New web targets for the discerning hacker

Bug Bounty Radar - the latest security bug bounty programs for July 2020

All good things must come to an end, and that applies to the EU-FOSSA 2 bug bounty program too, as those behind the initiative toasted its success this month.

Announcing that it had met its objectives, the EU-funded project included open source bug bounty programs, hackathons, conferences, and engagement with developer communities.

Set up in the aftermath of the 2014 Heartbleed bug, EU-FOSSA facilitated the identification of more than 200 security vulnerabilities and has paid out more than €200,000 ($227,000) in rewards.

“I would be really glad to be part of any future project at least half as successful as this one,” commented member of European Parliament Marcel Kolaja.

As one door closes, another opens, with European crowdsourced security platform YesWeHack launching a Docker-based bug bounty environment for researchers.

The Pwning Machine is equipped with an “all-in-one, customizable, and extensible suite of tools” including a DNS server, HTTP router, web server, and pipeline runner. The idea is to simplify and accelerate the process of discovering security vulnerabilities.

This month we interviewed French-Senegalese bug bounty hunter Clément Domingo, who discussed how the French have very different attitudes to reporting vulnerabilities.

“When you say, ‘I’m a hacker’, they think you want to steal their data,” he commented.

Meanwhile, Africa, he says, is at an even earlier stage of the game. “It’s quite a new topic that needs to be discussed,” Domingo said.

In payout news, Sony has awarded information security engineer Andy Nguyen $10,000 for unearthing a critical bug in the PlayStation 4 console that takes advantage of shortcomings in the WebKit browser engine.

And there was $2,500 for a duo of Iranian researchers who exploited a server-side request forgery vulnerability in the Cafe Bazaar app.

Elsewhere, researcher Kevin McSheehan netted a $1,500 bug bounty payout after disclosing a remote code execution vulnerability in popular messaging tool Slack, while Facebook has boosted its bug bounty program to offer up to $40,000 for critical vulnerabilities in its open source JavaScript engine (see below).

Finally, as this week’s Bug Bounty Radar hit the CMS, hardware wallet Ledger was warning millions of users to be wary about phishing emails, after their contact details were exposed.

The company said a researcher taking part in its bug bounty program had flagged a data breach, after which it discovered that an unauthorized third party had access to part of its e-commerce and marketing database through an exposed API key.

Ledger was adamant that the funds in users’ wallets was safe, but the incident has become another interesting example of how bug bounty programs are helping to protect end users.


The latest bug bounty programs for July 2020

July saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

AS Watson Group

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$2,500

Outline:
AS Watson Group, one of the world’s biggest health and beauty retailers, has launched the first stage of a phased bug bounty program designed to test its various e-commerce platforms for security vulnerabilities.

Notes:
The company is starting out by putting one of its most popular retail sites, Superdrug, under the spotlight. Social engineering and clickjacking attacks are out of scope for this program.

Visit the AS Watson Group bug bounty page at HackerOne for more info

Clario

Program provider:
HackerOne

Program type:
Public Bug Bounty

Max reward:
$2,000

Outline:
Clario offers a subscription-based security and privacy app that offers a bundled data breach notification, malware detection, VPN services.

Notes:
The company is offering a tiered payout structure, with critical impact vulnerabilities including exploits that result in full account takeover, remote code execution (RCE) in services with personally identifiable information, or SQL injection.

Visit the Clario bug bounty page at HackerOne for more info

Codefi

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$8,000

Outline: 
Codefi is a blockchain application suite designed to power the e-commerce and finance sectors. Through its newly launched bug bounty program via HackerOne, the organization will pay out up to $8,000 for vulnerabilities that are discovered in the platform.

Notes:
This bug bounty program comes complete with safe harbor for researchers. “Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you,” Codefi said.

Visit the Codefi bug bounty page at HackerOne for more info

CoinGecko

Program provider:
HackenProof

Program type:
Public bug bounty

Max reward:
$1,500

Outline:
CoinGecko is a cryptocurrency market analysis platform. In addition to tracking price, volume and market capitalization, the app allows users to track community growth, open source code development, major events, and on-chain metrics.

Notes: Through its new bug bounty program hosted on the HackenProof platform, CoinGecko will pay up to $1,500 for vulnerabilities discovered across the coingecko.com domain and Chrome extension, along with the accompanying iOS and Android apps.

Visit the CoinGecko bug bounty page at HackenProof for more info

Costa Coffee

Program provider:
HackerOne

Program type:
Private bug bounty

Max reward:
Undisclosed

Outline:
Popular UK coffeeshop chain Costa Coffee has launched a private bug bounty program through HackerOne.

Notes:
Details are scant for this invite-only bug bounty program, but according to Costa Coffee’s Matt Adams, the launch is part of a “multi-year security transformation” initiative.

