Bug Bounty Radar // The latest bug bounty programs for August 2022

0

New web targets for savvy hackers

Summer has arrived in the northern hemisphere, but that hasn’t halted the steady stream of new bug bounty programs hitting the market.

During the teaser for her new lockdown mode this month, Apple said vulnerabilities in new anti-spyware technology can be disclosed through its Safety bonus program. Rewards of up to $2 million are on offer.

Lockdown Mode, which will ship with iOS 16, iPadOS 16, and macOS Ventura, is described as “extreme, optional protection for the very small number of users facing serious targeted threats to their digital security.”

australia Monash University has also introduced a new bug bounty program, which aims to strengthen its defenses against a series of cyberattacks affecting the education sector.

This month, two new rewards programs for the growing digital identity market are added to the offer, such as Onfido partners with YesWeHack and India’s Adhar dips its toes in the water with a program of its own.

Aadhaar is the world’s largest digital identity program providing services to over 1.3 billion Indian residents. To participate in this new private bug bounty, hackers must apply via the UIDAI website.

The bar for entry is also high, as Aadhaar states that “applicants must be listed in the top 100 bug bounty rankings such as HackerOne, Bugcrowd, or listed in bounty programs run by reputable companies such as Microsoft , Google, Facebook, [or] Apple”.


The Latest Bug Bounty Programs for August 2022

Last month saw the arrival of several new bug bounty programs. Here is a list of recent entries:

Adhar

Program provider:
Independent

Type of program:
Private

Maximum reward:
To be determined

To present:
In an effort to secure Aadhaar data hosted in the UIDAI Central Identity Data Repository (CIDR), the UIDAI plans to launch a new bug bounty program.

Remarks:
Full application details can be found on the UIDAI website. The number of participants is limited to 20, all of whom must be Indian residents.

Check UIDAI Bug Bounty Bulletin (PDF) for more details

Apple – Lock Mode

Program provider:
Independent

Type of program:
Audience

Maximum reward:
$2 million

To present:
Apple has created a new category within the Apple Security Bounty Program to reward researchers who find workarounds to Lockdown Mode and help improve its protections.

Remarks:
Bounties have been doubled for eligible finds in lockdown mode, up to a maximum of $2 million – one of the highest maximum payouts in the industry.

See our previous coverage for more details

BKEX

Program provider:
HackenEvidence

Type of program:
Audience

Maximum reward:
$10,000

To present:
BKEX is a global digital asset trading platform, including over 1,200 cryptocurrencies.

Remarks:
The financial services company’s new bug bounty program is packed with a range of web attack vectors in scope, including remote code execution (RCE), SQL injection vulnerabilities , file inclusion and access control issues, server-side request forgery (SSRF), – site request forgery (CSRF), cross-site scripting (XSS), and directory traversal.

Check BKEX bug bounty page for more details

ClickHouse

Program provider:
Crowd of insects

Type of program:
Audience

Maximum reward:
$2,500

To present:
ClickHouse is an open-source, column-oriented OLAP database management system that allows users to generate analytical reports using real-time SQL queries. The main objective of the public program is the open source version of the ClickHouse platform.

Remarks:
“No technology is perfect, and ClickHouse believes that working with qualified security researchers around the world is crucial in identifying weaknesses in any technology,” the company said. “We are delighted that you are participating as a security researcher to help us identify vulnerabilities in our open source assets.”

Check ClickHouse bug bounty page for more details

Monash University

Program provider:
Crowd of insects

Type of program:
Audience

Maximum reward:
$2,500

To present:
Monash University in Melbourne, Australia, has launched a public bug bounty program to help keep its digital platforms secure.

Remarks:
The targeted targets include the main Monash University Web Domain and mobile applications, as well as various technologies used by the institution, including its VPN and FileShare instances.

See our previous coverage for more details

Onfido

Program provider:
YesWeHack

Type of program:
Private

Maximum reward:
To be determined

To present:
Digital identity verification company Onfido has launched a new bug bounty program, in partnership with European vulnerability disclosure platform YesWeHack.

Remarks:
Commenting on the partnership, Alex Valle, Chief Product Officer at Onfido, said, “Security and compliance are critical to our mission to create a more open world, where identity is key to online access, and we We are always looking for ways to strengthen this.”

See our previous coverage for more details

SideFX

Program provider:
HackerOne

Type of program:
Audience

Maximum reward:
$3,000

To present:
Canada-based SideFX is the developer of Houdini, a 3D animation software application used in film, television, advertising and video games.

Remarks:
Only vulnerabilities discovered in the company’s primary web domain, sidefx.com, are applicable under this new bug bounty program.

Check SideFX bug bounty page for more details

ZB Web

Program provider:
HackenEvidence

Type of program:
Audience

Maximum reward:
$5,000

To present:
Founded in 2013, ZB.com is a global digital trading platform, facilitating the exchange and management of digital assets from all corners of the globe.

Remarks:
Affected web vulnerabilities include business logic issues, payment manipulation, RCE, SQL injection, access control issues, SSRF, CSRF, XSS and other vulnerabilities with “obvious potential loss”.

Check ZBWeb bug bounty page for more details


Other bug bounty and VDP news this month

  • HackerOne revealed details of an incident involving a former employee accused of accessing internal data for personal financial gain.
  • come on daddy, Trellisand loyalty launched Vulnerability Disclosure Programs (VDP) (unpaid).
  • Advertising platform developer and social media company Meta released its first ‘bug report‘, which includes details of some of the notable discoveries identified in its own code and in third-party code.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for July 2022

Share.

Comments are closed.