Connect with us
X
Categories:

Technology

Bug Bounty Radar: September 2022’s newest bug bounty programs

Published

on

Bug Bounty Radar: August 2022's newest bug bounty programs
Share this post:

New web targets for the discerning hacker

The otherwise typically low-key month of August also brings infosec’s most renowned conference: Black Hat USA, which this year brought a word of warning for bug bounty hunters.

Dylan Ayrey, CEO of Truffle Security, cited a number of cases in which poor research and shoddy data governance has led to the leak of users’ personally identifiable information. In some cases, the data is still available long after the corresponding ticket has been closed, he warned.

“These privacy leaks in bug bounties are really common, and for every example that we can share publicly there are 100 examples that can’t be shared publicly,” said Ayrey.

In another, alleged example of suboptimal bug bounty practices CrowdStrike came under fire recently over its vulnerability disclosure process.

Pascal Zenker, a partner of Swiss security analyst service Modzero AG, claimed the Texas-based cybersecurity firm’s bug bounty program, run through HackerOne, is “NDA-ridden”, while the disclosure process “turned unprofessional in the end”.

CrowdStrike, however, defended its actions and countered that Modzero had not responded to attempts to “continue the dialogue” until six weeks had elapsed.

Among the most notable new bug bounty programs this month is Google’s latest VRP, this time focused on its open source projects, such as Golang, Angular, and Fuchsia.

Announced on August 30, the Open Source Software Vulnerability Rewards Program (OSS VRP) is designed to stem the rising tide of attacks against the software supply chain.

There were several notable payouts on existing Google VRPs, most notably when Alesandro Ortiz netted $20,000 from the tech giant – giving $4,000 to a collaborator – for unearthing a bug in the Chromium project. This allowed attackers to bypass site isolation protection through iFrames and popup windows to steal private information, read and modify cookies, and gain access to microphone and camera feeds, among other exploits.

Meanwhile, researcher ‘NDevT’ discovered two XSS vulnerabilities in Google Cloud, DevSite, and Google Play that could lead to account hijacks. They won $3,000 and $5,000 in bug bounties for their pains.

And there was a $5,000 payout for a third Google issue, with Adi Cohen discovering an XSS in AMP for Email that involved tricking Gmail’s dynamic email feature into a rendering context that the browser would not use to render a given piece of code.

Finally, in non-Google payout news, there were $4,000 and $5,000 rewards respectively for serious GitHub Pages and Reddit issues, while a Yahoo hackathon paid out $218,121 for 218 bug submissions related to its text search engine tool Vespa.

The latest bug bounty programs for September 2022

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Abraxas VOTING

Program provider:
Bug Bounty Switzerland

Program type:
Semi-public

Max reward:
$10,000

Outline:
VOTING will be used to manage ballots and aggregate tallied votes in Swiss elections.

Notes:
The maximum reward is around 10,000 Swiss francs, which equates to roughly the same amount in US dollars.

Apply to hack on the program via Bug Bounty Switzerland (applications may or may not be accepted)

Airlock

Program provider:
Bug Bounty Switzerland

Program type:
Semi-public

Max reward:
Undisclosed

Outline:
Airlock’s Secure Access Hub, a web application firewall (WAF), protects more than 30,000 web applications worldwide.

Notes:
“This program is built in the style of a CTF competition,” said the company.

Apply to hack on the program via Bug Bounty Switzerland (applications may or may not be accepted)

Cornershop by Uber

Program provider:
HackerOne

Program type:
Public

Max reward:
$2,500

Outline:
Uber’s on-demand grocery delivery service is offering $2,500 for critical vulnerabilities and $1,000 for high severity flaws.

Notes:
Seven assets in scope: the .cornershopapp.com website, iOS and Android apps, source code, two domains containing internal assets, and QA environment.

Ethereum – Enhanced

Program provider:
Independent

Program type:
Public

Max reward:
$1m

Outline:
Bug bounty rewards for the Ethereum blockchain have quadrupled for a two-week period – ending September 8 – when related to the network’s transition to proof-of-stake.

