
Bug Bounty Radar // The latest bug bounty programs for March 2021



New web targets for the discerning hacker

The latest bug bounty news and programs for March 2021

Welcome to the first Bug Bounty Radar of 2021, back with a bang after a brief hiatus. As you'll see, we've launched a smart new design, but rest assured, you'll still find the same mix of the latest bug bounty news, programs, and vulnerability write-ups.

We kicked off the year with an interview with Swiss bounty hunter 'Xel', AKA Raphaël Arrouas, who shared the secrets of his success, along with tips for those just starting out.

"Focusing on impact rather than quantity allows me to dedicate more time to researching vulnerabilities in depth and learn something in the process," he says. "And it's worthwhile considering the payout scales, which usually greatly favor high and critical impact vulnerabilities."

Elsewhere, bug hunter Alex Birsan netted $130,000 by demonstrating how a novel supply chain attack allowed him to hack into systems belonging to Apple, Microsoft, PayPal, and other major tech companies.

By exploiting a vulnerability dubbed 'dependency confusion', he was able to execute code inside the companies' networks by overriding privately-used dependency packages with malicious public packages of the same name: when a package manager is configured to consult both a private registry and the public one, it will happily pull the public package that matches the name, typically because the attacker gave it a higher version number.

And precisely this supply chain attack has already been seen in the wild. A developer at automated software testing specialist Qentinel reported the failure of a build pipeline when fetching internal libraries and traced the problem to suspicious packages in the Python Package Index (PyPI). The problem was fixed a day later.
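The mechanism behind the two paragraphs above (Birsan's technique and the Qentinel build failure) is easy to reproduce offline. The following is an added example written for this page; it is not Birsan's tooling, not Qentinel's pipeline, and not pip's real resolver. It models the behaviour that makes the attack work: a resolver that treats a private index and the public index as peers (pip's `--extra-index-url`, or an npm setup that falls back to the public registry) installs the highest version it finds for a name, wherever that version lives. The hardened model consults indexes in a fixed priority order instead. All package names and index contents are constructed sample data, and the `audit` classification is this example's own, not a standard tool's.

```python
"""Dependency confusion, simulated (added example, constructed data)."""
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]  # package name -> versions that index serves

# Constructed: what the company's private index serves.
PRIVATE_INDEX: Index = {
    "acme-auth":  ["1.1.0", "1.2.0"],
    "acme-utils": ["0.9.1"],
    "requests":   ["2.25.1"],   # mirrored copy of a real public package
}

# Constructed: what the public index serves for the same names.
# "acme-auth" has been claimed by an attacker with an absurdly high version;
# "acme-utils" is not on the public index yet, so it is still claimable.
PUBLIC_INDEX: Index = {
    "acme-auth": ["99.0.0"],
    "requests":  ["2.25.1"],
}


def version_key(v: str) -> Tuple[int, ...]:
    """Order versions numerically ('10.0' > '9.9'); dotted integers only."""
    return tuple(int(part) for part in v.split("."))


def newest(versions: List[str]) -> str:
    return max(versions, key=version_key)


def resolve_merged(name: str, indexes: Dict[str, Index]) -> Optional[Tuple[str, str]]:
    """Model of --extra-index-url behaviour: every index is a peer and the
    highest version across all of them is installed. Returns (index, version)."""
    best: Optional[Tuple[str, str]] = None
    for index_name, index in indexes.items():
        if name in index:
            v = newest(index[name])
            if best is None or version_key(v) > version_key(best[1]):
                best = (index_name, v)
    return best


def resolve_ordered(name: str, indexes: Dict[str, Index]) -> Optional[Tuple[str, str]]:
    """Hardened model: indexes are consulted in priority order and the first
    one that knows the name wins, so a public upload can never shadow a
    private package. With pip this corresponds to a single --index-url that
    points at a private proxy which decides where each name comes from."""
    for index_name, index in indexes.items():
        if name in index:
            return (index_name, newest(index[name]))
    return None


def audit(private: Index, public: Index) -> Dict[str, List[str]]:
    """Classify every private package name by its exposure to confusion
    (this example's own categories, not a standard tool's)."""
    report: Dict[str, List[str]] = {"hijacked": [], "claimable": [], "mirrored": []}
    for name, versions in private.items():
        if name not in public:
            report["claimable"].append(name)   # attacker can still register it
        elif version_key(newest(public[name])) > version_key(newest(versions)):
            report["hijacked"].append(name)    # merged resolution already prefers public
        else:
            report["mirrored"].append(name)    # public version is same or lower, for now
    return report


if __name__ == "__main__":
    indexes = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
    for pkg in PRIVATE_INDEX:
        print(f"{pkg:12s} merged -> {resolve_merged(pkg, indexes)}"
              f"   ordered -> {resolve_ordered(pkg, indexes)}")
    print(audit(PRIVATE_INDEX, PUBLIC_INDEX))
```

Note that a "mirrored" name is only safe today: in merged mode, the next public release with a higher version would win, and a "claimable" name is one the attacker has simply not registered yet. Reserving the name on the public index, pinning with hashes, and routing every install through a single private proxy are the usual defences.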

You'll find more information on supply chain attacks in our latest deep dive on the issue, along with prevention and mitigation advice.

In military news, the German armed forces, the 'Bundeswehr', say they have received more than 60 valid reports since the start of their vulnerability disclosure program (VDP) three months ago. These included cross-site scripting (XSS), SQL injection, misconfiguration, information leakage, and open redirect bugs.

Meanwhile, DARPA, the US military's technology R&D agency, has given an update on its own bug bounty program. The agency says it has uncovered 10 vulnerabilities, seven critical and three high, with four already patched and the others soon to be resolved.

And finally, for those who missed it, HTTP/2 cleartext (H2C) smuggling has been voted the top web hacking technique of 2020.

"Conceptually similar" to last year's WebSocket smuggling, "request tunnelling exploitation is an emerging art so this one may be a slow burn, but we anticipate some serious carnage in future", said James Kettle, head of research at PortSwigger Web Security.

It'll be interesting to see which of these techniques becomes the bug hunters' favourite in 2021.


The latest bug bounty programs for March 2021

The past month saw the arrival of several new bug bounty programs. Here's a list of the latest entries:

Aruba Networks

Program provider: Bugcrowd

Program type: Public bug bounty

Max reward: $5,000

Outline: Aruba Networks, the wireless networking subsidiary of Hewlett Packard Enterprise, has launched a new bug bounty program to help shore up the security of various products and services, including ArubaOS Controllers and Access Points, Aruba Instant, Aruba InstantOn, Aruba ClearPass Policy Manager, ArubaOS-CX, and more.

Notes: In order to exploit many of the in-scope flaws, researchers need to be in possession of Aruba Access Point hardware. While these devices will not be provided, the company said it will pay up to $5,000 for the disclosure of unauthenticated vulnerabilities affecting its technology.

Visit the Aruba Networks bug bounty page at Bugcrowd for more information

Chime Financial, Inc.

Program provider: HackerOne

Program type: Public

Max reward: $10,000

Outline: Chime Financial is looking for security vulnerabilities in its bank account and money management app Chime.

Notes: There's a rather extensive list of out-of-scope vulnerabilities, so it's worth checking these before diving in. It includes denial-of-service attacks and vulnerabilities in third-party services that aren't owned by Chime.

Visit the Chime Financial bug bounty page at HackerOne for more information

FetLife

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $5,000

Outline: FetLife, a "social network for the BDSM, fetish, and kinky community", is asking the security community to test its systems for vulnerabilities, with a particular focus on web-based exploits including SQL injection, XSS, cross-site request forgery (CSRF), and more.

Notes: "No technology is perfect, and FetLife believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology," the company said.

Visit the FetLife bug bounty page at HackerOne for more information

FTX.US

Program provider: HackenProof

Program type: Public bug bounty

Max reward: $2,500

Outline: Security researchers can now try their hand at attacking FTX.US, a brand new, US-regulated cryptocurrency exchange. The company is paying up to $2,500 for vulnerabilities affecting its web and mobile apps.

Notes: "Our mission is for FTX.US to grow the digital currency ecosystem, offer US traders a platform that inspires their loyalty, and become a market leading US cryptocurrency exchange over the next two years," the company said.

Visit the FTX.US bug bounty page at HackenProof for more information

LaunchDarkly

Program provider: HackerOne

Program type: Public

Max reward: $4,500

Outline: Feature management tool LaunchDarkly is looking for researchers to test the products that businesses worldwide use to deploy code.

Notes: LaunchDarkly is asking for reports that include reproducible steps; any submitted without them will not be eligible for a reward. Payout figures are guidelines, and any reward is at the discretion of the company.

Visit the LaunchDarkly bug bounty page at HackerOne for more information

Matrix.org Foundation

Program provider: Intigriti

Program type: Public

Max reward: €5,000 ($6,000)

Outline: Intigriti has launched an EU-backed program for secure communications tool Matrix as part of a drive by the European Commission, the executive branch of the European Union, to secure critical open source software projects.

Notes: Security researchers are offered up to $6,000 for flaws, and can earn an additional 20% on top of their reward if a viable patch is provided with the report.

Visit the Matrix.org Foundation bug bounty page at Intigriti for more information

O1 Labs

Program provider: HackerOne

Program type: Public

Max reward: $10,000

Outline: O1 Labs is a software development company specializing in cryptography and cryptocurrency. It's looking for any vulnerabilities that may endanger the security of its services and customers.

Notes: A number of known vulnerabilities are already listed, so it's worth taking a look to avoid reporting duplicates. These include a DDoS vulnerability and remote persistent throwout. O1 Labs has also provided a list of possible bugs to be explored.

Visit the O1 Labs bug bounty page at HackerOne for more information

Panther Labs

Program provider: HackerOne

Program type: Public

Max reward: $1,337

Outline: Panther Labs, a platform for log analysis, cloud security, and data analytics, is looking for vulnerabilities ranging from user data exposure to remote code execution (RCE).

Notes: You may notice that Panther Labs has had a bit of fun with its max payout figure, which is awarded for critical issues including RCE and SQL/NoSQL injection.

Visit the Panther Labs bug bounty page at HackerOne for more information

Sixt

Program provider: HackerOne

Program type: Public

Max reward: $3,000-$4,000

Outline: International car rental and ride hailing platform Sixt is asking bug hunters to search for vulnerabilities in both its web platform and its mobile applications.

Notes: There are two maximum payouts in this program: $3,000 for web vulnerabilities and $4,000 for security issues in the Sixt Android and iOS applications. Sixt has listed a number of in-scope targets under its bug bounty program; out-of-scope targets may still be eligible for its vulnerability disclosure program, which can earn researchers Sixt swag.

Visit the Sixt bug bounty page at HackerOne for more information

Step

Program provider: Bugcrowd

Program type: Public bug bounty

Max reward: $4,500

Outline: Step is a financial services company that aims to provide younger generations with the tools to make budgeting, saving, and managing money easy. The company's new bug bounty program is focused on securing the Step Android and iOS apps.

Notes: No test account is provided, so bug hunters are asked to sign up and create a free Step account using their own details.

Visit the Step bug bounty page at Bugcrowd for more information

Unistake Smart Contracts

Program provider: HackenProof

Program type: Public bug bounty

Max reward: $5,000

Outline: Unistake is a decentralized token protocol built "to empower DeFi projects and incentivize liquidity providers". The developers are looking for security shortcomings that could lead to incorrect behavior of the smart contract and so to unintended functionality, such as loss of funds, unauthorized transactions, or transaction reordering.

Notes: In special circumstances, the size of the bug bounty award can be increased if the researchers demonstrate how the vulnerability can be used to inflict maximum harm.

Visit the Unistake bug bounty page at HackenProof for more information


Other bug bounty and VDP news this month

  • The Hilton hotel group, Ohio Secretary of State, Hud App, the World Health Organization's Covid-19 mobile app, and Checkout have all launched (unpaid) VDPs through HackerOne.
  • Google has launched OSV, a new service that aims to improve vulnerability triage for developers and consumers of open source software.
  • French bug bounty platform Yogosha is hosting a 24-hour capture-the-flag competition in partnership with Kaspersky on March 13. Check out the Yogosha blog for full details.
  • Infosecurity Magazine's Phil Muncaster recently pulled focus on the growing scourge of 'beg bounties': unsolicited security vulnerability reports, usually sent to small businesses with no bug bounty program in place, that demand payment.
  • OrderBox, HostGator, and Web.com have launched points-only VDPs on Bugcrowd.
  • As reported by Dark Reading, security researchers are pushing for a 'bug bounty program of last resort' to help protect the world's most critical digital infrastructure.
  • In case you missed it, we recently profiled Malvuln.com, the first website "solely dedicated" to revealing security vulnerabilities in malware.

Additional reporting by Jessica Haworth and James Walker.



