Bounty


#hacking | Bug Bounty Radar // The latest bug bounty programs for February 2020

Source: National Cyber Security – Produced By Gregory Evans

New web targets for the discerning hacker

Global awareness of hackers continued to ramp up throughout the month of February, with the launch of new and improved bug bounty programs and the realization that some heroes wear… black hoodies.

That was the feeling, at least, in the French city of Lille, which hosted a two-day live hacking event as part of the 2020 Forum International de la Cybersécurité, an annual security conference and trade show.

The event saw 100 hackers finding bugs in the systems of The Red Cross, Oui SNCF, secure messaging provider Olvid, and Cybermalveillance.gouv.fr, a cybersecurity division of the French government.

“Bug bounties are not only for Uber or Deezer, it’s for any organization inspired by cybersecurity and willing to address the bugs in its systems,” Rodolphe Harand, manager of YesWeHack, the bug bounty platform that hosted the live hacking competition, told The Daily Swig.

Not long after the event, French cyber awareness site Cybermalveillance.gouv.fr announced that it was going public with its bug bounty program, one that it had been running privately on the YesWeHack platform since December 2019.

Bounties awarded for high-risk and critical flaws are also set to double under the program’s public scope, The Daily Swig reported this month, alongside an interview with the Belgium-based platform intigriti, which has its sights set on global expansion.

If you’re interested in bug bounty market news, February was full of statistics related to payouts and hacker insights, as Facebook highlighted the $2 million it paid out to security researchers through its bug bounty program in 2019.

Dropbox also patted itself on the back, having doled out $1 million in cash to security researchers since its vulnerability rewards program began in 2014.

In related news, HackerOne published its 2020 Hacker Report, which found that although bug bounty payouts across the platform continue to rise, nearly two-thirds of security researchers (63%) have withheld the disclosure of security vulnerabilities on at least one occasion.

The reasons behind this were multifaceted, but the factors that stood out were fear of reprimand, lack of a clear reporting channel, and organizations being unresponsive to previous bug reports.

“I think we really need to disambiguate what people mean by the term ‘bug bounty’,” Casey Ellis, founder of Bugcrowd, told The Daily Swig in a recent chat about the uptake of IoT bug bounty programs.

“They are usually thinking about a public bug bounty, which definitely is the last line of defense.”


The latest bug bounty programs for February 2020

February saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Celo

Program provider: HackerOne

Program type: Private bug bounty

Max reward: $15,000

Outline: Celo, an open banking platform, puts forward a private bug bounty program, with four of its domains in scope.

Notes: Quick responses to bug submissions and rewards based on the Common Vulnerability Scoring System (CVSS) are among Celo’s promises.

Visit the Celo bug bounty page at HackerOne for more info

Evernote

Program provider: HackerOne

Program type: Private bug bounty

Max reward: Undisclosed

Outline: The note-taking app has launched a private bug bounty program with few details aside from an expanded list of vulnerabilities it considers out of scope.

Notes: Evernote pitches itself as uber responsive, with plans to triage bugs within 10 business days of a successful report submission.

Visit the Evernote bug bounty page at HackerOne for more info

Google API Security Rewards Program

Program provider: HackerOne

Program type: Public bug bounty

Minimum reward: $50

Outline: Google has added another bug bounty program to its repertoire. Security researchers can now report vulnerabilities found in third-party applications accessing OAuth Restricted Scope.

Notes: “Developers of OAuth apps using restricted scopes, with more than 50,000 users, are automatically enrolled into the program after they have passed the security assessment requirement,” outlines the program. Theft of insecure private data through unauthorized access reaps a $1,000 reward. Vulnerabilities must be reported to the relevant app developer first.

Visit the Google API Security Rewards Program at HackerOne for more info

Kindred Group

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Online gambling operator Kindred Group has entered the bug bounty scene with HackerOne, putting its two platforms, which host brands like Unibet, bingo.com, iGame, and MariaCasino, in scope.

Notes: Remote code execution, SQL injection, and other critical bugs pay $2,500. Less severe vulnerabilities, such as Flash-based reflected XSS or captcha bypass, generate a $150 reward.

Visit the Kindred Group bug bounty page at HackerOne for full program details

Microsoft Azure – enhanced

Program provider: Independent

Program type: Public bug bounty

Max reward: $40,000

Outline: Microsoft’s established Azure Bounty Program has expanded its scope to include Azure Sphere, coinciding with the general availability of the IoT security platform.

Notes: “The goal of the Microsoft Bug Bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of our customers,” Microsoft says. Many low-severity issues are out of scope.

Visit the latest Microsoft blog post for full program details

Microsoft Xbox

Program provider: Independent

Program type: Public bug bounty

Max reward: $20,000

Outline: Awards range from $500 to $20,000 for vulnerabilities found in the Xbox Live network and services, although Redmond says higher payouts are possible.

Notes: In-scope vulnerabilities, each requiring a full proof-of-concept exploit, include the usual suspects: cross-site scripting, cross-site request forgery, insecure direct object references, insecure deserialization, code injection flaws, server-side code execution, significant security misconfiguration (when not caused by the user), and exploits in third-party components.

Visit the Xbox bug bounty page for full program details

Monolith

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $10,000

Outline: Ethereum-based banking alternative Monolith has linked with HackerOne to let hackers find bugs in its smart contract wallet and the internet-facing Monolith platform.

Notes: “The most important class of bugs we’re looking for are ones that would cause our users to lose their funds or have them rendered frozen and unusable within their Smart Contract Wallet,” Monolith says.

Visit the Monolith bug bounty page at HackerOne for full program details

TokenCoreX

Program provider: Independent

Program type: Public bug bounty

Max reward: $10,000

Outline: Developers at imToken, a popular cryptocurrency wallet, have launched a new bug bounty program covering the TokenCoreX library that underpins the application.

Notes: The program is a partnership with blockchain security specialists SlowMist, and covers defects in the implementation of the core encryption algorithm, along with vulnerabilities in chain-related logic code or the wallet application layer. Rewards are paid in Tether cryptocurrency, with the critical tier reserved for issues that would let an attacker steal crypto-assets.

Visit the latest imToken blog post for more info

Visma

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,500

Outline: Business software provider Visma wants security researchers to break its domains, with payouts ranging from $100 for low-impact bugs to $2,500 for those defined as critical.

Notes: Critical exploits include RCE and SQL injection. Low-rated vulnerabilities such as open redirect or application level denial-of-service also warrant payouts. “Any reports outside these categories will be triaged on a case by case basis by Security Analysts from Visma,” the company adds.

Visit the Visma bug bounty page at HackerOne for more info

Other bug bounty and VDP news

  • Katie Moussouris, quite possibly the Queen of the bug bounty, spoke on the Threatpost podcast about the challenges in implementing successful programs.
  • The Hacker News ran an interview with the Open Bug Bounty project, a non-profit that’s demonstrated significant growth over the past year.
  • Bug hunter Alex Chapman published a blog post on his transition from pen tester to full-time bounty hunter.
  • Hyatt expanded its public bug bounty program with HackerOne on the program’s one-year anniversary last month, widening its scope and raising bounties.
  • Marriott is running a vulnerability disclosure program (unpaid) with HackerOne, as are mobile banking provider bunq, Canadian banking provider Koho, photo and video editing app PicsArt, and Belgium-based REM-B Hydraulics.
  • SoundCloud’s Bugcrowd program also increased its rewards last month, now offering a maximum of $4,500 for high-priority bugs.

To have your program featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line. Read more bug bounty news from The Daily Swig.

RELATED Bug Bounty Radar // January 2020

Source link

The post #hacking | Bug Bounty Radar // The latest bug bounty programs for February 2020 appeared first on National Cyber Security.

View full post on National Cyber Security

#hacking | HackerOne awards $20,000 bug bounty after leaking session cookie to hacker

Source: National Cyber Security – Produced By Gregory Evans

Account takeover issue flagged through bug bounty platform’s own bug bounty program

Bug bounty platform HackerOne this week paid out a $20,000 bounty after a researcher was able to access other users’ vulnerability reports.

Haxta4ok00, a HackerOne community member who apparently has a track record of discovering vulnerabilities in the bug bounty platform, was engaged in a conversation with one of HackerOne’s security analysts.

In one message, the analyst copied a cURL command from a browser console and sent it to the hacker.

The analyst accidentally included a valid session cookie, which gave the hacker the ability to read whatever data the analyst had access to. This included report titles, a certain amount of metadata, and some report contents.


“Less than five per cent of HackerOne programs were impacted, and within two hours of receiving the vulnerability report, the risk was eliminated and additional preventative measures were deployed shortly after,” a HackerOne spokesperson tells The Daily Swig.

“All customers impacted were notified the same day.”

However, it took HackerOne two hours to read the report, owing to reduced staffing over the weekend.

The $20,000 cookie

Haxta4ok00 reported the vulnerability, which was treated as ‘critical’, on November 24. The bounty was awarded three days later.

“The team looked into the amount of sensitive information that could have been accessed by the account and took that under advisement when deciding on the bounty amount,” HackerOne explains in its incident report.

“This led to the decision to treat the submission as a critical vulnerability and award a $20,000 bounty.”

HackerOne says it’s carried out an audit, and that this is the first time that session cookies have been leaked.

It has also released an update that limits HackerOne employee and security analyst sessions to the IP address from which the session was started, a move that should prevent similar incidents in future.
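The IP-binding control described above, as an added example that is not HackerOne’s code: a staff session records the address it was created from, and a cookie presented from any other address is refused, so a leaked cookie cannot simply be replayed. The in-memory store, the staff flag, the revoke-on-mismatch policy and the example addresses (RFC 5737 documentation ranges) are assumptions made for this illustration.

```python
"""Bind staff sessions to the address that created them.

Added example, not HackerOne's code. Models the control described in the
article: a session cookie presented from an IP address other than the one
the session started from is rejected. The store, the staff flag and the
addresses are assumptions for this illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    origin_ip: str   # client address observed at login
    ip_bound: bool   # True for staff sessions; ordinary users may roam


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str, staff: bool) -> str:
        """Issue a fresh random token; staff sessions are pinned to client_ip."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip, ip_bound=staff)
        return token

    def authenticate(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid token, or None if unknown or replayed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if session.ip_bound and session.origin_ip != client_ip:
            # A bound cookie arriving from another address is evidence of a
            # leak. Revoking it outright (this example's policy, not
            # necessarily HackerOne's) forces the legitimate holder to log in
            # again, so the event is noticed rather than silently ignored.
            del self._sessions[token]
            return None
        return session.user


if __name__ == "__main__":
    store = SessionStore()
    analyst = store.create("analyst", "203.0.113.10", staff=True)
    print(store.authenticate(analyst, "203.0.113.10"))  # analyst
    print(store.authenticate(analyst, "198.51.100.7"))  # None: replay rejected, session revoked
    print(store.authenticate(analyst, "203.0.113.10"))  # None: original holder must log in again
```

Pinning a session to an address breaks for users whose address changes mid-session (mobile networks, NAT pools, VPN reconnects), which is why a control like this is applied to employee and analyst sessions rather than to every user; the remaining sessions still need the usual protections (HttpOnly, Secure, short lifetimes) because a cookie leaked from the same address is still replayable.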


“We’re also planning to roll out a number of smaller changes, such as warning the user when a comment seems to contain sensitive information and clarification in our policy about what to do when someone gains access to other people’s accounts,” explains HackerOne co-founder Jobert Abma.
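The leak mechanism described earlier (a cURL command copied from the browser console reproduces every request header, Cookie included) and the comment warning Jobert Abma mentions can both be illustrated with a small scanner. This is an added example, not HackerOne’s code: it parses any curl command found in a comment, reports options that carry credentials, and can redact them before the comment is posted. The sensitive header list, the set of curl options handled and the sample comment are constructed for this illustration.

```python
"""Warn before a pasted cURL command leaks a session.

Added example, not HackerOne's code. Browsers' "Copy as cURL" emits every
request header, Cookie included, so pasting the command into a report
comment hands the reader a live session. This models the comment warning
described in the article. Header names, option set and sample are assumptions.
"""
import shlex
from typing import List, Tuple

# Request headers whose values are credentials (assumed list).
SENSITIVE_HEADERS = {"cookie", "authorization", "x-csrf-token"}

# Constructed sample of a devtools "Copy as cURL" paste; the cookie value is fake.
SAMPLE_COMMENT = """Can you reproduce with exactly this request?
curl 'https://hackerone.com/reports/123456' \\
  -H 'User-Agent: Mozilla/5.0' \\
  -H 'Cookie: _h1_session=SESSION_VALUE_CONSTRUCTED; __Host-csrf=abc' \\
  --compressed
"""


def find_leaked_credentials(comment: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every credential found in curl commands."""
    findings: List[Tuple[str, str]] = []
    # Join shell line continuations so each command is parsed as one line.
    for line in comment.replace("\\\n", " ").splitlines():
        if "curl" not in line:
            continue
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a well-formed command, skip it
        i = 0
        while i < len(argv):
            opt, arg = argv[i], argv[i + 1] if i + 1 < len(argv) else None
            if opt in ("-H", "--header") and arg is not None:
                name, _, value = arg.partition(":")
                if name.strip().lower() in SENSITIVE_HEADERS:
                    findings.append((name.strip().lower(), value.strip()))
                i += 2
            elif opt in ("-b", "--cookie") and arg is not None:
                findings.append(("cookie", arg))
                i += 2
            elif opt in ("-u", "--user") and arg is not None:
                findings.append(("basic-auth", arg))
                i += 2
            else:
                i += 1
    return findings


def redact(comment: str) -> str:
    """Replace each leaked value so the command stays shareable but inert."""
    for _, value in find_leaked_credentials(comment):
        comment = comment.replace(value, "<REDACTED>")
    return comment


if __name__ == "__main__":
    for kind, value in find_leaked_credentials(SAMPLE_COMMENT):
        print(f"WARNING: comment contains a {kind} credential starting {value[:12]}...")
    print(redact(SAMPLE_COMMENT))
```

A scanner like this is a last line of defence: it only recognises the curl syntax it was taught (Unix-style quoting; the Windows cmd variant uses different quoting) and will miss a token pasted as bare text. The durable fixes are the ones in the article, binding staff sessions to an address and keeping sessions short-lived, plus the habit of stripping the Cookie line before sharing any copied request.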

Craig Young, senior security researcher at Tripwire, was one of those to be informed that their reports had been disclosed.

“While I commend HackerOne for their response, this incident is yet another reminder of a distinct risk organizations take by using managed vulnerability reporting services like Bugcrowd or HackerOne,” he says.

“The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies – or even criminal actors – to fill their arsenal.”

Though perhaps better known for facilitating bug bounty payouts on behalf of other organizations, HackerOne is no stranger to the vulnerability disclosure process.

Since going live in November 2013, the organization has awarded more than $330,000 in bounties through its own bug bounty program.

READ MORE Bug Bounty Radar // November 2019


Cyber #hacks driving ‘bug bounty’ #jobs and #programs in #corporate #America

Source: National Cyber Security News

If you have the skills to stop a cyber hacker in their tracks, you may soon be getting calls from recruiters trying to fill a new crop of jobs throughout corporate America.

Criminal data breaches are predicted to cost businesses a total of $8 trillion over the next four years, outstripping worldwide IT security spending, which is expected to be upwards of $120 billion by 2021, according to Gartner. Meanwhile, there is a shortage of talent: an anticipated 1.8 million cybersecurity jobs will be unfilled by 2022, with millennials likely to play a big role in filling them, as cited in a report from the Center for Cyber Education and Safety. These jobs will be in demand as the number of reported cybersecurity incidents (which doubled between 2016 and 2017) continues to rise. Even with expert cybersecurity firms on retainer to improve overall cyber resilience, companies are struggling to stay ahead in the battle against malicious hackers.

To help close the gap, more businesses are turning to another kind of hacker: the ‘white hats’. Through carefully implemented bug bounty programs, organizations can crowdsource the expertise of security researchers to help identify vulnerabilities in exchange for money and recognition, and fix vulnerabilities before they can be exploited.


Hackers will continue to crack Switch despite Nintendo’s Bounty Program

Source: National Cyber Security – Produced By Gregory Evans

Since last year Nintendo has run a bug bounty program on the HackerOne platform, which rewards those who find vulnerabilities in the company’s consoles and pass on the information before it is exploited by hacking communities. At first the program covered the …


Bounty platforms use ‘white hat’ hackers to prevent China’s cyber attacks

More than 800 Chinese “white hat” hackers gathered in Shenzhen, South China’s Guangdong province, on Thursday, to attend the China White Hat Conference held by 360 Business Security Group’s Butian Vulnerability Response Platform (Butian). Unlike movie-fueled myths, most of them …

Facebook Pays Indian Hackers The Most For Its Bug Bounty Program


Source: National Cyber Security – Produced By Gregory Evans


In a post yesterday, Facebook revealed that Indian cyber security pros are at the top of the list for rewards distributed under the company’s bug bounty program.
Launched in 2011, the program was created to report security flaws and bugs


Hacker publication issues $10K bounty for Donald Trump’s tax returns


Source: National Cyber Security – Produced By Gregory Evans


Donald Trump’s recent claim that a 400-pound hacker may have been responsible for breaching the Democratic National Committee has caused a bounty to be issued for the businessman’s tax returns.
The people behind an eminent hacker publication, titled 2600, announced


Hackers Steal $2 Million From Bitcoin Exchange In Hong Kong, Bounty Offered To Recover Funds

For cryptocurrency enthusiasts seeking mainstream adoption, events like this are so unhelpful. Hackers appear to have made off with the equivalent of $2 million in digital currencies from Gatecoin, according […]

US Offers Highest-Ever Cybercrime Bounty for Russian Hacker


Source: National Cyber Security – Produced By Gregory Evans

The U.S. State Department and FBI on Tuesday announced a $3 million (roughly Rs. 18 crores) reward for information leading to the arrest or conviction of Russian national Evgeniy Bogachev, the highest bounty U.S. authorities have ever offered in a cyber case.

The Federal Bureau of Investigation also issued a “Wanted” poster for Bogachev, who is charged in the United States with running a computer attack network called GameOver Zeus that allegedly stole more than $100 million (roughly Rs. 620 crores) from online bank accounts.

Bogachev has been charged by federal authorities in Pittsburgh, Pennsylvania, with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as administrator of GameOver Zeus. He also faces federal bank fraud conspiracy charges in Omaha, Nebraska, related to his alleged involvement in an earlier variant of Zeus malware known as “Jabber Zeus.”

Bureau officials said they believed Bogachev was still in Russia. He could not immediately be reached for comment.

Joseph Demarest, head of the FBI’s cyber crime division, said the agency is aware of 60 different cyber threat groups linked to nation-states. He did not identify which countries were believed to be behind these groups. Demarest said […]
