
Bug Bounty Radar // The latest bug bounty programs for September 2021



New internet targets for the discerning hacker


In bug bounty program news this past month, a researcher earned $15,000 for reporting a bug in Chromium that allowed code to be injected into embedded website pages, even when the target and source existed on separate domains.

Two dating apps also displayed their vulnerabilities. Yan Zhu, security engineer at privacy-focused browser Brave, discovered a vulnerability in OKCupid that allowed attackers to trick users into ‘liking’ or messaging other profiles, potentially gaming the system.

Meanwhile, Robert Heaton, software engineer at payments processor Stripe, developed an automated script that could have exposed Bumble app users’ home addresses or, to some extent, tracked their movements.

True to form, Black Hat USA saw the arrival of new tools for security researchers and bug bounty hunters.

Of note was the open source WARCannon tool, which enables researchers and bug bounty hunters to find novel flaws in web applications, web frameworks, and components by non-invasively testing regex patterns across the entire web for corresponding vulnerability indicators.

Also in focus at the security conference this year was an often-overlooked aspect of vulnerability hunting and bug disclosure: the report writing process.

Finally, we spoke with Aaron Portnoy, principal scientist at attack surface management specialist Randori, about bug bounties, supply chain attacks, and vulnerability disclosure.

“I think bug bounty is a great opportunity for people in countries where it’s harder to get into the tech space,” Portnoy said. “I’ve seen people outside of the US and Europe make a lot of money doing this, and that’s great.

“The one caveat I’d give [to organizations] is that it should be a piece of what you’re doing, but it shouldn’t be your entire defensive strategy.”

Read the full interview here.


The latest bug bounty programs for September 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Audiomack

Program provider:
Bugcrowd

Program type: Public

Max reward:
TBC

Outline:
The self-described “artist-first” music streaming platform has partnered with Bugcrowd for its first public bug bounty program, having previously managed its vulnerability disclosure program (VDP) on the platform.

Notes:
No maximum bounty has been announced, but Audiomack said it will operate a “pay-for-results model that attracts a wider variety of testing talent and niche experience”.

Check out our previous coverage for further details

Cardano Foundation

Program provider:
HackerOne

Program type:
Public

Max reward:
$10,000

Outline:
Swiss non-profit Cardano Foundation, which oversees the Cardano blockchain, is offering handsome rewards for vulnerabilities affecting Cardano-Node and Cardano-Wallet.

Notes:
The highest rewards are for critical bugs, including remote code execution, sensitive information leakage, and transaction tampering. General functionality or UI bugs are not in scope.

Visit the Cardano Foundation bug bounty page at HackerOne for more information

Elastic

Program provider:
HackerOne

Program type:
Public

Max reward:
$7,000

Outline:
Elastic, the company behind the popular ‘ELK Stack’ suite of technologies, is looking for security flaws in its products, including the source code for Kibana, Beats, and Logstash.

Notes:
In addition to payouts for individual bugs, Elastic also offers monetary rewards for completing various ‘challenges’, such as reporting seven bugs in a row.

Check out the Elastic bug bounty page at HackerOne for more information

The Graph Foundation

Program provider:
Immunefi

Program type:
Public

Max reward:
$2.5 million

Outline:
The Graph, an indexing protocol for querying networks such as Ethereum and IPFS, is offering huge rewards for vulnerabilities that could affect the entire ecosystem.

Notes:
Rewards vary enormously, so it’s worth checking the extensive list of targets if you’re looking for a big payout.

Visit the Graph Foundation bug bounty page at Immunefi for more information

UAE National Cyber Security Council (NCSC)

Program provider:
Independent

Program type:
Public

Max reward:
TBC

Outline:
The United Arab Emirates’ federal cybersecurity council is asking experienced security researchers to look for vulnerabilities in its national infrastructure and in both the private and public sectors.

Notes:
The program will initially focus on the telecommunications industry, partnering with Etisalat and Emirates Integrated Telecommunications Company, in coordination with the Telecommunications and Digital Government Regulatory Authority (TDRA).

Visit the UAE National Cyber Security Council website for more information

UK Ministry of Defence

Program provider:
HackerOne

Program type:
Private

Max reward:
TBC

Outline:
The UK Ministry of Defence (MoD) invited ethical hackers to test for flaws in its networks and 750,000 devices.

Notes:
The program was held over 30 days and was “part of wider plans to ensure transparency and collaborate with partners to improve national security”, says the MoD. Researchers hoping to take part in future programs should keep an eye on HackerOne’s website.

Visit the Ministry of Defence website for more information

Xvideos

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Xvideos, a free hosting website for pornographic videos, is asking security researchers to “keep its business and customers safe” through a new bug bounty program. Scope is limited to security vulnerabilities found on Xvideos, Xvideos Red, Xnxx, and Xnxx Gold, as well as in the Xvideos and Xnxx mobile applications.

Notes:
Critical bugs include zero-to-one click user account takeover, backend interface takeover, and server takeover or potential takeover. Several other vulnerabilities are not in scope and will not be eligible for reward, such as denial-of-service, brute-force, and social engineering attacks.

Visit the Xvideos bug bounty page at HackerOne for more information


Other bug bounty and VDP news this month

  • As part of this year’s DEF CON AI Village, Twitter launched the industry’s first algorithmic bias bounty competition.
  • Google has announced the launch of a new platform for security researchers to report bugs to the company in a more efficient way. The channel, bughunters.google.com, brings together the company’s various rewards programs.
  • In a bizarre twist to one of this year’s biggest infosec news stories, Poly Network has rewarded the hacker who took and subsequently returned $610 million in cryptocurrency with a $500,000 bug bounty.
  • John Deere and ChargePoint have launched unpaid vulnerability disclosure programs (VDPs) on HackerOne.
  • Google has announced that it will sponsor up to 52 capture-the-flag (CTF) competitions over the coming year. Fill in this online form if you’d like your event to be considered.

Introduction by Emma Woollacott. Additional words by James Walker.
