Bug Bounty Radar // The latest bug bounty programs for October 2021


New web targets for the sophisticated hacker

Apple’s bug bounty program has been the subject of some damning criticism this month, after the Washington Post interviewed two dozen security researchers about their experiences probing its products for vulnerabilities.

They claimed that Apple was slower to pay than most organizations, had poor communication, and was slow to fix bugs once they were reported.

The world’s most valuable tech company also paid significantly less than other tech giants, they said. Luta Security CEO Katie Moussouris described Apple’s crowdsourced security offering as “a bug bounty program where the house always wins.”

VMware has also come under criticism in recent weeks, amid accusations that it disclosed an exploit for a critical vulnerability in Atlassian’s Confluence that was identical to one previously submitted by the accuser. The company said it investigated the allegations and found no supporting evidence.

It was a better month for OWASP, which celebrated its 20th anniversary by announcing its top 10 web security vulnerabilities for 2021. The list put broken access control as the biggest threat, followed by cryptographic failures, injection, and insecure design.

In browser security news, Opera’s chief product security officer Cezary Cerekwicki highlighted the benefits of its private and public bug bounty programs when The Daily Swig asked about the browser’s privacy and security features.

We spoke to Cerekwicki as part of an overview of the privacy and security features of major web browsers. New features are expected in Chrome, Firefox, Opera and DuckDuckGo.

In other Opera news, the browser fixed a My Flow vulnerability that allowed bug bounty hunter ‘Renwa’ to escalate from XSS to full RCE – and earn an $8,000 bounty for their trouble.

And finally, a new Chrome browser extension has been released to help bounty hunters find secret keys in JavaScript code. Truffle Security’s open source TruffleHog extension has already unearthed an AWS key buried in the code on the homepage of weather.com, a domain that has received more than 740 million visitors in the past six months.


The latest bug bounty programs for October 2021

The past month has seen the arrival of several new bug bounty programs. Here is a list of the latest entries:

Consensys

Program provider:
HackerOne

Type of program:
Public

Maximum reward:
$3,000

Scope:
The Ethereum software company Consensys has seven assets in scope and offers $3,000 for critical bugs and $1,000 for high severity vulnerabilities.

Remarks:
Consensys says: “Our suite of products, consisting of Infura, Quorum, Truffle, Codefi, MetaMask and Diligence, serves millions of users, supports billions of blockchain-based queries for our customers, and has handled billions of dollars in digital assets.”

Check the Consensys bug bounty page at HackerOne for more details

EazyBI

Program provider:
Bugcrowd

Type of program:
Public

Maximum reward:
$1,500

Scope:
EazyBI is a reporting application for Jira and Confluence, available on Server, Data Center, and Cloud. It makes it easy to build custom reports, charts, and dashboard gadgets via drag-and-drop.

Remarks:
The new EazyBI bug bounty program, which is part of the larger Atlassian Marketplace Bounty Program, offers rewards of up to $1,500 for discovering a range of vulnerabilities, including remote code execution, server-side request forgery, XSS, cross-site request forgery, SQL injection, HTML injection, and path traversal issues.

Visit the EazyBI bug bounty page at Bugcrowd for more information

Finnish Ministry of Foreign Affairs

Program provider:
Hackrfi

Type of program:
Public

Maximum reward:
€5,000 ($5,800)

Scope:
The Finnish Ministry of Foreign Affairs has invited ethical hackers to search for security holes in its government online services.

Remarks:
Rewards range from €100 to €5,000.

Check the Ministry’s bug bounty page at Hackrfi for more details

Liechtenstein Crypto-Asset Exchange (LCX)

Program provider:
HackenProof

Type of program:
Public

Maximum reward:
$3,000

Scope:
Two assets are in scope, *.LCX.com and the LCX Exchange API, with critical bounties of between $1,500 and $3,000 and high severity bounties of $900 to $1,200.

Remarks:
LCX has obtained eight crypto-related registrations from the Liechtenstein Financial Markets Authority and has introduced a comprehensive crypto compliance suite.

Check the LCX bug bounty page at HackenProof for more details

Nimbus

Program provider:
HackenProof

Type of program:
Public

Maximum reward:
$10,000

Scope:
Decentralized finance (DeFi) platform Nimbus pays $5,000 to $10,000 for critical flaws in its smart contracts, while high severity bugs will net researchers between $2,000 and $5,000.

