Bug Bounty Blog

Q3 2017

BugBountyBlog.com — sponsored by HackerOne — provides chief information security officers (CISOs) and IT security teams with a quarterly diary of noteworthy bug bounty activity.

Bug bounty programs grow in popularity, hospitals join the fray

Payouts to ethical hackers and security researchers are trending up

Kacy Zurkus

Menlo Park, Calif. – Oct. 3, 2017

More government agencies and private companies are jumping aboard the bug bounty platforms, though some major enterprises—specifically Apple—are trying to avoid paying fair market value for disclosures.

Hospitals are reluctantly getting involved with bug bounty programs, motivated by growing breach activity in the healthcare sector.

As bug bounty programs become more mainstream, the industry might have to educate the public about the value of awarding hefty payouts to ethical hackers.

Google partnered with HackerOne to launch a bug bounty program for apps on Google Play — as the gaming sector continues its push to engage outsiders for security help.

September

Sep. 27. Patrick Wardle, chief security researcher at Synack, discovered a bug that exposes keychain passwords, but Apple couldn’t get a fix into macOS version 10.13. The good news is that the exploit only works if the computer is already infected with malicious code.

Sep. 26. At SOURCE Seattle 2017, bug bounty programs will be at the heart of the session “Building a Collaborative & Social Application Security Program,” by Joe Basirico, VP of services, Security Innovation.

Sep. 21. Startups that made it to India’s Tech30 list for “making it matter” include AppSecure India, co-founded by Anand Prakash (India’s top bug bounty hunter).

Sep. 20. An impressive change to the payout scale will add protection to Ethereum Foundation as they test the Ropsten environment. They’ll be doubling down on bug bounty awards to help prevent denial of service attacks.

Sep. 18. Though it was only supposed to last until June of 2017, Microsoft has decided not to close down its bug bounty program. They’ve extended their hunt for zero-day flaws in Microsoft Office Insider on Windows until the end of the year.

Sep. 15. Bug bounty platforms lend a hand to Ed Foudil, a web developer and security researcher who is hoping to standardize a file (security.txt) that webmasters can host at their domain root to detail their security policies.

Sep. 13. Bug bounty rewards range from hundreds to hundreds of thousands of dollars, but Zerodium has promised a payout of up to $1 million to researchers who can not only find bugs but also develop exploitation techniques for Tor.

Sep. 13. A push for bipartisan support to build a better cybersecurity posture in the age of cyberwarfare comes with the “Hack DHS Act”. The bill advocates for the development of a bug bounty program using highly vetted computer security specialists.

Sep. 11. Having launched a bug bounty program for Android in early 2017, Google gained credibility as a company committed to security. The latest announcement of a security feature that notifies Chrome users of man-in-the-middle attacks is another step in the direction of improved security.

Sep. 11. Only weeks after the US Army dropped DJI, the Chinese drone company has announced a bug bounty reward of up to $30,000 to anyone who finds security flaws in their flight control software.

Sep. 8. The lag time between bugs reported to the Open Bug Bounty and issues resolved may not have had anything to do with the Equifax breach, but web application vulnerabilities certainly did. When companies make responsible disclosure a challenge for ethical hackers, they are putting their security at risk.

Sep. 7. Note to Mastercard: when a security researcher reports a blatant flaw that allows hackers to spoof your payment system, you might want to take action rather than ignore the information. Otherwise, why have a bug bounty program?

Sep. 6. Bugcrowd institutes a bug bounty project for cryptocurrency firm Dash. As bitcoin’s rival takes steps toward proactive security, financial institutions might want to take some notes.

Sep. 6. The General Services Administration’s TTS has embraced bug bounty programs and the security researchers whose expertise is invaluable to them. The Federalist website publishing service is currently the only project using the platform, but TTS has plans for expansion.

Sep. 6. Waiting until a breach occurs to think about implementing a bug bounty program is too little too late. Sony learned that lesson the hard way, unlike Google, Facebook, and different government agencies who have all benefited greatly from working with ethical hackers.

Sep. 4. With over 100,000 hackers finding more than 50,000 bugs, HackerOne is experiencing great success as a leading bug bounty platform. Also reaping the benefits of their success are the talented researchers on their platform, who collectively have earned $20 million in bounty awards.

Sep. 3. Celebrities are likely not big fans of Instagram after hackers pilfered oodles of personal data via a bug in an Instagram API. Hopefully since 2015, when they suffered another high profile hack, Instagram has been more agreeable in their relationships with researchers.

August

Aug. 31. The XSS vulnerability in WordPress WooCommerce (a level-two severity score), discovered by SiteLock’s automated scanner, has been patched.

