New web targets for the discerning hacker

Earlier this month, the Swiss government announced it was inviting hackers to test its electronic voting system for vulnerabilities, in a move aimed at improving the security and integrity of the country’s electoral process.

The initiative was unveiled by Swiss Post – Switzerland’s national postal service and the organization tasked with deploying and managing the country’s e-voting platform.

Ahead of the system’s planned nationwide rollout, a “public intrusion test” is taking place between February 25 and March 24. A range of cash prizes are on offer for successful pen testers.

While the move marks another development for government-led bug bounties in Europe, some security experts have criticized the program, telling Motherboard the system is a “poorly constructed and convoluted maze” that would prove extremely difficult to audit effectively.

Across the Atlantic, the US Census Bureau will join the growing number of agencies that offer a bug bounty program, as it looks to ramp up security ahead of the 2020 population count.

According to Federal News Network, DHS will coordinate with the intelligence community to launch census-specific threat support.

In payout news, Google has published a review of its vulnerability reward program (VDP) in 2018. The tech giant awarded a total of $3.4 million to 317 researchers last year.

Ezequiel Pereira, the 18-year-old researcher from Uruguay who discovered a critical bug in the Google App Engine, received a special mention.

And from one young researcher to another, the 14-year-old boy who disclosed a glitch in Apple’s FaceTime video calling platform may be in line for a bug bounty.

According to CNBC, a high-level Apple executive flew out to the boy’s home in Tucson, Arizona, to thank the youngster in person.

February saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

Alliance of American Football

Program provider:

HackerOne

Program type:

Public bug bounty

Max reward:

$3,000

Outline:

The Alliance of American Football (AAF) is a professional American football league that began play on February 9, 2019. Fuelled by a “dynamic alliance between players, fans, and the game”, fans can live stream football games via a free app while accessing fantasy sports betting options.

This new sports platform has partnered with HackerOne to offer a bug bounty program covering all of AAF’s web-facing properties.

Notes:

Denial of service attacks are in scope, but researchers have been warned that any attacks that result in a disruption of production services are strictly out of bounds. “If possible, test denial of service attacks on hackerone.aaf.com subdomains instead,” the organization said.

Visit the AAF bug bounty page at HackerOne for more info

Deezer

Program provider:

Yes We Hack

Program type:

Public bug bounty

Max reward:

€1,000

Outline:

Deezer is an online music streaming service. The company’s new bug bounty program through Yes We Hack is currently limited in scope, although qualifying vulnerabilities in deezer.com, api.deezer.com, and others, include RCE, SQLi, CSRF, stored XSS, and privilege escalation.

Visit the Deezer bug bounty page at Yes We Hack for more info

GitHub (enhanced)

Program provider:

HackerOne

Program type:

Public bug bounty

Max reward:

$30,000+

Outline:

GitHub has made significant amendments to its bug bounty program, which celebrates its fifth anniversary in 2019.

Payouts have been increased at all levels (low, medium, high, and critical), and the bounty scope has been expanded to reward vulnerabilities discovered in all web-facing properties under the github.com, githubapp.com, and github.net domains.

The Git repo manager has also added a new set of legal safe harbor terms to its site policy.

Notes:

Commenting on the expanded rewards program, GitHub spokesperson Philip Turnbull said: “Over the past five years, we have been continuously impressed by the hard work and ingenuity of our researchers. Last year was no different and we were glad to pay out $165,000 to researchers from our public bug bounty program in 2018.”

Although $30,000 has been listed as maximum guideline amount for critical vulnerabilities, the company said it is reserving the right to reward “significantly more” for “truly cutting-edge research”.

GitHub was acquired by Microsoft in June 2018.

Visit the GitHub bug bounty page at HackerOne for more info

Kuna Crypto Exchange

Program provider:

Hacken Proof

Program type:

Public bug bounty

Max reward:

$5,000

Outline:

Kuna Crypto Exchange is a Ukrainian cryptocurrency exchange. Targets under the organization’s new bug bounty program include the main kuna.io site and api.kuna.io.

Notes:

“In some cases, we may reward other best practice or defense in depth reports at our own discretion,” the company said. “All services provided by Kuna Exchange are eligible for our bug bounty program, including the API and exchange. In general, anything which has the potential for financial loss or data breach is of sufficient severity.”