Remarks:
Nimbus describes itself as “a DAO-driven platform offering users 16 income strategies based on lending and borrowing, classic IPO participation, seed funding, staking, etc.”

Check the Nimbus bug bounty page at HackenProof for more details

Polkalokr

Program provider:
HackenProof

Type of program:
Public

Maximum reward:
$5,000

Scope:
Polkalokr, a multi-chain token escrow platform, has urged bug hunters to probe bridgr-testnet.polkalokr.com for business logic flaws, payment manipulation, RCE, SQLi, file inclusion, access control issues, sensitive information leaks, SSRF, and other vulnerabilities with obvious potential for loss.

Remarks:
Critical vulnerabilities attract bounties of between $3,000 and $5,000, while high severity bugs will see rewards in the range of $1,500 to $3,000.

Check the Polkalokr bug bounty page at HackenProof for more details

Singapore Government Technology Agency (GovTech)

Program provider:
HackerOne

Type of program:
Private

Maximum reward:
$150,000

Scope:
The Singapore government’s digital arm is offering up to $5,000 per bug, except for “vulnerabilities that could have an exceptional impact”, where the cap is $150,000.

Remarks:
Eligible white hats – those with “HackerOne Clear” status – can request an invite through HackerOne. The Singapore government launched its first bug bounty program in 2018, also with HackerOne, focusing on securing public-facing government websites.

See our previous coverage for more details

SnapNames

Program provider:
Bugcrowd

Type of program:
Public

Maximum reward:
$2,500

Scope:
Domain name auction site SnapNames has launched a new bug bounty program that offers rewards of up to $2,500 for critical vulnerabilities.

Remarks:
In a note to bug hunters, SnapNames reiterated that testing is only allowed on targets listed as in scope. The company has also published an HTTP header for researchers to include in test requests so that their IP addresses are not blocked.

Visit the SnapNames bug bounty page at Bugcrowd for more information

Tinder

Program provider:
HackerOne

Type of program:
Public

Maximum reward:
$10,000

Scope:
The world’s most popular dating app, and the pioneer of the “swipe right”, offers $10,000 for critical vulnerabilities, $4,000 for high severity vulnerabilities, and $1,000 for medium risk vulnerabilities.

Remarks:
Four assets are in scope: Tinder for iOS and Android, *.gotinder.com, and *.tinder.com (except for subdomains explicitly listed as out of scope).

Check the Tinder bug bounty page at HackerOne for more details

United States General Services Administration (GSA)

Program provider:
HackerOne

Type of program:
Public

Maximum reward:
$3,000

Scope:
47 assets are in scope at the GSA, a U.S. government agency that supports other federal agencies by constructing and managing government buildings, purchasing products and services, and developing government-wide policies.

Remarks:
The GSA says it “expects to evolve its structure over time and welcome[s] feedback on areas for improvement”. Critical bugs net bug hunters $3,000, while high severity flaws receive $1,000 rewards.

Check the GSA bug bounty page at HackerOne for more details

ZeroHybrid Network

Program provider:
Independent

Type of program:
Public

Maximum reward:
500 ZHT (cryptocurrency)

Scope:
Blockchain company ZeroHybrid Network has urged bug hunters to find bugs in the ZeroHybrid app; the program will end once 200,000 ZHT in rewards has been paid out.

Remarks:
ZeroHybrid Network, a decentralized trusted computing network that uses ARM-based mobile devices to provide computing power, said a critical bug would “crash the ZeroHybrid application” and affect its functionality.

See the ZeroHybrid Network blog post for more details


Other news regarding bug bounty and VDP this month

  • Google has launched a new vulnerability disclosure program (VDP) for its Tsunami security scanner.
  • Raider is a new framework designed to test authentication protocols and fill the gaps left by popular vulnerability scanning tools. The tool is the work of start-up DigeeX Security.
  • HackerOne has announced the next evolution of the Internet Bug Bounty (IBB). The updated program introduces a new pooled funding model so that more organizations can leverage the IBB to secure the open source dependencies in their software supply chains.
  • French multinational Atos has partnered with the European bug bounty platform Intigriti to release an “end-to-end bug bounty offer” for organizations.
  • Bugcrowd has appealed to security researchers who have the specialized skills or experience needed to participate in some of the company’s private bug bounty programs.
  • Russian web hosting company Timeweb has written an interesting opinion piece (in Russian) detailing the potential pros and cons of running a bug bounty program.

Introduction by Emma Woollacott. Additional words by Adam Bannister and James Walker.
