Bug Bounty Radar // The latest bug bounty programs for March 2022


New web targets for savvy hackers

Google gave vendors a pat on the back this month, with news that security vulnerabilities reported by its Project Zero team in 2021 were patched 28 days faster on average than in 2019.

Only one bug exceeded its 90-day fix deadline, with hardware and software vendors taking an average of 52 days to patch security flaws. The company credits responsible disclosure policies and fixed disclosure deadlines for the improvement.

In payout news this month, security researcher Sriram Kesavan of TG Cyberlabs netted $3,133 for his discovery that Google Groups’ unsubscribe feature could be misused to remove members from a group without their knowledge or consent. “I could have literally deleted Google employees on several official groups, even though I don’t have access to them,” he told The Daily Swig.

And a whopping $250,000 bounty went to the pseudonymous security engineer “Tree of Alpha”, who found a vulnerability in Coinbase that allowed users to “sell” currencies they did not own.

A missing logic validation check in a Retail Brokerage API endpoint allowed a user to submit trades to a specific order book from an incompatible source account, potentially allowing an attacker to steal unlimited cryptocurrency.
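As an added illustration of the bug class described above (this is not Coinbase’s code; the endpoint, the order books, the account identifiers and the balances are hypothetical constructions), the following Python shows a sell endpoint that checks the source account’s balance but not its currency, next to the same endpoint with the missing validation in place:

```python
from dataclasses import dataclass

# Constructed sample data: each order book sells one base currency for one quote currency.
ORDER_BOOKS = {"BTC-USD": ("BTC", "USD"), "ETH-USD": ("ETH", "USD")}


@dataclass
class Account:
    account_id: str
    currency: str   # the single currency this hypothetical account holds
    balance: float


def sample_accounts():
    """Fresh copies of the hypothetical accounts, so every run starts from a clean state."""
    return {
        "acct-btc": Account("acct-btc", "BTC", 1.0),
        "acct-eth": Account("acct-eth", "ETH", 10.0),
    }


class OrderRejected(ValueError):
    """Raised when the endpoint refuses a trade."""


def sell_vulnerable(accounts, order_book, source_account_id, amount):
    """Submit a sell order. The balance check passes whenever the source account
    holds 'amount' of *anything*; nothing ties the account's currency to the
    base currency of the order book, so an ETH account can 'sell' BTC on BTC-USD
    while only ETH is debited."""
    base, _quote = ORDER_BOOKS[order_book]
    acct = accounts[source_account_id]
    if amount <= 0 or acct.balance < amount:
        raise OrderRejected("insufficient balance")
    acct.balance -= amount          # debits whatever currency the account happens to hold
    return {"book": order_book, "sold": base, "amount": amount, "debited": acct.currency}


def sell_fixed(accounts, order_book, source_account_id, amount):
    """Same endpoint with the logic validation in place: the source account must
    hold the base currency of the order book it is trading on."""
    base, _quote = ORDER_BOOKS[order_book]
    acct = accounts[source_account_id]
    if acct.currency != base:
        raise OrderRejected(
            f"account {acct.account_id} holds {acct.currency}; {order_book} sells {base}")
    if amount <= 0 or acct.balance < amount:
        raise OrderRejected("insufficient balance")
    acct.balance -= amount
    return {"book": order_book, "sold": base, "amount": amount, "debited": acct.currency}


def rejects(handler, *args):
    """True if the handler refuses the order (used by the demo below)."""
    try:
        handler(*args)
    except OrderRejected:
        return True
    return False


if __name__ == "__main__":
    accts = sample_accounts()
    print("vulnerable:", sell_vulnerable(accts, "BTC-USD", "acct-eth", 5.0))
    accts = sample_accounts()
    print("fixed rejects mismatch:", rejects(sell_fixed, accts, "BTC-USD", "acct-eth", 5.0))
    print("fixed accepts match:", sell_fixed(accts, "BTC-USD", "acct-btc", 0.5))
```

The point of the fixed version is that the order book, not the client, decides which currency a sell order may draw on; a real endpoint would also verify that the caller owns the source account and apply the mirror-image check (quote currency) to buy orders.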

Meanwhile in New Zealand, the Government Communications Security Bureau (GCSB) called on government agencies to introduce vulnerability disclosure policies (VDPs). Researchers can report bugs without fear of reprisal, although no bug bounty is offered.

And finally, PortSwigger Web Security released its annual Top 10 Web Hacking Techniques report. Dependency confusion attacks topped the list, with researcher Alex Birsan using the technique to gain access to Apple, Microsoft and other high-profile companies.

Also high on the list was research by PortSwigger’s James Kettle showing that many sites that had upgraded to HTTP/2 were still vulnerable to request smuggling because their front-end servers rewrote (downgraded) requests to HTTP/1.1 in order to talk to the back-end server.
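As an added illustration of why the downgrade is where the trouble starts (this is not code from PortSwigger’s research or from any real front-end; the header names, paths and sample traffic are constructed for the demo), the following Python models a front-end that rewrites an HTTP/2 request into HTTP/1.1 bytes, once naively and once with the checks a downgrade needs, and a toy back-end parser that frames the resulting stream by Content-Length:

```python
FORBIDDEN = ("\r", "\n", "\0")
CLIENT_FRAMING = ("content-length", "transfer-encoding")


class SmugglingRisk(ValueError):
    """Raised by the safe downgrade when a request cannot be expressed unambiguously in HTTP/1.1."""


def _request_line(pseudo):
    return f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"


def downgrade_naive(pseudo, headers, body):
    """Rewrite h2 -> h1 by concatenation, forwarding every header verbatim.
    HTTP/2 frames the body length itself and its header values are binary-safe,
    so a client-supplied content-length or a CRLF inside a value is harmless on
    the front-end but reframes the request once it is HTTP/1.1 on the back-end."""
    head = [_request_line(pseudo), f"Host: {pseudo[':authority']}"]
    head += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1") + body


def downgrade_safe(pseudo, headers, body):
    """Same rewrite with the missing checks: no control characters in anything
    that becomes part of the HTTP/1.1 head, and the body length taken from the
    HTTP/2 stream rather than from any header the client sent."""
    for value in pseudo.values():
        if any(c in value for c in FORBIDDEN + (" ",)):
            raise SmugglingRisk(f"control character or space in pseudo-header {value!r}")
    head = [_request_line(pseudo), f"Host: {pseudo[':authority']}"]
    for name, value in headers:
        if any(c in name or c in value for c in FORBIDDEN):
            raise SmugglingRisk(f"control character in header {name!r}")
        if name.lower() in CLIENT_FRAMING:
            continue  # length is already known from the h2 stream; never trust client framing
        head.append(f"{name}: {value}")
    head.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1") + body


def parse_h1_stream(raw):
    """Frame a byte stream the way an HTTP/1.1 back-end would: read a head up to
    the blank line, then Content-Length bytes of body, then start the next
    request. Returns a list of (method, path, headers, body). Transfer-Encoding
    is deliberately not handled in this toy parser."""
    requests, pos = [], 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete head stays buffered
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        hdrs = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            hdrs[name.strip().lower()] = value.strip()
        length = int(hdrs.get("content-length", "0"))
        body_start = end + 4
        requests.append((method, path, hdrs, raw[body_start:body_start + length]))
        pos = body_start + length
    return requests


def downgrade_rejected(pseudo, headers, body):
    """True if the safe downgrade refuses the request."""
    try:
        downgrade_safe(pseudo, headers, body)
    except SmugglingRisk:
        return True
    return False


# Constructed sample traffic: a POST whose body is itself an HTTP/1.1 request for an
# internal path, sent with a client-supplied content-length of 0.
PSEUDO = {":method": "POST", ":path": "/comment", ":authority": "example.test"}
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"
H2CL_HEADERS = [("content-length", "0"), ("user-agent", "demo")]
# The same outcome reached through a CRLF sequence inside a header value.
CRLF_HEADERS = [("x-forwarded-for", "1.2.3.4\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal")]


if __name__ == "__main__":
    for label, hdrs, body in (("h2 content-length", H2CL_HEADERS, SMUGGLED),
                              ("header CRLF", CRLF_HEADERS, b"")):
        seen = parse_h1_stream(downgrade_naive(PSEUDO, hdrs, body))
        print(f"naive, {label}: back-end sees {len(seen)} request(s):",
              [(m, p) for m, p, _, _ in seen])
        print(f"safe,  {label}: rejected={downgrade_rejected(PSEUDO, hdrs, body)}")
```

Run stand-alone, the naive rewrite turns one HTTP/2 request into two HTTP/1.1 requests on the back-end for both inputs, while the safe rewrite either refuses the request or re-frames it with a Content-Length it computed itself, so the embedded `GET /admin` stays inside the body where it belongs.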


The Latest Bug Bounty Programs for March 2022

Last month saw the arrival of several new bug bounty programs. Here is a list of recent entries:

Cardano – updated

Program provider:
HackerOne

Type of program:
Public bug bounty

Maximum reward:
$20,000

Outline:
Cardano is a public blockchain platform, founded in 2015. As part of a six-week promotion, the Cardano Foundation is offering to double its bug bounty payments to researchers.

Remarks:
Bug bounty hunters who discover critical vulnerabilities in the Cardano Node can earn rewards of up to $20,000, starting February 14. Critical vulnerabilities involving the Cardano wallet could yield up to $15,000.

Check out the Cardano bug bounty page on HackerOne for more details

Cloudflare – updated

Program provider:
HackerOne

Type of program:
Public bug bounty

Maximum reward:
$3,000

Outline:
Cloudflare, the content delivery network and DDoS mitigation technology provider, has taken its previously invite-only bug bounty program public, as previously reported.

Remarks:
Prior to going public, Cloudflare and its bug bounty provider refined the program’s documentation and guidance to improve report quality and reduce false alarms, which had been a particular issue in the early stages of Cloudflare’s invite-only program.

Check out the Cloudflare bug bounty page on HackerOne for more details

Coinstore

Program provider:
HackenProof

Type of program:
Public bug bounty

Maximum reward:
$10,000

Outline:
Coinstore describes itself as a “financial arcade” for cryptocurrency. Vulnerabilities in its website, API, and mobile apps are all within the scope of its recently introduced bug bounty program.

Remarks:
Payment manipulation, business logic issues, and a wide range of web security issues are also in scope.

Check out the Coinstore bug bounty page on HackenProof for more details

Databricks

Program provider:
HackerOne

Type of program:
Public bug bounty

Maximum reward:
$5,000

Outline:
Databricks markets a cloud-based data warehousing platform for enterprise customers. Rewards are based on severity as assessed by CVSS.

Because the platform is itself a remote code execution environment, RCE vulnerabilities are generally out of the program’s scope, except where they violate the security guarantees offered by the platform.

Remarks:
Databricks wants to hear about many other common classes of web security vulnerability, including privilege escalation, insecure direct object reference (IDOR) bugs, and access control issues.

Check out the Databricks bug bounty page on HackerOne for more details

ExpressVPN – updated

Program provider:
Bugcrowd

Type of program:
Public bug bounty

Maximum reward:
$10,000

Outline:
Virtual private network (VPN) technology provider ExpressVPN has increased its incentives for security researchers. Rewards are offered to researchers who can demonstrate “unauthorized access, remote code execution, IP address leak, or the ability to monitor unencrypted (non-VPN-encrypted) user traffic.”

Remarks:
Payouts for validated vulnerabilities range from $150 to $2,500 per bug, depending on the severity of the vulnerability demonstrated. The first person to demonstrate a valid vulnerability in the categories above will be eligible to claim a $100,000 bonus.

Check out the ExpressVPN bug bounty page on Bugcrowd for more information

Intel – updated

Program provider:
Intigriti

Type of program:
Public bug bounty

Maximum reward:
$100,000

Outline:
Intel has expanded its established bug bounty program with “Project Circuit Breaker”.

Remarks:
Vulnerabilities in “firmware, hypervisors, GPUs, chipsets, etc.” are within scope.

Check out the Intel bug bounty page on Intigriti for more information

Kiteworks

Program provider:
Bugcrowd

Type of program:
Public bug bounty

Maximum reward:
$50,000

Outline:
Kiteworks – the enterprise technology provider formerly known as Accellion – offers file sharing and collaboration technology for businesses.

Remarks:
The highest payouts under the company’s new bug bounty program will go to researchers who discover remote code execution or privilege-escalation-to-root/admin vulnerabilities. Lesser vulnerabilities are eligible for lower payouts on a sliding scale, with the lowest tier paying up to $250.

Check out the Kiteworks bug bounty page on Bugcrowd for more information

Lachain.io

Program provider:
HackenProof

Type of program:
Public bug bounty

Maximum reward:
$1,500

Outline:
Decentralized finance technology provider Lachain.io has opened a new bug bounty program. Vulnerabilities in scope include payment manipulation, business logic issues, and a wide range of web security flaws.

Remarks:
Rewards are offered for SQL injection, remote code execution, and server-side request forgery (SSRF) flaws, among others.

Check out the Lachain.io bug bounty page on HackenProof for more information

MakerDAO – updated

Program provider:
Immunefi

Type of program:
Public bug bounty

Maximum reward:
$10,000,000

Outline:
Cryptocurrency firm MakerDAO has launched a bug bounty program offering maximum payouts of $10 million, as previously reported by The Daily Swig.

Remarks:
Vulnerabilities in its smart contract technology are likely to earn the biggest rewards, but bugs in MakerDAO’s website and apps are also in scope.

Check out the MakerDAO bug bounty page on Immunefi for more information

Pandora (smart contract and web)

Program provider:
HackenProof

Type of program:
Public bug bounty

Maximum reward:
$50,000 (smart contract), $8,000 (web)

Outline:
Decentralized finance technology provider Pandora has launched two related bug bounty programs covering its web infrastructure and its smart contract technology respectively.

Remarks:
Pandora describes itself as a “next generation decentralized ecosystem that aims to redefine and disrupt decentralized finance through AMM, NFT and GameFi”.

Check out the Pandora Web and Pandora Smart Contracts bug bounty pages on HackenProof for more information


Other bug bounty and VDP news this month

  • Intigriti will host a free virtual bug bounty conference on March 12. The conference will feature 10 speakers and a 24-hour capture the flag contest.
  • European bug bounty platform YesWeHack continues its strong growth trajectory, with annual revenues more than doubling globally over the past 12 months. More than 35,000 hackers now operate on the platform.
  • UPS, Alohi and Defensible launched unpaid vulnerability disclosure programs (VDPs) on HackerOne.
  • The Microsoft Security Response Center expanded its researcher recognition program, with the company making improvements to its Researcher Ranking and Program Guidelines for hackers.
  • HackenProof launched ‘Hacken Cyber Army’, which aims to help the citizens of Ukraine during the conflict taking place on its soil.

Additional reporting by Emma Woollacott and James Walker.

PREVIOUS EDITION: Bug Bounty Radar // February 2022