Visit the Kuna Crypto Exchange bug bounty page at Hacken Proof for more info

Magento (enhanced)

Program provider:

HackerOne

Program type:

Public bug bounty

Max reward:

$10,000

Outline:

Adobe-owned Magento is a cloud-based e-commerce platform with an open source ecosystem. New changes are coming for vulnerability reporters, as the company shifts its bug bounty program to HackerOne with “faster payments… quicker reviews and responses… and alignment with Adobe for future endeavors”.

Notes:

Magento’s enhanced bug bounty program offers a wealth of targets under a tiered payout structure. Top of the list is the prospect of $10,000 for critical vulnerabilities discovered in the Magento 2 Commerce, Commerce B2B, and open source platforms.

Visit the Magento bug bounty page at HackerOne for more info

Postmates

Program provider:

HackerOne

Program type:

Public bug bounty

Max reward:

$1,500

Outline:

Postmates is an on-demand delivery platform that connects customers with local couriers.

The San Francisco-based company’s new public bug bounty program is rewarding researchers for discovering flaws across numerous domains, along with its Android and iOS apps.

Notes:

In less than a month since Postmates launched its bug bounty program, the organization has paid out nearly $30,000.

Visit the Postmates bug bounty page at HackerOne for more info

Semmle

Program provider:

HackerOne

Program type:

Public bug bounty

Max reward:

$2,000

Outline:

Semmle is a software engineering analytics business whose two core products – LGTM and QL – enable organizations to identify vulnerabilities in their code.

Through its public bug bounty program, Semmle is now inviting hackers to find security flaws in its own domains. The program includes a test instance of the LGTM web console.

Notes:

Commenting on its new bug bounty program, the company said: “Semmle is committed to working with the open source community and we believe in a transparent policy. As such, we strive to disclose reports once they are resolved.”

Visit the Semmle bug bounty page at HackerOne for more info

Seek

Program provider:

Bugcrowd

Program type:

Managed bug bounty

Max reward:

$10,000

Outline:

Seek is an employment and online education platform whose operations span Australia, New Zealand, China, Southeast Asia, Brazil, Mexico, Africa, and Bangladesh. Through the company’s new Bugcrowd program, researchers can net up to $10,000 for critical flaws discovered across multiple domains, including seek.com.au, along with the Seek iOS and Android apps.

Notes:

“For this program, we’re inviting researchers to test Seek’s web applications and services – with a focus of identifying security weaknesses that might lead to the compromise of our customer data (mainly, job seekers profiles and resumes),” the company said.

Visit the Seek bug bounty page at Bugcrowd for more info

Zilliqa

Program provider:

Bugcrowd

Program type:

Public bug bounty

Max reward:

$5,000

Outline:

Zilliqa markets itself as a “scalable and secure blockchain platform” for hosting decentralized applications. The company is now inviting researchers to test its primary public-facing assets. Rewards categories include RCE of Zilliqa node and cryptography-related security bugs.

Notes:

Discussing its new bug bounty program, the company said: “We appreciate your efforts and hard work in making the internet (and Zilliqa) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program.”

Visit the Zilliqa bug bounty page at Bugcrowd for more info

Other Bug Bounty and VDP news:

Bugcrowd is seeking specialist security researchers to join its private bug bounty team .



. Daniel Card, owner of UK-based IT consultancy Xservus, has launched an informal Capture the Flag challenge for researchers to find targets online using Shodan . More challenges may follow if the first CTF is successful, he said.

. More challenges may follow if the first CTF is successful, he said. Chinese e-commerce giant Alibaba and video game developer InnoGames have partnered with HackerOne to implement new VDPs.

and video game developer have partnered with HackerOne to implement new VDPs. February 1 marked the launch of Google’s Confidential Computing Challenge , a new contest that aims to foster new ideas for the future of computing. A cash prize of $15,000 is available to one lucky researcher.

, a new contest that aims to foster new ideas for the future of computing. A cash prize of $15,000 is available to one lucky researcher. Telefónica Germany and Zynga Whitehat have implemented points-only VDPs on the Bugcrowd platform.

and have implemented points-only VDPs on the Bugcrowd platform. And finally, researchers will be watching this year’s Pwn2Own live hacking event with interest. While much of the attention this year has focused on the new automotive category, the organizers have ramped up web browser exploit payouts in 2019. Check out our recent preview of the event, which runs from March 20-22.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line

RELATED Bug Bounty Radar // Jan 2019