Published on June 23rd, 2019
Bug Bounty Radar // Feb 2019
New web targets for the discerning hacker
Earlier this month, the Swiss government announced it was inviting hackers to test its electronic voting system for vulnerabilities, in a move aimed at improving the security and integrity of the country’s electoral process.
The initiative was unveiled by Swiss Post, Switzerland’s national postal service and the organization tasked with deploying and managing the country’s e-voting platform.
Ahead of the system’s planned nationwide rollout, a “public intrusion test” is taking place between February 25 and March 24. A range of cash prizes is on offer for successful pen testers.
While the move marks another development for government-led bug bounties in Europe, some security experts have criticized the program, telling Motherboard the system is a “poorly constructed and convoluted maze” that would prove extremely difficult to audit effectively.
Across the Atlantic, the US Census Bureau will join the growing number of agencies that offer a bug bounty program, as it looks to ramp up security ahead of the 2020 population count.
According to Federal News Network, DHS will coordinate with the intelligence community to launch census-specific threat support.
In payout news, Google has published a review of its Vulnerability Reward Program (VRP) for 2018. The tech giant awarded a total of $3.4 million to 317 researchers last year.
Ezequiel Pereira, the 18-year-old researcher from Uruguay who discovered a critical bug in the Google App Engine, received a special mention.
And from one young researcher to another, the 14-year-old boy who disclosed a glitch in Apple’s FaceTime video calling platform may be in line for a bug bounty.
According to CNBC, a high-level Apple executive flew out to the boy’s home in Tucson, Arizona, to thank the youngster in person.
February saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:
Alliance of American Football
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$3,000
Outline:
The Alliance of American Football (AAF) is a professional American football league that began play on February 9, 2019. Billing itself as a “dynamic alliance between players, fans, and the game”, the league lets fans live stream games via a free app while accessing fantasy sports betting options.
This new sports platform has partnered with HackerOne to offer a bug bounty program covering all of AAF’s web-facing properties.
Notes:
Denial of service attacks are in scope, but researchers have been warned that any attacks that result in a disruption of production services are strictly out of bounds. “If possible, test denial of service attacks on hackerone.aaf.com subdomains instead,” the organization said.
Visit the AAF bug bounty page at HackerOne for more info
Deezer
Program provider:
Yes We Hack
Program type:
Public bug bounty
Max reward:
€1,000
Outline:
Deezer is an online music streaming service. The company’s new bug bounty program through Yes We Hack is currently limited in scope, although qualifying vulnerabilities in deezer.com, api.deezer.com, and others, include RCE, SQLi, CSRF, stored XSS, and privilege escalation.
Visit the Deezer bug bounty page at Yes We Hack for more info
GitHub (enhanced)
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$30,000+
Outline:
GitHub has made significant amendments to its bug bounty program, which celebrates its fifth anniversary in 2019.
Payouts have been increased at all levels (low, medium, high, and critical), and the bounty scope has been expanded to reward vulnerabilities discovered in all web-facing properties under the github.com, githubapp.com, and github.net domains.
The Git repo manager has also added a new set of legal safe harbor terms to its site policy.
Notes:
Commenting on the expanded rewards program, GitHub spokesperson Philip Turnbull said: “Over the past five years, we have been continuously impressed by the hard work and ingenuity of our researchers. Last year was no different and we were glad to pay out $165,000 to researchers from our public bug bounty program in 2018.”
Although $30,000 has been listed as the maximum guideline amount for critical vulnerabilities, the company said it is reserving the right to reward “significantly more” for “truly cutting-edge research”.
Microsoft announced its acquisition of GitHub in June 2018.
Visit the GitHub bug bounty page at HackerOne for more info
Kuna Crypto Exchange
Program provider:
Hacken Proof
Program type:
Public bug bounty
Max reward:
$5,000
Outline:
Kuna Crypto Exchange is a Ukrainian cryptocurrency exchange. Targets under the organization’s new bug bounty program include the main kuna.io site and api.kuna.io.
Notes:
“In some cases, we may reward other best practice or defense in depth reports at our own discretion,” the company said. “All services provided by Kuna Exchange are eligible for our bug bounty program, including the API and exchange. In general, anything which has the potential for financial loss or data breach is of sufficient severity.”
