WebProNews

Tag: Bug Bounty

  • Google Is Raising Its Bug Bounty Payouts

    Google is raising its bug bounty program for fuzz testing, with the maximum payout now $30,000.

    Fuzzing is an automated code-testing process that inserts random data into an application to see how it responds and surface any bugs that may exist. Until now, Google’s maximum payout for fuzz testing bugs was $20,000, but the company is significantly increasing it.

    We’ve operated this successfully for the past 5 years, and to date, the OSS-Fuzz Reward Program has awarded over $600,000 to over 65 different contributors for their help integrating new projects into OSS-Fuzz.

    These changes boost the total rewards possible per project integration from a maximum of 20,000 to 30,000 (depending on the criticality of the project). In addition, we’ve also established two new reward categories that reward wider improvements across all OSS-Fuzz projects, with up to $11,337 available per category.

    The increase is good news for security researchers and bug testers, many of whom rely on bug bounties for their income.

  • The Pentagon Has a Bug Bounty Problem

    The Pentagon has a bug bounty problem that can best be summed up with: the Pentagon is cheap.

    Bug bounties are monetary incentives that companies and organizations pay to ethical hackers who discover and report vulnerabilities before they can be exploited. The Pentagon has its own bug bounty program, but it doesn’t pay out very much.

    According to The Register, at its recent Hack US program, conducted in conjunction with HackerOne, the Pentagon only paid out $75,000 in bounties and an additional $35,000 in bonuses and awards. The Pentagon committed to paying $1,000 for critical bugs, with $5,000 being the highest possible reward.

    Compared to the bounties tech companies pay, the Pentagon’s bug bounty budget is downright anemic. As The Register points out, Microsoft has paid out as much as $200,000 for a single bounty.

    Given the sensitive nature of the information the Pentagon protects, not to mention how much it spends on physical equipment, one would think it would loosen the purse strings a bit.

  • Google Tackles Supply Chain Attacks With New Bug Bounty

    Google is tackling supply chain cybersecurity attacks with a new bug bounty program.

    Supply chain attacks involve hackers compromising the source code or service used by a range of industries and companies rather than targeting each individual organization. As a result, a single successful supply chain attack can compromise hundreds or even thousands of organizations using the service or product.

    With supply chain attacks growing in popularity, Google is looking to address the problem with a bug bounty program. Bug bounties are the payouts made to professional hackers and security experts, also known as “white hats,” who find bugs and report them to companies so they can be fixed before bad actors exploit them.

    Google posted the new bug bounty program in a blog post:

    Today, we are launching Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) to reward discoveries of vulnerabilities in Google’s open source projects. As the maintainer of major projects such as Golang, Angular, and Fuchsia, Google is among the largest contributors and users of open source in the world.

    Google made it clear that the goal of the new program was to help secure open source software supply chains.

    The addition of this new program addresses the ever more prevalent reality of rising supply chain compromises. Last year saw a 650% year-over-year increase in attacks targeting the open source supply chain, including headliner incidents like Codecov and the Log4j vulnerability that showed the destructive potential of a single open source vulnerability. Google’s OSS VRP is part of our $10B commitment to improving cybersecurity, including securing the supply chain against these types of attacks for both Google’s users and open source consumers worldwide.

    Google says payouts will range from $100 to $31,337, depending on the severity and importance of the bug, as well as whether it is particularly interesting or unusual.

  • ExpressVPN Offering One-Time $100,000 Bug Bounty

    ExpressVPN is offering a one-time, $100,000 reward to anyone who can hack its servers.

    ExpressVPN is one of the leading VPN services on the market, and is consistently recommended by many reviewers. Like a lot of companies in the tech industry, ExpressVPN offers bug bounties as a way of encouraging white hat hackers and security researchers to find bugs and report them, before they can be exploited by bad actors.

    The company is now offering a major incentive, in the form of $100,000, specifically for proof of “unauthorized access to a VPN server or remote code execution,” or vulnerabilities “that result in leaking the real IP addresses of clients or the ability to monitor user traffic.”

    Obviously, the company will require proof of the exploit in order to pay the bounty.

    In order to qualify to claim this bounty, we will require proof of impact to our user’s privacy. This will require demonstration of unauthorized access, remote code execution, IP address leakage, or the ability to monitor unencrypted (non-VPN encrypted) user traffic.

    It’s a safe bet security researchers will be eager to take a shot at ExpressVPN’s services, with that much money at stake.

  • Reddit Launches Public Bug Bounty Program

    Reddit has launched a public bug bounty program, an acknowledgment of its increased growth and visibility.

    Bug bounty programs are a popular method of tackling cybersecurity issues. Many of the world’s largest companies rely on the programs to find and address bugs and security vulnerabilities before bad actors can exploit them.

    Reddit has maintained a private program with HackerOne for the last three years, but the company is taking the next step and making it public.

    With our continued growth and visibility, we’re now ready to make the program public and expand the participation to anyone wanting to make a meaningful security impact on Reddit. As we scale the program, our priority will remain focused on protecting the privacy of our user data and identities. We know each security researcher has their own skills and perspective that they bring to the program, and we encourage anyone to submit a report that shows security impact. We’re super excited to hit this milestone and have prepared our team for what’s to come.

    Interested parties can find more information at redditinc.com or HackerOne, and submissions can be sent to whitehats@reddit.com.

  • Instagram Wasn’t Deleting User Data From Servers

    A security researcher has been awarded a bug bounty after discovering Instagram was retaining data long after he had deleted it.

    According to TechCrunch, security researcher Saugat Pokharel discovered that Instagram’s Download Your Information tool included data he had deleted over a year ago. With any online platform, deleting data on the user’s end doesn’t immediately delete it on the company’s. The information must be deleted from the entire network, including any backups, a process that usually takes a couple of months.

    In Pokharel’s case, however, when he downloaded his data, it included private direct messages and photos he had deleted over a year ago, well past any reasonable time it should have taken. He submitted the bug via Instagram’s bug bounty program and the company fixed the issue.

    An Instagram spokesperson told TechCrunch: “The researcher reported an issue where someone’s deleted Instagram images and messages would be included in a copy of their information if they used our Download Your Information tool on Instagram. We’ve fixed the issue and have seen no evidence of abuse. We thank the researcher for reporting this issue to us.”

  • Sony Announces $50,000 PlayStation Bug Bounty

    Sony has announced it will pay significant bug bounties for PlayStation 4 bugs.

    Bug bounties are an important part of the cybersecurity and software development scene. Companies pay hackers and researchers bounties to encourage them to find and report bugs and security vulnerabilities. Bounties are often high enough to provide full-time income for dedicated security researchers and hackers.

    In a blog post, Sony announced it is taking its program public.

    To date, we have been running our bug bounty program privately with some researchers. We recognize the valuable role that the research community plays in enhancing security, so we’re excited to announce our program for the broader community.

    According to the payout breakdown, PlayStation 4 bugs can pay as much as $50,000. With that kind of money on the line, it’s a safe bet Sony will have no trouble attracting help.

  • Facebook Awards Biggest Bug Bounty Payout Yet

    Back in 2011, Facebook launched its bug bounty program, in which it would pay users disclosing security bugs that have previously gone undiscovered.

    The company kindly reminded people that it wouldn’t sue them if they gave it a reasonable amount of time to respond to the report before making any information public.

    This week, the company announced that it awarded its biggest bug bounty payout ever – $33,550, which went to Reginaldo Silva.

    “In November, we were reading through incoming bug reports and came across a claim we wanted to investigate right away: arbitrary file reads,” the company said in an update on the Facebook Bug Bounty Page. “The report was well written and included proof of concept code, so we were able to reproduce the issue easily. After running the proof of concept to verify the issue, we filed an urgent task—triggering notifications to our on-call employees.”

    The issue was an XML external entity (XXE) vulnerability, which could have allowed an attacker to read arbitrary files on the web server.

    Facebook said it immediately implemented a fix by flipping a flag to cause its XML parsing library to disallow the resolution of external entities.

    The company said, “This initial fix was simple enough to fit on one line: libxml_disable_entity_loader(true);.”
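    As an added illustration (not Facebook’s code, and not taken from Silva’s writeup), the PHP helper below applies the same hardening in a reusable form: it refuses any document that declares a DTD, which is the only place entity declarations can appear, and on PHP versions that still need it flips the entity-loader flag before parsing. The function names and the two sample documents are constructed for this example.

```php
<?php
// Added example: parse untrusted XML with external entity resolution disabled.
// Not Facebook's code; function names and inputs are constructed for illustration.

// Entity declarations (internal or external) can only live inside a
// <!DOCTYPE ...> section, so rejecting any DTD up front blocks XXE before
// libxml ever sees the document. Case-insensitive on purpose: a well-formed
// document must use upper case, but a parser may tolerate other spellings.
function hasDoctype(string $xml): bool
{
    return preg_match('/<!DOCTYPE/i', $xml) === 1;
}

// Returns the parsed document, or null if it was rejected or malformed.
function parseUntrustedXml(string $xml): ?SimpleXMLElement
{
    if (hasDoctype($xml)) {
        return null;
    }
    // The one-line fix quoted in the article. PHP 8+ built against
    // libxml >= 2.9 already disables the external entity loader and
    // deprecates this call, so only invoke it on older runtimes.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    // Collect parse errors instead of emitting warnings to the output.
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network fetches during parsing. LIBXML_NOENT is
    // deliberately NOT passed: it would substitute entity references.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc === false ? null : $doc;
}

// Constructed sample inputs: a plain document and one that declares a DTD.
$benign  = '<?xml version="1.0"?><profile><name>alice</name></profile>';
$withDtd = '<?xml version="1.0"?>'
         . '<!DOCTYPE profile [<!ENTITY greet "hello">]>'
         . '<profile><name>&greet;</name></profile>';

var_dump(parseUntrustedXml($benign) !== null);  // accepted
var_dump(parseUntrustedXml($withDtd) === null); // rejected by the DTD gate
```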

    You can read Facebook’s full explanation in the post below. A link to Silva’s writeup is within.

  • Yahoo Responds To ‘T-Shirt-Gate,’ Decides To Actually Reward Security Researchers

    Earlier this week, Yahoo was making headlines for giving security researchers credit at its online corporate store as a reward for finding security vulnerabilities in Yahoo products.

    Researchers at High-Tech Bridge put out a press release calling attention to this after they were “awarded” $12.50 in store credit per vulnerability, enough to get a Yahoo-branded t-shirt or a few pairs of socks featuring Yahoo’s old, outdated logo.

    Apparently the attention did some good, as Yahoo is now offering anywhere from $150 to $15,000 in rewards. This was announced in a blog post by Yahoo’s Ramses Martinez, titled “So I’m the guy who sent the t-shirt out as a thank you.”

    He says that when he took over the team that works with the security community on issues and vulnerabilities, they didn’t have a formal process, so he wanted to give people t-shirts just to say “thank you,” thinking this would be more courteous than just an email.

    “I even bought the shirts with my own money,” he writes. “It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate so they could get another gift of their choice. The other thing people wanted was a letter they could show their boss or client. I write these letters myself.”

    He goes on to say that Yahoo was actually putting a new program into place, which would reward researchers for finding vulnerabilities, and that they were just “putting the finishing touches on the revised program, and then…’t-shirt-gate’ hit.”

    You can see his general outline of the program in the post, but essentially, the company will pay out cash rewards in the range mentioned above with the amount being determined by a “clear system based on a set of defined elements that capture the severity of the issue.”

    This should put an end to “t-shirt-gate” (I still prefer the socks angle).

    Internet security vet Graham Cluley, who earlier slammed the t-shirt practice, got a statement from High-Tech Bridge in response to Yahoo’s announcement:

    We were not doing our research for money, as we clearly said to Yahoo. However, we are glad that Yahoo is introducing a new Bug Bounty Program that will facilitate their relations with security researchers and help them improve their corporate security.

    The only unclear point I have right now is the comment from their CSO who says that he paid researchers from his own pockets. Such action definitely deserves respect, but does he get his salary in Yahoo vouchers as well?

    Either way, Yahoo’s new program should sit a lot better with security researchers, and perhaps win the company a little more respect in the field. As Cluley notes, however, there is still that matter of the recycled email addresses.