Visit the HackerOne blog for more info

ExpressVPN – enhanced

Program provider:
Bugcrowd

Program type:
Public bug bounty

Max reward:
$2,500

Outline:
ExpressVPN has expanded its four-year-old bug bounty program to include internal employee systems and its .onion domain. The company has also included specifications of other domains, including test domains.

Notes:
Discussing the expanded program, an ExpressVPN spokesperson told The Daily Swig that the company was currently particularly interested in vulnerabilities impacting client applications, unauthorized access on its VPN servers, and vulnerabilities that may weaken or break communications in a way that exposes traffic to other users.

Visit the ExpressVPN bug bounty page at Bugcrowd for more info

Facebook – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$40,000

Outline:
Facebook has increased its bug bounty rewards for critical vulnerabilities impacting the Hermes JavaScript engine and Spark AR platform.

Notes:
“Native bug submissions have always been eligible under our bug bounty program, and to encourage further research into this area, we’ve decided to increase the payout amounts we award for verified bugs identified in Hermes,” Facebook said.

Check out our previous coverage for further details

Gate.io

Program provider:
HackenProof

Program type:
Public bug bounty

Max reward:
$3,000

Outline:
Chinese cryptocurrency exchange Gate.io is running a bug bounty program in order to identify flaws in its web infrastructure, API, desktop, and mobile apps. Qualified vulnerabilities earn payouts of between $50-$3,000.

Notes:
There are restrictions to this program, including a rule against using web application scanners for automatic vulnerability searching.

Visit the Gate.io bug bounty page at HackenProof for more info

Microsoft Windows Insider Preview – enhanced

Program provider:
Independent

Program type:
Public bug bounty

Max reward:
$100,000

Outline:
Microsoft has enhanced its Windows Insider Preview bug bounty program to offer higher rewards. Five new scenario-based awards for “vulnerabilities that could put customer privacy and security at risk of exploitation” have been added to the Windows Insider Preview bounty.

Notes:
Additional changes made by Microsoft promise faster Windows bounty awards for eligible research, faster triage, and a revamp of the MSRC Researcher Portal.

Visit the Microsoft security blog for more info

Ozon

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$1,337

Outline:
Russian e-commerce platform Ozon has set up a bug bounty program in order to root out server-side application security flaws in its web infrastructure.

Notes:
Reports on issues including broken authentication, sensitive data exposure, broken access control, and other classes of flaw from the OWASP Top 10 are welcomed.

Visit the Ozon bug bounty page at HackerOne for more info.

PrestaShop

Program provider:
YesWeHack

Program type:
Public bug bounty

Max reward:
$1,000

Outline:
Open source e-commerce software provider PrestaShop has launched a bug bounty program through YesWeHack. The program targets PrestaShop’s core and proprietary modules.

Notes:
Qualifying flaws include unprotected APIs, remote code execution exploits, and cross-site scripting vulnerabilities with a demonstrable business impact.

Visit the PrestaShop bug bounty page at YesWeHack for more info

Tencent – temporary enhancement

Program provider:
HackerOne

Program type:
Public bug bounty

Max reward:
$140,000

Outline:
Chinese internet giant Tencent has launched a limited time bug bounty program focused on identifying flaws in its own server and IoT operating system.

Notes:
The scheme, run through HackerOne, started in June and ends in late December 2020.

Visit the Tencent bug bounty page at HackerOne for more info


Other bug bounty news this month:

  • GitHub has posted details of its latest ‘CodeQL and Chill’ capture the flag (CTF) event. Indian researcher Kanav Gupta came out on top of this hackathon, which focused on Java-based code execution exploits.
  • Apple has announced it will start to loan out “hacker-friendly” iPhones under the new Security Research Device Program. “The SRD is intended for use in a controlled setting for security research only,” the company said. “Shell access is available, and you’ll be able to run any tools and choose your entitlements.”
  • As part of its “ongoing commitment to information security community projects”, Offensive Security has acquired VulnHub, a provider of offline virtual machines that allows hackers to refine their skills.
  • Crowdsourced pen testing platform Synack has announced the launch of Synack Acropolis, a new program that recognizes researchers who have produced “sustained exceptional quality work”.
  • Nintendo appears to have dropped the 3DS from its HackerOne bug bounty program.
  • Rockset, FINRA, Gener8, and SMTP2GO have all launched (unpaid) vulnerability disclosure programs through HackerOne.
  • Pwn2Own Toyko 2020 will be held virtually, Trend Micro’s Zero Day Initiative has confirmed. The event is slated to take place on November 3-5.
  • French CTF teams AperiKube and SentryWhale won YesWeHack’s 2020 ESAIP Hack Challenge.
  • And finally, in case you missed it, check out The Daily Swig’s guide to the latest web hacking tools that were launched in the second quarter of the year.