Last month two Italian security researchers revealed they had netted more than $46,000 in bug bounties after discovering a misconfiguration vulnerability in Akamai – despite receiving nothing from Akamai itself.
The exploit, which leveraged HTTP smuggling and hop-by-hop header abuse techniques, instead achieved payouts from several of the company’s customers. These included $25,200 from PayPal and rewards from Airbnb, Hyatt Hotels, Valve, Zomato, and Goldman Sachs.
In other payout news, researcher Saajan Bhujel bagged a $10,000 bounty from GitHub after finding a way to spoof the platform’s login interface. Bypassing HTML filtering in the MathJax display engine allowed him to inject form elements and change the website’s CSS, potentially fooling users into entering credentials into a fake login page.
Apple, meanwhile, has invited researchers to apply for the Apple Security Research Device Program, with applications open until the end of November.
Successful applications will receive a Security Research Device (SRD) – a specially-fused iPhone that allows iOS security research to be carried out without having to bypass its security features. Shell access is available, and researchers can run any tools, choose their own entitlements, and customize the kernel.
Apple has also revamped its ‘Apple Security Research’ website, with researchers now able to track bug reports via real-time status updates. The program has paid out nearly $20 million in bounties since launching 2.5 years ago.
Meanwhile, the Swiss National Cyber Security Centre (NCSC) has launched a private bug bounty program that involves probing the federal government’s web applications, APIs, and critical infrastructure.
Amazon’s new hardware-focused program, managed by HackerOne, is offering rewards ranging up to $25,00 for bugs in Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware.
And finally, the US Department of Defense said it paid out a total of $75,000 in bounties for 648 bug reports submitted by 267 researchers during a hackathon that took place in July.
The latest bug bounty programs for November 2022
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Apple Security Research Device Program
Program provider:
Independent
Program type:
Private
Max reward:
$1 million
Outline:
Apple will send selected security researchers a Security Research Device (SRD), a specially fused iPhone that allows shell access, kernel customization, and iOS security research without the need to bypass security features.
Notes:
Applications can be submitted until November 30, 2022, with successful candidates receiving an SRD for 12-month renewable periods, and reports potentially eligible for rewards through the upgraded Apple Security Bounty.
Check out the Apple SRD bug bounty page for more details
Amazon
Program provider:
HackerOne
Program type:
Public
Max reward:
$25,000
Outline:
Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware, make up the 36 assets in scope under the Amazon Vulnerability Research Program.
Notes:
Rewards for bugs in services and apps range up to $20,000, while bounties for devices rise higher still to $25,000.
Check out the Amazon bug bounty page for more details
Beanstalk
Program provider:
Immunefi
Program type:
Public
Max reward:
$1.1 million
Outline:
The bug bounty program for Beanstalk – a permissionless fiat stablecoin protocol built on Ethereum – centers on smart contracts and preventing the loss of user funds.
Notes:
Beanstalk describes itself as forming “the monetary basis of an Ethereum-native, rent-free economy facilitated by the positive carry of its native fiat currency, a stablecoin called Bean”.
Check out the Beanstalk bug bounty page for more details
BigCommerce
Program provider:
Bugcrowd
Program type:
Public
Max reward:
$2,500
Outline:
A NASDAQ-listed provider of Software-as-a-Service (SaaS) ecommerce services to retailers.
Notes:
Valid targets include bigcommerce.net, bigcommerce.com, and related iOS and Android apps.
Check out the BigCommerce bug bounty page for more details
Blend Labs
Program provider:
HackerOne
Program type:
Public
Max reward:
$5,000
Outline:
Blend Labs is a provider of cloud-based software for financial services firms in the US.
Notes:
Just one target is in scope – knox.beta.blendlabs.com – with blend.com not a viable target.
Check out the Blend Labs bug bounty page for more details
Deribit
Program provider:
HackerOne
Program type:
Public
Max reward:
$6,000
Outline:
The Amsterdam-based cryptocurrency option exchange is offering between $2,500 and $6,000 for critical vulnerabilities.
Notes:
Testing is only allowed within Deribit’s test environment.