Visit the Kuna Crypto Exchange bug bounty page at Hacken Proof for more info
Magento (enhanced)
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$10,000
Outline:
Adobe-owned Magento is a cloud-based e-commerce platform with an open source ecosystem. New changes are coming for vulnerability reporters, as the company shifts its bug bounty program to HackerOne with “faster payments… quicker reviews and responses… and alignment with Adobe for future endeavors”.
Notes:
Magento’s enhanced bug bounty program offers a wealth of targets under a tiered payout structure. Top of the list is the prospect of $10,000 for critical vulnerabilities discovered in the Magento 2 Commerce, Commerce B2B, and open source platforms.
Visit the Magento bug bounty page at HackerOne for more info
Postmates
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$1,500
Outline:
Postmates is an on-demand delivery platform that connects customers with local couriers.
The San Francisco-based company’s new public bug bounty program is rewarding researchers for discovering flaws across numerous domains, along with its Android and iOS apps.
Notes:
In less than a month since Postmates launched its bug bounty program, the organization has paid out nearly $30,000.
Visit the Postmates bug bounty page at HackerOne for more info
Semmle
Program provider:
HackerOne
Program type:
Public bug bounty
Max reward:
$2,000
Outline:
Semmle is a software engineering analytics business whose two core products, LGTM and QL, enable organizations to identify vulnerabilities in their code.
Through its public bug bounty program, Semmle is now inviting hackers to find security flaws in its own domains. The program includes a test instance of the LGTM web console.
Notes:
Commenting on its new bug bounty program, the company said: “Semmle is committed to working with the open source community and we believe in a transparent policy. As such, we strive to disclose reports once they are resolved.”
Visit the Semmle bug bounty page at HackerOne for more info
Seek
Program provider:
Bugcrowd
Program type:
Managed bug bounty
Max reward:
$10,000
Outline:
Seek is an employment and online education platform whose operations span Australia, New Zealand, China, Southeast Asia, Brazil, Mexico, Africa, and Bangladesh. Through the company’s new Bugcrowd program, researchers can net up to $10,000 for critical flaws discovered across multiple domains, including seek.com.au, along with the Seek iOS and Android apps.
Notes:
“For this program, we’re inviting researchers to test Seek’s web applications and services, with a focus on identifying security weaknesses that might lead to the compromise of our customer data (mainly, job seekers’ profiles and resumes),” the company said.
Visit the Seek bug bounty page at Bugcrowd for more info
Zilliqa
Program provider:
Bugcrowd
Program type:
Public bug bounty
Max reward:
$5,000
Outline:
Zilliqa markets itself as a “scalable and secure blockchain platform” for hosting decentralized applications. The company is now inviting researchers to test its primary public-facing assets. Rewards categories include RCE of Zilliqa node and cryptography-related security bugs.
Notes:
Discussing its new bug bounty program, the company said: “We appreciate your efforts and hard work in making the internet (and Zilliqa) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program.”
Visit the Zilliqa bug bounty page at Bugcrowd for more info
Other Bug Bounty and VDP news:
- Bugcrowd is seeking specialist security researchers to join its private bug bounty team.
- Daniel Card, owner of UK-based IT consultancy Xservus, has launched an informal Capture the Flag challenge for researchers to find targets online using Shodan. More challenges may follow if the first CTF is successful, he said.
- Chinese e-commerce giant Alibaba and video game developer InnoGames have partnered with HackerOne to implement new VDPs.
- February 1 marked the launch of Google’s Confidential Computing Challenge, a new contest that aims to foster new ideas for the future of computing. A cash prize of $15,000 is available to one lucky researcher.
- Telefónica Germany and Zynga Whitehat have implemented points-only VDPs on the Bugcrowd platform.
- And finally, researchers will be watching this year’s Pwn2Own live hacking event with interest. While much of the attention this year has focused on the new automotive category, the organizers have ramped up web browser exploit payouts in 2019. Check out our recent preview of the event, which runs from March 20-22.
To be featured in this list next month, email dailyswig@portswigger.net with “Bug Bounty Radar” in the subject line