New web targets for the discerning hacker

Google has ramped up the bug bounties on offer for flaws impacting Chromium and Google Play.

This month, the tech giant announced it was doubling payouts for “high-quality” reports from $15,000 to $30,000 and tripling baseline rewards for Chrome security bugs to $15,000.

There’s also now a whopping $150,000 on offer for those who can demonstrate a full-chain Chrome OS exploit, up from $100,000.

A high-quality report, Google says, should include a proof-of-concept exploit, analysis that helps determine the root cause, and a suggested patch.

Meanwhile, over at Microsoft there’s a new bug bounty program for the Dynamics 365 enterprise resource planning (ERP) and customer relationship management (CRM) applications.

Rewards range between $500 and $20,000 – or even more, depending on the impact and severity of the bug, along with the quality of the vulnerability report.

Elsewhere, Uber has been handing out bounties – $375,000 in total – at a live hacking event held in London, in partnership with HackerOne.

Individual amounts ranged from $500 to $50,000, with British hacker @TomNomNom picking up the ‘Most Valuable Hacker’ award.

More recently, Bugcrowd and Atlassian hosted a Bug Bash in San Francisco over the weekend.

More than $224,000 in rewards were paid out during the live hacking event. Check out the leaderboard for more details.

In other payout news this month, we’ve seen security researcher Sam Curry discover a blind cross-site scripting (XSS) vulnerability on Tesla’s website, and a new CAPTCHA attack that earned its discoverer a $1,000 bounty bonus for creativity.

Meanwhile, Chennai-based security researcher Laxman Muthiyah has netted $30,000 for spotting a flaw in photo-sharing app Instagram that he says allowed him to pwn any account without permission.

July saw the arrival of several new bug bounty programs. Here’s a roundup of the latest targets:

Arkose Labs

Program provider: Bugcrowd

Program type: Private bug bounty

Max reward: $5,600

Outline:

Fraud prevention technology firm Arkose Labs has launched a new private bug bounty program through Bugcrowd. As expected for a private program, few details have been released to the public.

Notes:

This new initiative joins Arkose’s existing public rewards program, which was rolled out last year. Through the new private bug bounty program, the company said it will “gain access to Bugcrowd’s Elite Crowd, and is able to tailor its testing pool… to help eliminate account takeover attacks, fake user registrations, and other types of fraud and application abuse.”

Visit the Arkose Labs bug bounty page at Bugcrowd for more info on the existing public program

AT&T

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,000

Outline:

US tech conglomerate AT&T has launched a new, public bug bounty program through HackerOne. The program applies to security vulnerabilities found in the organization’s website, exposed APIs, and mobile applications.

Notes:

According to AT&T, rewards will be considered for any vulnerability that could “realistically” place the security of the company, its customers, or the public at large at risk.

Visit the AT&T bug bounty page at HackerOne for more info

GovTech/CSA – Singapore (temporary program)

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $10,000

Outline:

Following successful prior programs with Government Technology Agency of Singapore (GovTech) and MINDEF Singapore, the Singapore government has announced its third bug bounty program, launched in partnership with HackerOne. This latest program will see GovTech and the Cyber Security Agency of Singapore (CSA) work with hackers from around the world to help protect the nation’s citizens by testing public-facing government systems.

Notes:

This temporary bug bounty program runs through August 31. “GovTech and the Singapore government are among the world’s leaders in cybersecurity,” said Paul Griffin, director of program management at HackerOne.

“Tapping the skilled and global hacker community is the most efficient way to approach security testing. The latest bug bounty program continues to signal momentum in the constant battle against malicious actors on the internet.”

Check out the GovTech press release at HackerOne for more info

Maker Ecosystem Growth Holdings

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $50,000+

Outline:

Maker Ecosystem Growth Holdings is the company behind Dai, a digital currency based on the Ethereum blockchain. The company is promising bumper rewards for any critical vulnerability that could allow an attacker to steal collateral tokens.

Notes:

Exploits must be accompanied by a working proof of concept, the company said.

Visit the Maker Ecosystem bug bounty page at HackerOne for more info

Refereum

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $2,000

Outline:

Gaming rewards platform Refereum has launched a public bug bounty program through HackerOne. Payouts range from $150 for low-impact bugs, up to $2,000 for those rated as ‘critical’. Vulnerability rankings are based on CVSS scores.

Notes:

Clickjacking, content spoofing, denial-of-service, and man-in-the-middle attacks are strictly out of scope.

Visit the Refereum bug bounty page at HackerOne for more info

Tlon Corporation

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $10,000

Outline:

Tlon Corp is the team behind the Urbit project, a privacy-focused personal cloud server that’s said to act as a digital passport, digital vault, and digital assistant.

Notes:

The program is currently focused on Azimuth vulnerabilities.

Visit the Tlon bug bounty page at HackerOne for more info

Other bug bounty and VDP news:

Equifax and Kartpay have launched points-only vulnerability disclosure programs (VDPs) through HackerOne.

Synack Red Team member @seanmeals won the recent Synack Tesla Challenge, scooping a $50,000 reward.

Bug hunters in search of some fresh projects need look no further than researcher Ivan Rodriguez’s curated list of mobile bug bounty targets.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line

Additional reporting by Emma Woollacott
