New web targets for the discerning hacker
Welcome to the first Bug Bounty Radar of 2021, back with a bang after a short hiatus. As you’ll see, we’ve launched a smart new design – but rest assured, you’ll still find the same mix of the latest bug bounty news, programs, and vulnerability write-ups.
We kicked off the year with an interview with Swiss bounty hunter ‘Xel’ – AKA Raphaël Arrouas – who shared the secrets of his success, along with tips for those just starting out.
“Focusing on impact rather than quantity allows me to dedicate more time to researching vulnerabilities in depth and learn something in the process,” he says. “And it’s worthwhile considering the payout scales, which usually vastly favor high and critical impact vulnerabilities.”
Elsewhere, bug hunter Alex Birsan netted $130,000 by showing how a novel supply chain attack allowed him to hack into systems belonging to Apple, Microsoft, PayPal, and other major tech companies.
By exploiting a vulnerability dubbed ‘dependency confusion’, he was able to execute malware inside the companies’ networks by overriding privately used dependency packages with malicious public packages of the same name.
And precisely this supply chain attack has already been seen in the wild. A developer at automated software testing specialist Qentinel reported the failure of a build pipeline when fetching internal libraries and traced the problem to suspicious packages in the Python Package Index repository. The issue was fixed a day later.
You’ll find more information on supply chain attacks in our latest deep dive on the issue, along with prevention and mitigation advice.
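The dependency confusion issue described above comes down to an installer being willing to resolve an internal package name from a public index, and to nothing in the build verifying which artifact it actually fetched. The following is an added defensive example, not code from the article or from any of the affected companies: it audits a pip requirements file for the two conditions that make the substitution possible (a public index reachable for internal names, and internal packages that are not exactly pinned and hash-locked). The `acme-` prefix for internal packages, the `pypi.internal.example` index URL and both sample requirement files are constructed for the example.

```python
"""Defensive check for dependency-confusion exposure in a pip requirements file.

Added example, not from the article or any vendor. It flags the conditions the
article describes (a private package name that the installer could also fetch
from the public index) and the missing controls that let a substituted package
through unnoticed.
"""
import re

# Assumption (constructed for this example): this organisation's private
# packages all share the prefix "acme-". Anything else is treated as an
# ordinary public dependency.
INTERNAL_PREFIX = "acme-"

# name, optional [extras], then the rest of the line (specifier, --hash options)
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


def _logical_lines(text):
    """Yield pip-style logical lines: comments stripped, backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def normalise(name):
    """PEP 503 name normalisation, so Acme_Auth and acme-auth compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text, internal_prefix=INTERNAL_PREFIX):
    """Return a list of (subject, message) findings; an empty list means no exposure found."""
    findings = []
    lines = list(_logical_lines(text))
    options = [ln for ln in lines if ln.startswith("-")]
    reqs = [ln for ln in lines if not ln.startswith("-")]

    has_private_index = any(o.startswith(("--index-url", "-i ")) for o in options)
    has_extra_index = any(o.startswith("--extra-index-url") for o in options)

    # Collect (name, remainder-of-line) for every requirement with an internal name.
    internal = []
    for line in reqs:
        m = _REQ_RE.match(line)
        if m and normalise(m.group(1)).startswith(internal_prefix):
            internal.append((m.group(1), m.group(3)))

    if internal and not has_private_index:
        findings.append(("config", "no --index-url: internal packages would be resolved from the public index"))
    if internal and has_extra_index:
        findings.append(("config",
                         "--extra-index-url merges the public index with the private one and pip "
                         "picks the highest version across both, so a public package with an "
                         "internal name can win; point --index-url at a private mirror that "
                         "proxies the public index instead"))

    for name, rest in internal:
        if "==" not in rest:
            findings.append((name, "not pinned to an exact version; a higher public version would be preferred"))
        if "--hash=" not in rest:
            findings.append((name, "no --hash pin; add hashes and install with --require-hashes "
                                   "so a substituted artifact fails verification"))
    return findings


# Constructed sample input (not a real project's file): a private index plus the
# public index as a fallback, one hashed internal package and one unpinned one.
VULNERABLE_REQUIREMENTS = """\
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
requests==2.25.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
acme-auth==2.1.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
acme-billing>=1.0
"""

# The same file with the mitigations applied: a single private index, and every
# internal package pinned to an exact version and hash-locked.
HARDENED_REQUIREMENTS = """\
--index-url https://pypi.internal.example/simple
requests==2.25.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
acme-auth==2.1.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
acme-billing==1.4.2 \\
    --hash=sha256:2222222222222222222222222222222222222222222222222222222222222222
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_REQUIREMENTS), ("hardened", HARDENED_REQUIREMENTS)):
        print(f"== {label} ==")
        for subject, message in audit_requirements(text) or [("ok", "no findings")]:
            print(f"{subject}: {message}")
```

Run against the vulnerable file the audit reports the mixed-index configuration once and the unpinned, unhashed `acme-billing` entry twice; the hardened file produces no findings. The check is deliberately conservative: it does not contact any index, so it cannot tell whether a same-named public package exists today, only whether the build would accept one if it appeared.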
In military news, the German armed forces – or ‘Bundeswehr’ – says it has received more than 60 valid reports since the start of its vulnerability disclosure program (VDP) three months ago. They included cross-site scripting (XSS), SQL injection, misconfiguration, data leakage, and open redirect bugs.
Meanwhile, DARPA – the US military’s technology R&D agency – has given an update on its own bug bounty program. The agency says it has uncovered 10 vulnerabilities, seven critical and three high, with four already patched and the others soon to be resolved.
And finally, for those who missed it, HTTP/2 (H2C) cleartext smuggling has been voted the top web hacking technique of 2020.
“Conceptually similar” to last year’s WebSocket smuggling, “request tunnelling exploitation is an emerging art so this one may be a slow burn, but we anticipate some serious carnage in future”, said James Kettle, head of research at PortSwigger Web Security.
It’ll be interesting to see which of these techniques becomes the bug hunters’ favorite in 2021.
The latest bug bounty programs for March 2021
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Aruba Networks
Program provider: Bugcrowd
Program type: Public bug bounty
Max reward: $5,000
Outline: Aruba Networks, the wireless networking subsidiary of Hewlett Packard Enterprise, has launched a new bug bounty program to help shore up the security of various products and services, including ArubaOS Controllers and Access Points, Aruba Instant, Aruba InstantOn, Aruba ClearPass Policy Manager, ArubaOS-CX, and more.
Notes: In order to exploit many of the in-scope flaws, researchers must be in possession of Aruba Access Point hardware. While these devices will not be provided, the company said it will pay up to $5,000 for the disclosure of unauthenticated vulnerabilities impacting its technology.
Visit the Aruba Networks bug bounty page at Bugcrowd for more information
Chime Financial, Inc.
Program provider: HackerOne
Program type: Public
Max reward: $10,000
Outline: Chime Financial is looking for security vulnerabilities in its bank account and money management app Chime.
Notes: There’s a fairly extensive list of out-of-scope vulnerabilities, so it’s worth checking these out before diving in. This includes denial-of-service attacks and vulnerabilities in third-party services that aren’t owned by Chime.
Visit the Chime Financial bug bounty page at HackerOne for more information
FetLife
Program provider: HackerOne
Program type: Public bug bounty
Max reward: $5,000
Outline: FetLife, a “social network for the BDSM, fetish, and kinky community”, is asking the security community to test its systems for vulnerabilities, with a particular focus on web-based exploits including SQL injection, XSS, cross-site request forgery (CSRF), and more.
Notes: “No technology is perfect, and FetLife believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology,” the company said.
Visit the FetLife bug bounty page at HackerOne for more information
FTX.US
Program provider: Hacken Proof
Program type: Public bug bounty
Max reward: $2,500
Outline: Security researchers can now try their hand at attacking FTX.US, a brand new, US-regulated cryptocurrency exchange. The company is paying up to $2,500 for vulnerabilities impacting its web and mobile apps.
Notes: “Our mission is for FTX.US to grow the digital currency ecosystem, offer US traders a platform that inspires their loyalty, and become a market leading US cryptocurrency exchange over the next two years,” the company said.
Visit the FTX.US bug bounty page at Hacken Proof for more information
LaunchDarkly
Program provider: HackerOne
Program type: Public
Max reward: $4,500
Outline: Development management tool LaunchDarkly is looking for researchers to test its programs, which are used by businesses worldwide to deploy code.
Notes: LaunchDarkly is asking for reports that include reproducible steps – any submitted without these will not be eligible for a reward. Payout figures are guidelines, and any reward is at the discretion of the company.
Visit the LaunchDarkly bug bounty page at HackerOne for more information
Matrix.org Foundation
Program provider: Intigriti
Program type: Public
Max reward: €5,000 ($6,000)
Outline: Intigriti has launched an EU-backed program for secure communications tool Matrix under a drive from the European Commission, the executive branch of the European Union, to secure critical open source software projects.
Notes: Security researchers are offered up to $6,000 for flaws, and can earn an additional 20% of their rewards if a viable patch is provided with the report.
Visit the Matrix.org Foundation bug bounty page at Intigriti for more information
O1 Labs
Program provider: HackerOne
Program type: Public
Max reward: $10,000
Outline: O1 Labs is a software development company specializing in cryptography and cryptocurrency. It is looking for any vulnerabilities that may endanger the security of its services and customers.
Notes: A number of known vulnerabilities are already listed, so it’s worth looking through them to avoid reporting duplicates. These include a DDoS vulnerability and remote persistent throwout. Also, O1 Labs has provided a list of possible bugs to be explored.
Visit the O1 bug bounty page at HackerOne for more information
Panther Labs
Program provider: HackerOne
Program type: Public
Max reward: $1,337
Outline: Panther Labs, a platform for log analysis, cloud security, and data analytics, is looking for vulnerabilities ranging from user data exposure to remote code execution (RCE).
Notes: You may notice that Panther Labs has had a little fun with its max payout figure, which is awarded for critical issues including RCE and SQL/NSQL injection.
Visit the Panther Labs bug bounty page at HackerOne for more information
Sixt
Program provider: HackerOne
Program type: Public
Max reward: $3,000-$4,000
Outline: International car rental and ride hailing platform Sixt is asking bug hunters to search for vulnerabilities in both its web platform and mobile applications.
Notes: There are two maximum payouts in this program: $3,000 for web vulnerabilities and $4,000 for security issues in the Sixt Android and iOS applications. Also, Sixt has listed numerous in-scope targets under its bug bounty program; out-of-scope targets may, however, be eligible for its vulnerability disclosure program, which can earn researchers Sixt swag.
Visit the Sixt bug bounty page at HackerOne for more information
Step
Program provider: Bugcrowd
Program type: Public bug bounty
Max reward: $4,500
Outline: Step is a financial services company that aims to provide younger generations with the tools to make budgeting, saving, and managing money easy. The company’s new bug bounty program is focused on securing the Step Android and iOS apps.
Notes: No test account has been provided, so bug hunters have been asked to sign up and create a free Step account using their own details.
Visit the Step bug bounty page at Bugcrowd for more information
Unistake Smart Contracts
Program provider: Hacken Proof
Program type: Public bug bounty
Max reward: $5,000
Outline: Unistake is a decentralized token protocol built “to empower DeFi projects and incentivize liquidity providers”. The developers are looking for security shortcomings that could lead to incorrect behavior of the smart contract and cause unintended functionality, such as loss of funds, unauthorized transactions, or reordering.
Notes: In special circumstances, the size of the bug bounty award can be increased if the researchers demonstrate how the vulnerability could be used to inflict maximum harm.
Visit the Unistake bug bounty page at Hacken Proof for more information
Other bug bounty and VDP news this month
- The Hilton hotel group, Ohio Secretary of State, Hud App, the World Health Organization’s Covid-19 mobile app, and Checkout have all launched (unpaid) VDPs through HackerOne.
- Google has launched OSV, a new service that aims to improve the company’s vulnerability triage for developers and users of open source software.
- French bug bounty platform Yogosha is hosting a 24-hour capture-the-flag competition in partnership with Kaspersky on March 13. Check out the Yogosha blog for full details.
- Infosecurity Magazine’s Phil Muncaster recently pulled focus on the growing scourge of ‘beg bounties’, which come in the form of unsolicited security vulnerability reports that are often sent to small businesses with no bug bounty program in place.
- OrderBox, Host Gator, and Web.com have launched points-only VDPs on Bugcrowd.
- As reported by Dark Reading, security researchers are pushing for a ‘bug bounty program of last resort’ to help protect the world’s most critical digital infrastructure.
- In case you missed it, we recently profiled Malvuln.com, the first website “exclusively dedicated” to revealing security vulnerabilities in malware.
Additional reporting by Jessica Haworth and James Walker.