Aug. 31. A common yet potentially weaponizable cross-site scripting (XSS) bug was discovered in the Product Vendors plugin, an add-on for the WooCommerce WordPress plugin. The parent company, WooCommerce, learned of the vulnerability through its HackerOne bug bounty program.

Aug. 29. HackerOne CEO Marten Mickos talks about the value of investing in bug bounties and vulnerability coordination. Relying on ethical hackers to report vulnerabilities before they are exploited allows companies to work on quick security fixes.

Aug. 28. Part of being a good leader is letting go of ego and knowing when to play to your strengths and allow others to do the same. Casey Ellis has taken Bugcrowd a long way, and now he’s hired a new CEO. Ellis will continue to grow rapidly with the company as chairman and CTO.

Aug. 26. After having its social media pages hacked and being held hostage by hackers who repeatedly threatened to leak the contents of the 1.5 TB of information they stole from HBO, the executives at HBO might want to think more proactively about their security and invest in an actual bug bounty program.

Aug. 24. There are many challenges to securing connected cars. To address the concerns over gaping security flaws, ATIS has offered an end-to-end security framework. The framework addresses collaboration and discusses a potential connected vehicle bug bounty program.

Aug. 23. The success of the Hack the Air Force, the Pentagon’s third bug bounty program, is the subject of this audio news segment with Federal News Radio.

Aug. 23. Mashable seems to misunderstand the bug bounty program, reporting that Zerodium is willing to pay out bounties in exchange for access to devices. Calling the bug bounty program “sketchy”, they also warn users to value their privacy.

Aug. 23. The hackers known as Mr. Smith Group threaten to release the season 7 finale of Game of Thrones. HBO takes a firm stance with the media, arguing that it won’t respond every time the hackers release tidbits to the press. It was also reported that HBO offered the group a $250,000 bug bounty, which some might call hush money instead.

Aug. 21. Despite having a bug bounty program, game developer Unity cautioned users about a flaw in the Windows game editor. Still in question is who found the flaw.

Aug. 16. While bug bounty platforms may vary in some of their policies, all of them will have rules for responsible disclosure. Carnegie Mellon University established a “Guide to Coordinated Vulnerability Disclosure”, authored by experts at the CERT Coordination Center.

Aug. 16. When teenagers go bug hunting, they might just stumble upon a small fortune. High school student Ezequiel Pereira was bored when he started poking around, but he ended up discovering a bug in Google’s App Engine server and received a $10k reward.

Aug. 16. It’s not only important for companies to develop their own bug bounty programs. To defend against exploit packages in the wild, you need to know about the security practices of every vendor down your supply chain.

Aug. 16. Notable preventative and proactive security measures have unfortunately been ignored in InfoSec. SMBs can build stronger defenses against hacks and malware with a proactive security posture that includes having clear policies for updates, incident response, and bug bounty programs.

Aug. 10. Celebrating the most successful bug bounty program in the Department of Defense (DoD), the “Hack the Air Force” program awarded more than $130,000 for the disclosure of 207 security flaws.

Aug. 10. The Technology Transformation Service (TTS) steps in line with other government agencies and launches a bug bounty program with rewards of up to $5,000, using the HackerOne SaaS bug reporting platform.

Aug. 9. Yes, bug bounty programs are growing in popularity, but some sectors are still hesitant about inviting hackers onto their networks. More hospital security teams are taking the plunge after suffering some large scale breaches. They are advised to partner with established platforms rather than try to go it alone.

Aug. 9. Bug bounty programs are becoming more mainstream, but some companies don’t want to reveal they are working with hackers to find vulnerabilities. Bugcrowd launched a hybrid program for an unnamed company with payouts as high as $250,000.

Aug. 9. Questions continue as many want to understand the government’s purchase of malware through third parties and its vulnerability disclosures—or lack thereof. It’s troubling that earnings on the black market far surpass those of the private sector and government agency bug bounty programs.

Aug. 7. Famed British bug hunter Marcus Hutchins—hailed as a hero in the spring—has been arrested by US law enforcement. Hutchins pleaded not guilty to the charges of allegedly creating and selling the Kronos banking trojan.

Aug. 7. For those companies that don’t have a bug bounty program, like DJI of China, profits may drop. The U.S. Army has stopped using DJI drones over growing concerns about cyber vulnerabilities in the products.

Aug. 4. HackerOne has led the bug bounty market, but India’s most accomplished hacker hopes to build a rival. Best known for his disclosure of Facebook’s account takeover bug, Anand Prakash has the name power to create a widely successful home-grown platform.

Aug. 4. The Dash altcoin has grown rapidly and demonstrated strong security, which they plan to maintain. To that end, they’ve joined forces with Bugcrowd to gather an elite group of hackers to hack its blockchain.

