Bug Bounty Blog

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q2 2017

BugBountyBlog.com — sponsored by HackerOne — provides chief information security officers (CISOs) and IT security teams with a quarterly diary of noteworthy bug bounty activity.

FIRST EDITION

Bug bounty programs and payouts on the rise

USAF, software vendors, and large enterprises adopt new platforms to plug vulns

Kacy Zurkus

Menlo Park, Calif. – Jul. 15, 2017

In the past few years, bug bounty programs have become increasingly popular as enterprises have seen the value in working with ethical hackers to find vulnerabilities before they are exploited in the wild.

Since the Hack the Pentagon initiative launched, the government has extended bug bounty programs to include other branches of the military, which has helped to shift the mindset about exploring bug bounty programs. Now, major enterprises and SMBs alike are looking to build relationships with certified researchers.

BUG BOUNTY DIARY

June

Jun. 30. Ethereum users who have embraced the Status Network Token (SNT) are invited to hunt for bugs in the company’s smart contracts and software, with major bugs and critical vulnerabilities valued at up to $50,000.

Jun. 29. A study of 800 hacker-powered programs sponsored by HackerOne reports that bounty payments are increasing, with some researchers earning an average of $50,000 a month.

Jun. 28. New report shows huge payouts to over 60,000 security researchers as bug bounty programs show a 300 percent increase from last year among businesses with more than 500 employees.

Jun. 27. A shocking 94 percent of companies on the Forbes Global 2000 have no bug bounty programs, which means there is no established program for researchers to report any flaws that they find.

Jun. 22. In hot competition with HackerOne, Bugcrowd announced a new release of its platform that offers what it calls the most advanced feature set for bug bounty management.

Jun. 21. While many enterprises established bug bounty programs on a trial basis, some—including Microsoft—see the value in continuing to pay researchers to find and report vulnerabilities.

Jun. 19. The discovery of back-end server flaws and misconfigurations earned a UK researcher $30,000 in bug bounty rewards, and he will reveal the details of the hack at this year’s Black Hat USA in Las Vegas.

RELATED: HackerOne–The Vulnerability Coordination & Bug Bounty Platform

Jun. 16. A security researcher earned a $10,500 bug bounty for discovering a high-severity sandbox escape bug in a new version of Chrome for Windows, Mac, and Linux desktop systems.

Jun. 15. Whether on a platform run by HackerOne or Bugcrowd, more enterprises like Centrify, which will award up to $3,000 per vulnerability, are launching bug bounty programs.

Jun. 8. Bug bounty programs are reportedly not proving effective at solving security issues in mobile and IoT applications, or at curbing careless software development. According to a High-Tech Bridge report, enterprises need to do more than offer cash rewards to address application security threats.

Jun. 7. While India is home to some of the top white hat hackers in the world, few Indian companies are proactive about their security. It’s reported that even fewer bug hunters in India are recognized for their work.

Jun. 6. Department of Homeland Security agrees to review legislation that would develop a bug bounty program, awarding ethical hackers for discovering vulnerabilities in DHS networks.

Jun. 5. Recognizing that agencies like DHS and DoD are constantly under attack, Ohio Senator Rob Portman introduces legislation for a pilot bug bounty program inviting white hat hackers to search for flaws without risk of criminal charges, provided they follow the rules and agree to a background check.

Jun. 3. Google increases its cash reward to pay up to $200,000 in hopes of attracting the most highly skilled security researchers to its Android Security Rewards program.

May

May 31. Chief technology officer for HackerOne talks about what factors determine the payout on a vulnerability disclosure, noting that it’s not always black market value that drives the reward.

May 30. Despite not receiving a bug bounty for disclosing a technical loophole in Air India’s website, bug hunter Kanishk Sajnani did receive a hamper full of HackerOne swag.

May 29. Though bug bounty programs are now commonplace, some companies still fail to fix vulnerabilities reported by ethical hackers. When those hackers come from India, which has the world's largest population of ethical hackers, companies would do well to pay attention.

May 28. A career as an ethical hacker can pay thousands of dollars to skilled researchers who enjoy trying to break into networks and find flaws before the bad guys exploit them.

