Bug Bounty Radar // The Latest Bug Bounty Programs For December 2021

New web targets for the discerning hacker

Best (and worst) practices for vulnerability disclosure were under the spotlight this month via an event held by Microsoft and a damning new report exploring the consumer IoT ecosystem.

During a virtual panel debate, security experts offered praise, advice, and constructive criticism around how the Microsoft Security Response Center (MSRC) and security researchers handle vulnerability reports.

Dr Nestori Syynimaa, senior principal security researcher at Secureworks, advised his peers that persistence typically pays off, recalling one occasion where an initially rejected report eventually netted him $20,000 after he persuaded MSRC to take a second look at the issue.

And Prevailion CTO Nate Warfield, an ex-MSRC staffer, cast Microsoft’s typically unhurried patching process in a sympathetic light: “You’re talking about an ecosystem that’s measured in billions of desktops and servers, so if something goes wrong, the entire world is impacted,” he said.

Pwn2Own Austin 2021 yielded a number of successful “CVSS 10-level bugs” (critical vulnerabilities), according to Brian Gorenc, who heads up Trend Micro’s Zero Day Initiative (ZDI), organizer of the annual hacking contest.

This year’s Masters of Pwn crown went to French outfit Synacktiv, who pwned the Sonos One smart speaker and a network-attached storage (NAS) device from Western Digital, among other hardware.

Total payouts exceeded $1 million for bugs that included 61 unique zero-days.

Alongside TVs, routers, and home automation devices, the 2021 edition also saw the debut of a consumer printer category.

Moving on to conventional bug bounty payouts, a URL parsing bug that earned security researcher David Schütz more than $10,000 in bug bounty rewards left an internal Google Cloud project open to server-side request forgery (SSRF) attacks.

“This issue looks like an industry-wide problem since different applications are parsing URLs based on different specs,” Schütz told The Daily Swig, adding that he’d “seen this getting fixed in products from different companies as well.”

Schütz earned three separate bounties after bypassing the original fix and then discovering that earlier versions of a proxy application containing an access token required for exploitation were still up and running.

An alarming vulnerability in Google’s GSuite dating back to 2018 made the news after the security researcher who found the flaw released details as part of a wider project to revisit his earlier Google and Microsoft bug-hunting exploits.

The long-since patched vulnerability, which allowed attackers to add themselves as super admins on any organization’s account, earned Cameron Vincent a bounty under Google’s Vulnerability Reward Program.

Meanwhile, researcher Ashish Dhone earned a $1,000 bounty reward for the discovery of a cross-site scripting (XSS) vulnerability that allowed attackers to run arbitrary JavaScript code on Chrome’s ‘New Tab’ page.

The attacker could apparently exploit the bug by sending an HTML file to the victim that contains a cross-site request forgery (CSRF), which sends a malicious JavaScript code snippet as a search query to Google.

When the user opens the file, the CSRF script runs, and the query is saved in the browser’s search history. At the point when the user opens a New Tab Page and clicks on the Google search bar, the malicious code is triggered.

Finally, IoT research from UK security firm Copper Horse has revealed that nearly four out of five consumer IoT vendors still appear to lack a vulnerability disclosure program (VDP).

Published by the IoT Security Foundation, the report also found that one in three VDPs fail to offer coordinated vulnerability disclosure, where researchers are publicly credited, involved in patching bugs, and permitted to disclose flaws post-remediation.

The latest bug bounty programs for December 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Agoric

Program provider:
HackerOne

Program type:
Public

Max reward:
$5,000

Outline:
Agoric is a JavaScript-based smart contract platform built on the Cosmos SDK.

Notes:

Agoric is adding a $250 Mainnet 1 bonus to every valid bug while it works on the next phase of the public mainnet rollout.

Check out the Agoric bug bounty page at HackerOne for more details

Bitrue

Program provider:
HackenProof

Program type:
Public

Max reward:
$1,500

Outline:
Bitrue is a cryptocurrency exchange whose purported mission is to use the blockchain and new technologies to help users worldwide access cutting-edge financial services.

Notes:
Four assets are in scope, including bitrue.com, the Bitrue API, and the Android and iOS apps.

Check out the Bitrue bug bounty page at HackenProof for more details

Bluehost

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
Powering millions of websites, Bluehost is one of the largest providers of web hosting for WordPress.

Notes:
Four web domains are in scope, and critical bugs will attract rewards in the range of $2,100 to $2,500.