Notes:
The application of a fourfold multiplier to payouts means ethical hackers could earn up to $1 million for the submission of valid critical vulnerabilities.

Google OSS VRP

Program provider:
Independent

Program type:
Public

Max reward:
$31,337

Outline:
Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) focuses on the public repositories of Google-owned GitHub organizations such as GoogleAPIs and GoogleCloudPlatform, as well as their third-party dependencies.

Notes:
Ranging from $100 to $31,337, rewards will typically be higher for particularly sensitive projects – such as Bazel, Angular, Golang, Protocol buffers, and Fuchsia – and vulnerabilities that can lead to supply chain compromise.

Pogo

Program provider:
HackerOne

Program type:
Public

Max reward:
$2,000

Outline:
Pogo is a mobile app that offers users a way to leverage their personal data online in order to access earn credits and discounts for shopping, finances, and more.

Notes:
In scope are the platform’s production Android and iOS apps and API endpoint used by the mobile apps.

Proton

Program provider:
Bug Bounty Switzerland

Program type:
Semi-public

Max reward:
$30,000

Outline:
If you are accepted onto the program, privacy-preserving email service Proton “will give you early and exclusive access to not published versions of the applications and their source code”.

Notes:
Swiss platform also promises attractive bounties, “a constructive dialogue, fair rules and a legal safe harbor”.

Apply to hack on the program via Bug Bounty Switzerland (applications may or may not be accepted)

Secure Open Source Rewards

Program provider:
Independent

Program type:
Public

Max reward:
$10,000

Outline:
Developers and security researchers have been invited to suggest ways to “harden critical open source projects” by the Linux Foundation, with Google’s open source security team providing initial sponsorship.

Notes:
Rewards range from $505 for minor improvements up to $10,000 or more for “complicated, high-impact, and lasting improvements that almost certainly prevent major vulnerabilities”.

Check out our earlier coverage for more details

Starbucks – Enhanced

Program provider:
HackerOne

Program type:
Public

Max reward:
$6,000

Outline:
Bug reports that include a unique Nuclei Template to validate the finding will now earn researchers a $250 bonus.

Notes:
Launched in 2016, the Starbucks program has 36 assets in scope, approaching 1,500 resolved reports, and average payouts of $250-$500 at the time of writing.

Trendyol

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
Trendyol Group, Turkey’s largest ecommerce platform, has launched an ongoing bug bounty program after what it said was a successful, time-limited HackerOne Challenge.

Notes:
Critical bugs will command rewards ranging between $2,000-$3,000, while high severity issues will net bug hunters between $750-$1,250.

Other bug bounty and VDP news this month

  • Switzerland’s National Cyber Security Centre has announced the launch, later this year, of a new bug bounty program for the Swiss federal government following a 2021 pilot
  • Staying in Switzerland, federal postal service Swiss Post offered rewards up to 30,000 francs ($30,530) during a four-week bug bounty program that concludes today (September 2)
  • New or improved bug bounty or penetration testing tools showcased at Black Hat USA 2022 included pen test management platform AttackForge, open source recon framework ReNgine, and pen testing tools AWSGoat and AzureGoat

Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Chief Oyerigha Echo Toikumoh - The Earlier The Better
Music1 month ago

[Music] Chief Oyerigha Echo Toikumoh – The Earlier The Better

Enzo Maresca and Mikel Arteta stated they will not take Pep Guardiola's place at Manchester City
Sports1 month ago

Enzo Maresca and Mikel Arteta stated they will not take Pep Guardiola’s place at Manchester City

Alan Shearer reckons Liverpool star is ‘not going to get better’
Sports1 month ago

Alan Shearer reckons Liverpool star is ‘not going to get better’

NECO examiners threaten nationwide protest over unpaid entitlements
News1 month ago

NECO examiners threaten nationwide protest over unpaid entitlements

Jonathan congratulates Trump on historic election win
News1 month ago

Jonathan congratulates Trump on historic election win

Peter Obi can become president in 2027 — Yunusa Tanko
News1 month ago

Peter Obi can become president in 2027 — Yunusa Tanko

Dua Lipa forced to cancel show after ‘unforeseen safety issues’
Entertainment1 month ago