Aug. 2. At Def Con 2017, ethical hackers express concerns about Russia’s election meddling and the strict regulations that make offensive hacking a criminal offense. As more government agencies see the benefits of bug bounty programs, these regulations will hopefully change to let hackers work for the good of security.

July

Jul. 27. At Black Hat 2017, a panel of security professionals share their thoughts on bug bounty programs, their value, and best practices for disclosure.

Jul. 26. In an unprecedented move toward crime prevention, the National Crime Agency (NCA) has launched a rehabilitation program for hackers. Seven teenagers caught committing cyber crimes attended the first camp where they learned about bug bounty programs.

Jul. 21. To improve open-source security, the Internet Bug Bounty (IBB) raised funding to increase payouts to security researchers who disclose open source vulnerabilities.

Jul. 18. Intent is noted as the key difference between countries using computers to spy and those using them to foment cyber war. Gen. Keith Alexander, a former NSA director, weighed in on many controversial and unorthodox approaches to cyber defense—including bug bounty programs—at the Brainstorm Tech conference in Aspen, CO.

Jul. 13. A Southeast Asian ride-hailing company, GRAB, opened up its private bug bounty program with HackerOne. Opening the program up to the public network means that more than 100,000 hackers can now work to discover vulnerabilities.

Jul. 9. Experienced security researchers are not impressed with Apple’s bounty payout structure. They can actually make more money selling the vulnerabilities on the black market, which might motivate Apple to rethink its compensation program.

Jul. 3. As the IoT market delivers more devices, so too does it bring more bugs and security flaws. That’s why bounty hunters are earning higher payouts for disclosure of IoT vulnerabilities.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.

Q2 2017

Bug bounty programs and payouts on the rise

USAF, software vendors, and large enterprises adopt new platforms to plug vulns

Kacy Zurkus

Menlo Park, Calif. – Jul. 15, 2017

In the past few years, bug bounty programs have become increasingly popular as enterprises have seen the value in working with ethical hackers to find vulnerabilities before they are exploited in the wild.

Since the Hack the Pentagon initiative launched, the government has extended bug bounty programs to include other branches of the military, which has helped to shift the mindset about exploring bug bounty programs. Now, major enterprises and SMBs alike are looking to build relationships with certified researchers.

June

Jun. 30. Ethereum users who have embraced the Status Network Token (SNT) are invited to hunt for bugs in the company’s smart contracts and software, with major bugs and critical vulnerabilities valued at up to $50,000.

Jun. 29. A study of 800 hacker-powered programs sponsored by HackerOne reports that bounty payments are increasing, with some researchers earning an average of $50,000 a month.

Jun. 28. A new report shows huge payouts to over 60,000 security researchers as bug bounty programs show a 300 percent increase from last year among businesses with more than 500 employees.

Jun. 27. A shocking 94 percent of companies on the Forbes Global 2000 have no bug bounty programs, which means there is no established program for researchers to report any flaws that they find.

Jun. 22. In hot competition with HackerOne, Bugcrowd announced a new release to its platform that offers what they call the most advanced feature set for bug bounty management.

Jun. 21. While many enterprises established bug bounty programs on a trial basis, some—including Microsoft—see the value in continuing to pay researchers to find and report vulnerabilities.

Jun. 19. The discovery of back-end server flaws and misconfigurations earned a UK researcher $30,000 in bug bounty rewards, and he will reveal the details of the hack at this year’s Black Hat USA in Las Vegas.

Jun. 16. A security researcher earned a $10,500 bug bounty for discovering a high-severity sandbox escape bug in a new version of Chrome for Windows, Mac, and Linux desktop systems.

Jun. 15. Whether it’s a platform with HackerOne or Bugcrowd, more enterprises like Centrify—who will award up to $3,000 per vulnerability—are launching bug bounty programs.

Jun. 8. Bug bounty programs are reportedly not working effectively to solve the security issues created by mobile, IoT, and irresponsible software developers. According to a High-Tech Bridge report, enterprises need to do more than offer cash rewards to address application security threats.

Jun. 7. While India is home to some of the top white hat hackers in the world, few Indian companies are proactive about their security. It’s reported that even fewer bug hunters in India are recognized for their work.

Jun. 6. The Department of Homeland Security agrees to review legislation that would develop a bug bounty program, awarding ethical hackers for discovering vulnerabilities in DHS networks.

Jun. 5. Recognizing that agencies like DHS and DoD are constantly under attack, Ohio Senator Rob Portman introduces legislation for a pilot bug bounty program inviting white hat hackers to search for flaws without consequence of criminal charges if they follow the rules and agree to a background check.

Jun. 3. Google increases its cash reward to pay up to $200,000 in hopes of attracting the most highly skilled security researchers to its Android Security Rewards program.