Check out the Deribit bug bounty page for more details
Jungle Smart Contract
Program provider:
HackenProof
Program type:
Private
Max reward:
$1 million
Outline:
A peer-to-peer NFT marketplace for digital goods, art, collectibles, and other virtual assets backed by the blockchain.
Notes:
Some 14 protocols are in scope.
Check out the Jungle Smart Contract bug bounty page for more details
Lido on Polkadot and Kusama
Program provider:
Immunefi
Program type:
Public
Max reward:
$2 million
Outline:
Lido, a liquid staking solution for Ethereum, has launched bug bounty programs focused on DOT (Polkadot) and KSM (Kusama).
Notes:
Smart contract bugs could command rewards of up to $2 million, while flaws in websites and applications max out at $40,000.
Check out the Lido on Polkadot and Kusama bug bounty pages for more details
Private Internet Access (PIA)
Program provider:
Bugcrowd
Program type:
Public
Max reward:
$1,250
Outline:
PIA, which already had a vulnerability disclosure program, is now incentivizing researchers to probe its technologies with rewards ranging up to $1,250.
Notes:
Priority bugs are those enabling remote code execution, unlicensed access to VPN servers, or third-party monitoring or leaking of user data.
Check out the PIA bug bounty page for more details
Rec Room
Program provider:
Bugcrowd
Program type:
Public
Max reward:
$2,500
Outline:
A video game and video game creation platform available on Windows, Xbox, PlayStation, Oculus Quest, Apple devices, and Android.
Notes:
Rec Room web application and API are in scope, but the free, cross-platform Rec Room game is the “primary target”.
Check out the Rec Room bug bounty page for more details
Redox
Program provider:
Bugcrowd
Program type:
Public
Max reward:
$5,000
Outline:
Redox technology facilitates the transferring of electronic healthcare records between organizations.
Notes:
Critical bugs ordinarily fetch rewards of between $3,000-$4500, but submissions that “reflect an understanding of the platform and can describe the vulnerability and its impact and how to resolve it clearly and concisely” could net bounties of $5,000.
Check out the Redox bug bounty page for more details
Stravito
Program provider:
Intigriti
Program type:
Public
Max reward:
Undisclosed
Outline:
The market research platform claims McDonalds, Electrolux, Comcast, and Carlsberg among its customers.
Notes:
Said Stravito founder and CEO Thor Olof Philogène: “Partnering with Intigriti, the leaders in this space, allows us to add an additional layer of stress testing to ensure we continue delivering the most robust and secure platform in our space.”
Check out the Stravito bug bounty page for more details
Swiss National Cybersecurity Centre
Program provider:
Bug Bounty Switzerland
Program type:
Private
Max reward:
Undisclosed
Outline:
The Swiss National Cybersecurity Centre (NCSC) is seeking submissions for bugs in the federal government’s web applications, APIs, and critical infrastructure.
Notes:
As previously reported by The Daily Swig, the program follows a pilot project conducted in 2021 where ethical hackers probed IT systems of the Swiss parliament and Federal Department of Foreign Affairs for security vulnerabilities.
Check out the Swiss NCSC bug bounty page for more details
Other bug bounty and VDP news this month
- HackerOne is expanding numbers of its ‘Hacker Success Managers’ to assist bug hunters, and has launched a new attack surface management platform, HackerOne Assets
- Bugcrowd is now a CVE numbering authority, and has also launched a program management platform to help customers coordinate pen test, bug bounty, VDP, and ASM assets
- European platform Intigriti has launched Hybrid Pentesting, which purports to combine the ‘pay-for-impact’ bug bounty model with the dedicated resourcing strategy of penetration testing
- YesWeHack has launched MyOpenVDP, a turnkey vulnerability disclosure program-hosting solution
- Open Bug Bounty has surpassed the milestone of notching one million web security vulnerabilities (PDF) reported and patched eight years after the platform’s launch
Copyright 2021 Associated Press. All rights reserved.
Source: https://portswigger.net/daily-swig/bug-bounty-radar-the-latest-bug-bounty-programs-for-november-2022