Dua Lipa forced to cancel show after ‘unforeseen safety issues’

Uzoamaka Onuoha wins Best Female Performance in a feature at AFRIFF 2024
Entertainment1 month ago

Uzoamaka Onuoha wins Best Female Performance in a feature at AFRIFF 2024

'Phoenix Fury' bags Best Film award at the 13th edition of AFRIFF
Entertainment1 month ago

‘Phoenix Fury’ bags Best Film award at the 13th edition of AFRIFF

Vivo begins teasing new Dimensity 9400 flagships internationally
Technology1 month ago

Vivo begins teasing new Dimensity 9400 flagships internationally

Google Pixel 11 and Pixel 11 Pro may trade performance gains for longer battery life
Technology1 month ago

Google Pixel 11 and Pixel 11 Pro may trade performance gains for longer battery life

Manchester United players warned ‘only one is safe’ under Ruben Amorim
Sports1 month ago

Manchester United players warned ‘only one is safe’ under Ruben Amorim

Austin DeAnda given impromptu makeover after he is forced to have haircut in the middle of fight
Sports1 month ago

Austin DeAnda given impromptu makeover after he is forced to have haircut in the middle of fight

IG orders punishment for errant cops
News1 month ago

IG orders punishment for errant cops

Be ready to recover stolen mandate — Ighodalo tells PDP
News1 month ago

Be ready to recover stolen mandate — Ighodalo tells PDP

No part of Ogun will be ceded under my watch — Dapo Abiodun
News1 month ago

No part of Ogun will be ceded under my watch — Dapo Abiodun

Ruger calls out auto tune and hype culture in music
Entertainment1 month ago

Ruger calls out auto tune and hype culture in music

I hate to play same role repeatedly — Actress Bimbo Akintola
Entertainment1 month ago

I hate to play same role repeatedly — Actress Bimbo Akintola

Fans split on Davido, Wizkid, and Burna Boy's Grammy nominations.
Entertainment1 month ago

Fans split on Davido, Wizkid, and Burna Boy’s Grammy nominations

Samsung Galaxy S25 Slim: Leaker reveals launch details for Samsung's rival iPhone 17 Air
Technology1 month ago

Samsung Galaxy S25 Slim: Leaker reveals launch details for Samsung’s rival iPhone 17 Air

Realme names first smartphone to get Android 15 beta worldwide
Technology1 month ago

Realme names first smartphone to get Android 15 beta worldwide

England interim manager tipped for surprise Premier League job
Sports1 month ago

England interim manager tipped for surprise Premier League job

Hakim Ziyech mocks Israeli supporters attacked in Amsterdam
Sports1 month ago

Hakim Ziyech mocks Israeli supporters attacked in Amsterdam

Court jails seven for internet fraud in Kaduna
News1 month ago

Court jails seven for internet fraud in Kaduna

Edo APC criticizes Obaseki’s last-minute appointments
News1 month ago

Edo APC criticizes Obaseki’s last-minute appointments

Edo PDP announces caretaker committee
News1 month ago

Edo PDP announces caretaker committee

Tems makes history after securing 3 nominations for the 67th Grammys
Entertainment1 month ago

Tems makes history after securing 3 nominations for the 67th Grammys

Beyoncé surpasses Jay-Z to become the most nominated artist in Grammy history
Entertainment1 month ago

Beyoncé surpasses Jay-Z to become the most nominated artist in Grammy history

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations
Entertainment1 month ago

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations
Entertainment1 month ago

2025 GRAMMY: Academy unveils category changes ahead of nomination event

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Final Episode 13)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 12)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 11)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 10)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 09)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 08)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 07)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 06)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 05)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories1 month ago

[STORY] THE PASTOR’S DAUGHTER (Episode 04)

ANE Billboard Hots



Join "ANE sabi" clique

Don't miss a thing, get ogbonge ANE latest updates to fuel your conversation daily.