

Visit the Rebellion Defense bug bounty page at HackerOne for more info

Sophos – enhanced

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$10,000

Outline:
Sophos has launched time-limited rewards for XG Firewall, raising payouts for specific P1 findings up to $10,000 until further notice.

Notes:
Eligible findings must be reproducible on fully patched v17.5 or v18.0 installations of XG Firewall.

Visit the Sophos bug bounty page at Bugcrowd for more info

FireEye – enhanced

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
FireEye’s bug bounty program is now public, as covered by The Daily Swig. The California-based security software provider will pay out between $1,500 and $2,500 for critical flaws and between $50 and $150 for low-severity vulnerabilities.

Notes:
The program is focused on the company’s core infrastructure, with third-party products out of scope, along with social engineering attacks, physical security attacks, and denial-of-service attacks. However, Steven Booth, vice president and CSO, says FireEye intends to expand the program’s scope “in the coming months”.

Visit the FireEye bug bounty page at Bugcrowd for more info

BugPoC

Program provider:
HackerOne

Program type:
Public

Max reward:
$4,000

Outline:
BugPoC is a platform for building and sharing proof-of-concepts for bug bounty submissions, pen test deliverables, and red team reports.

Notes:
BugPoC has included notes by a fellow hacker about probing the BugPoC attack surface – including the front-end, HTTP, and Python PoC generators, as well as the ExploitDB importer, and Burp Suite Extension.

Visit the BugPoC bug bounty page at HackerOne for more info

WestJet

Program provider:
Bugcrowd

Program type:
Public

Max reward:
Undisclosed

Outline:
The Canadian airline has invited researchers to probe its westjet.com and flyswoop.com domains.

Notes:
The company will initially rate and prioritize bugs according to the Bugcrowd Vulnerability Rating Taxonomy, potentially reprioritizing depending on a flaw’s likelihood or impact.

Visit the WestJet bug bounty page at Bugcrowd for more info

Aiven

Program provider:
HackerOne

Program type:
Public/private

Max reward:
$3,000

Outline:
Aiven provides fully managed, immediately deployable, open source data infrastructure in public clouds, including Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

Notes:
In scope are Apache Kafka, Apache Kafka Connect, Apache Cassandra, Elasticsearch, PostgreSQL, MySQL, Redis, InfluxDB, and Grafana.

Visit the Aiven bug bounty page at HackerOne for more info

Acronis

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
Acronis, which provides backup, anti-ransomware services, and cyber infrastructure, has launched a wide-ranging program.

Notes:
Tier one rewards – the most lucrative bounties – cover the Acronis Cyber Cloud platform, accessed through Acronis’ beta environment; tier two involves Acronis Cyber Backup, an on-premises backup solution designed for the business environment; tier three covers the main domain hosting user-facing Acronis services; and the lowest tier involves all other Acronis domains and domains belonging to Acronis-owned companies.

Visit the Acronis bug bounty page at HackerOne for more info

Other bug bounty and VDP news:

August also saw the launch of bug bounty programs from US loan provider Affirm, bitcoin gaming brand Coingaming, Slack polling app SimplePoll, real estate company Engel & Völkers, and B2B email finder Dropcontact. New targets were added to programs from Cloudinary, Binance, and Centrify.

The Australian federal government said it has never considered launching a bug bounty program to protect its assets, despite the method’s worldwide popularity with other nations.

The US government announced it is considering a “hybrid model” allowing access to classified source code for bug bounty hunters. It comes after Def Con attendees were encouraged to hack satellites during this year’s virtual conference.

The deadline to enter Google’s Capture the Flag competition ended in late August. Those who have qualified will have the chance to play for a cash prize in October.

One bug bounty hunter earned $6,000 from Facebook’s program after discovering that Instagram kept photos and direct messages for months after they were deleted.

In other news, six months after the launch of the US Defense Department’s hardware bug bounty program, no one has managed to crack its systems.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.

Introduction by Emma Woollacott. Additional reporting by Jessica Haworth