Check out the Bluehost bug bounty page at Bugcrowd for more details

Boson

Program provider:
Independent

Program type:
Public

Max reward:
Undisclosed

Outline:
Boson Protocol, a decentralized infrastructure for enabling autonomous commercial exchanges of anyThing, is most interested in vulnerability reports concerning its contracts repo and user interface that could mean users lose access to their funds.

Notes:
“In the world of DeFi where millions are at stake, responsible projects put themselves up for scrutiny through their bug programs,” says Boson.

Read Boson Protocol’s Medium blog post for more details

Bullish Exchange

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$25,000

Outline:
Bullish Exchange claims to be “a powerful new exchange for digital assets that offers deep liquidity, automated market making, and industry-leading security”.

Notes:
Two domains are in scope: bugbounty.bullish.com and api.bugbounty.bullish.com.

Check out the Bullish Exchange bug bounty page at Bugcrowd for more details

Clubhouse

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
Clubhouse, the audio-based chatroom application, is particularly keen on hardening its applications against security flaws leading to access control bypasses, escalation of permissions, and disclosure of sensitive user information.

Notes:
Clubhouse said: “While many bug bounty programs promise high rewards for catastrophic-level discoveries, our approach keeps the scope broad so we can address as many bugs as possible.”

See our earlier coverage for further details.

CoinDCX

Program provider:
Bugcrowd

Program type:
Public

Max reward:
$2,500

Outline:
CoinDCX, India’s largest cryptocurrency exchange, has invited bug hunters to probe its production systems for security flaws.

Notes:
The biggest rewards will be earned for flaws that enable attackers to compromise wallets, access other users’ personal or financial data, or withdraw funds as a sub account.

Check out the CoinDCX bug bounty page at Bugcrowd for more details

Horizen

Program provider:
HackerOne

Program type:
Public

Max reward:
$10,000

Outline:
Horizen is described as “the zero-knowledge-enabled network of blockchains”, supported by its Zendoo sidechain technology that enables businesses and developers to build their own public or private blockchains.

Notes:
The Zen Blockchain Foundation, which manages the Horizen ecosystem, is offering $1,000 for ‘medium’ severity bugs, $3,000 for ‘high’ severity issues, and $10,000 for ‘critical’ vulnerabilities.

Check out the Horizen bug bounty page at HackerOne for more details

Kubernetes – temporary program

Program provider:
Google

Program type:
Public

Max reward:
$50,337 (or $250,000 for exploits that work on Android)

Outline:
For a three-month period concluding at the end of January 2022, Google is tripling payouts for its kCTF VRP, a CTF infrastructure written on top of Kubernetes.

Notes:
Google will pay $31,337 to security researchers who exploit privilege escalation in its lab environment with a patched vulnerability, and $50,337 to those who leverage a previously unpatched vulnerability or novel exploit technique.

Read the blog post announcing the news on the Google Security Blog for more details

Openware

Program provider:
HackenProof

Program type:
Public

Max reward:
$5,000

Outline:
Openware, a San Francisco-based developer of blockchain infrastructures and fintech projects, is offering between $3,000 and $5,000 for vulnerabilities that it deems critical.

Notes:
A single asset is in scope: yellow.com, a digital asset exchange platform.

Check out the Openware bug bounty page at HackenProof for more details

Vend by Lightspeed

Program provider:
HackerOne

Program type:
Public

Max reward:
$6,250

Outline:
Vend by Lightspeed, a point-of-sale, inventory management, and ecommerce platform aimed at retailers, has five assets in scope.

Notes:
The vendor is paying between $2,500 and $6,250 for critical bugs, and $750 to $2,000 for ‘high’ severity flaws.

Check out the Vend by Lightspeed bug bounty page at HackerOne for more details

Other bug bounty and VDP news this month

  • Hackers have just a few days left to take part in GitLab’s three-year bug bounty anniversary contest. Until December 3, the top contributors to the organization’s bug bounty program will be greeted with extra swag and reputation points. Payouts have also been increased across the board.
  • Sega, Auvik, and Snowplow have launched points-only vulnerability disclosure programs (VDPs) on the HackerOne platform.
  • For anyone in need of a network forensics refresher, RoseSecurity has created a capture-the-flag challenge that encourages hackers to think outside of the box while digging through obfuscated malware.
  • Increase, a decentralized social media and non-fungible token (NFT) platform, road-tested its beta version by paying out rewards of either 50 or 100 USDT (Tether) to users who found system bugs, errors, or UX/UI issues, or made compelling app design and functionality suggestions, between November 17-24.

Further reporting by James Walker.