May

May 31. HackerOne’s chief technology officer talks about what factors determine the payout on a vulnerability disclosure, noting that it’s not always black market value that drives the reward.

May 30. Despite not receiving a bug bounty for disclosing a technical loophole in Air India’s website, bug hunter Kanishk Sajnani did receive a hamper full of HackerOne swag.

May 29. Though bug bounty programs are now commonplace, there are some companies that still fail to fix vulnerabilities reported by ethical hackers. When those hackers come from India, which has the world’s largest population of ethical hackers, it’s a good idea to take heed.

May 28. A career as an ethical hacker promises to award thousands of dollars to skilled researchers who enjoy trying to break into networks and find flaws before the bad guys exploit them.

May 26. Legislation for developing a bug bounty program to test for security vulnerabilities in the federal government, the Hack DHS Act, has been introduced by Sens. Maggie Hassan and Rob Portman.

May 24. Twitter avoided a potential hack when it was able to fix a flaw reported by a bug hunter, who earned $7,560 just days after reporting the issue through HackerOne.

May 19. Zomato was lucky to have the keen eye of an ethical hacker back in 2015, but they might have avoided the 2017 breach in which hackers stole 17 million user records if they had continued to participate in a bug bounty program.

May 19. In exchange for agreeing to run a bug bounty program, Zomato received assurance that the stolen data would be destroyed. The food and restaurant search engine that was compromised had direct communication with the attacker and negotiated a deal.

May 18. An exploit that was worth only a few thousand dollars a few years ago may now be valued ten times higher in the growing market of exploit brokers—the buying and selling of vulnerabilities.

May 18. Cross-site scripting bugs were patched in a new version of WordPress, which was released only one day after the company announced it had launched a bug bounty program with HackerOne.

May 18. Penn State launched a pilot bug bounty program, driven in large part by a graduate of the College of Information Sciences and Technology who realized students could both help to protect the school’s systems and learn from real-life experience. Only approved students may participate.

May 17. Casey Ellis, founder and CEO of Bugcrowd, talks about bug bounty programs—what makes them successful, how to determine awards, and what to expect as the concept grows more mainstream.

May 16. Though many branches of the military and federal government have jumped on the bug bounty bandwagon, the Air Force program is the largest one yet with payouts of tens of thousands of dollars.

May 12. A federal civilian agency joins forces with HackerOne, making the General Services Administration (GSA) the first to partner with the private sector in establishing a bug bounty program.

May 10. Yahoo! recognized the necessary risk and opted to develop a bug bounty program three years ago. To date, they’ve paid over $2 million, with one hunter earning $7,000 for finding the flaw in Flickr.

May 5. A United Airlines bounty hunter and Georgia Tech graduate earned a spot in the university’s headlines after donating 5 million miles of his bounty earnings to his alma mater. Current students and organizations participating in charity work across the globe will benefit from his generous gift.

May 5. HackerOne, a leading bug bounty program organizer, declines to do business with Flexispy, a software maker that offers a surveillance application to spy on spouses and kids.

May 2. A firmware update fixed a privilege escalation vulnerability discovered by a bug hunter through Intel’s bug bounty program.

May 1. In addition to the Hack the Pentagon program, the U.S. Department of Defense (DoD) launched a “Hack the Air Force” challenge, but given the concerns over Russian hacking groups, Russia was not invited to compete in the challenge.

April

Apr. 26. The Air Force is another branch of the federal government open to developing bug bounty programs to reward hackers for discovering potentially dangerous flaws.

Apr. 26. The Defense Department’s hacking competition opens up the pool of registered hackers to include those from foreign countries.

Apr. 24. Though not all companies are on board with hiring hackers to find vulnerabilities, Sophos has joined forces with Bugcrowd to formalize its pre-existing Responsible Disclosure Program.

Apr. 21. Expect to see an expansion of the Hack the Pentagon bug bounty program to include searching for vulnerabilities in critical infrastructure.

Apr. 15. A second phase for Kaspersky Lab’s bug bounty program kicks off, offering greater reward to both individuals and organizations who discover remote code execution bugs.

Apr. 12. White hat hackers were hired by the Defense Department to search through critical systems and snuff out any bugs as part of the Hack the Pentagon program.

Apr. 11. A look inside the life of a hacker for hire who became one of HackerOne’s best UK researchers at only 17 years old.

Apr. 7. Security industry leaders call for altruism in bug bounty programs, calling on researchers to use their skills for good, offering pro-bono pen testing. In exchange, they challenged the companies to make charitable donations.

Apr. 5. Google’s $200,000 Project Zero Prize went unclaimed as no researchers were able to submit valid entries to the company’s bug bounty contest.