May 26. Legislation to create a bug bounty program for testing federal government systems for security vulnerabilities, the Hack DHS Act, has been introduced by Sens. Maggie Hassan and Rob Portman.

May 24. Twitter avoided a potential hack when it was able to fix a flaw reported by a bug hunter, who earned $7,560, days after reporting the issue through HackerOne.

May 19. Zomato was lucky to have the keen eye of an ethical hacker back in 2015, but it might have avoided the 2017 breach, in which hackers stole 17 million user records, had it continued to participate in a bug bounty program.

May 19. In exchange for agreeing to run a bug bounty program, Zomato received assurance that the stolen data would be destroyed. The compromised food and restaurant search engine had been in direct communication with the attacker and negotiated a deal.

May 18. An exploit that was worth only a few thousand dollars a few years ago may now be valued ten times higher in the growing market of exploit brokers—the buying and selling of vulnerabilities.

May 18. Cross-site scripting bugs are fixed in a new version of WordPress, released only one day after the company announced it had launched a bug bounty program with HackerOne.

RELATED: Bug Bounty Program Basics for Companies–by HackerOne

May 18. Penn State launched a pilot bug bounty program, driven in large part by a graduate of the College of Information Sciences and Technology who realized students could both help protect the school's systems and learn from real-life experience. Only approved students may participate.

May 17. Casey Ellis, founder and CEO of Bugcrowd, talks about bug bounty programs—what makes them successful, how to determine awards, and what to expect as the concept grows more mainstream.

May 16. Though many branches of the military and federal government have jumped on the bug bounty bandwagon, the Air Force program is the largest one yet with payouts of tens of thousands of dollars.

May 12. A federal civilian agency joins forces with HackerOne, making the General Services Administration (GSA) the first to partner with the private sector in establishing a bug bounty program.

May 10. Yahoo! accepted the risk and opted to develop a bug bounty program three years ago. To date, it has paid over $2 million, with one hunter earning $7,000 for finding a flaw in Flickr.

May 5. A United Airlines bounty hunter and Georgia Tech graduate earned a spot in the university's headlines after donating 5 million miles of his bounty earnings to his alma mater. Current students and organizations participating in charity work across the globe will benefit from his generous gift.

May 5. HackerOne, a leading bug bounty program organizer, declines to do business with Flexispy, a software maker that offers surveillance applications for spying on spouses and kids.

May 2. A firmware update fixed a privilege escalation vulnerability discovered by a bug hunter through Intel’s bug bounty program.

May 1. In addition to the Hack the Pentagon program, the U.S. Department of Defense (DoD) launched a "Hack the Air Force" challenge, but given the concerns over Russian hacking groups, Russia was not invited to compete.

April

Apr. 26. The Air Force is another branch of the federal government open to developing bug bounty programs to reward hackers for discovering potentially dangerous flaws.

Apr. 26. The Defense Department’s hacking competition opens up the pool of registered hackers to include those from foreign countries.

Apr. 24. Though not all companies are on board with hiring hackers to find vulnerabilities, Sophos has joined forces with Bugcrowd to formalize its pre-existing Responsible Disclosure Program.

Apr. 21. Expect to see an expansion of the Hack the Pentagon bug bounty program to include searching for vulnerabilities in critical infrastructure.

RELATED: Hack. Earn. Learn. Join the HackerOne Community of hackers, developers, and more.

Apr. 15. A second phase of Kaspersky Lab's bug bounty program kicks off, offering greater rewards to both individuals and organizations that discover remote code execution bugs.

Apr. 12. White hat hackers are hired by the Defense Department to search through critical systems and snuff out bugs as part of the Hack the Pentagon program.

Apr. 11. A look inside the life of a hacker for hire who became one of HackerOne’s best UK researchers at only 17 years old.

Apr. 7. Security industry leaders call for altruism in bug bounty programs, urging researchers to use their skills for good and offer pro bono pen testing. In exchange, they challenged companies to make charitable donations.

Apr. 5. Google’s $200,000 Project Zero Prize went unclaimed as no researchers were able to submit valid entries to the company’s bug bounty contest.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.


© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.