Take a closer look at Iran’s state-sponsored hacking groups
Human error bugs increasingly making a splash, study indicates
Software supply chain attacks – everything you need to know
North Korean cyber-threat groups become top-tier adversaries
What’s in a (domain) name?
How expired web domains are helping criminal hacking campaigns
Bug Bounty Radar
The latest programs for February 2022
A schedule of events in 2022 and beyond
New web targets for the discerning hacker
We begin this month’s bug bounty round-up with news that the European Commission (EC) has launched another open source-focused program, this time dedicated to projects underpinning its public services.
Following the “remarkable success” of the EU-FOSSA program, the EC is offering bug hunters up to €5,000 ($5,600) for unearthing vulnerabilities in LibreOffice, LEOS, Mastodon, Odoo, and CryptPad.
The Open Source Programme Office (EC OSPO), which is hosted by European bug bounty platform Intigriti, offers 20% bonuses where vulnerability submissions include effective code fixes.
In payout news, there was an enormous windfall for researcher Ryan Pickren after he demonstrated how vulnerabilities in iCloud and Safari 15 gave attackers a means to compromise macOS webcams and, thereafter, victims’ online accounts.
Pickren netted $100,500 for a universal cross-site scripting (uXSS) bug and a total of four flaws.
The uXSS exploit could give an “attacker full access to every website ever visited by the victim,” said the researcher.
Elsewhere, the discovery of 70 web cache poisoning vulnerabilities affecting Apache Traffic Server, GitHub, and HackerOne, among others, earned Iustin Ladunca $40,000.
Omer Gil from Cider Security, meanwhile, has warned that CI/CD platforms are an increasingly popular attack target after detailing a flaw in GitHub Actions that made it possible to circumvent code review safeguards.
Gil, who praised GitHub for rapidly addressing and paying a bounty for the flaw in the hugely popular continuous integration (CI) service, said authorization bypass weaknesses open the door to planting malicious software within the tributaries that feed production software.
Finally, the Internet Bug Bounty (IBB), a partnership between tech giants that aims to address vulnerabilities in critical open source software projects, paid $2,500 for a remote code execution (RCE) vulnerability in Apache HTTP Server.
Researcher ‘chamal’ earned $2,000 for the discovery in line with the program’s policy of paying bounties according to an 80/20 split between the bug hunter and relevant project.
The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:
Google has introduced a new reward tier for the Chrome Vulnerability Reward Program (VRP). “Memory corruption/RCE bugs in highly privileged processes, such as GPU or network process, can now earn you up to $7,000 for a baseline report, $10,000 for a high-quality report, and $15,000 for high-quality reports with a functional exploit,” the tech giant tweeted recently.
Google is interested in bugs that make it to stable, beta, and dev channels, including those in third-party components.
Check out the Chrome VRP bug bounty page for more details
The Open Source Programme Office (EC OSPO) is dedicated to open source projects underpinning its public services, specifically LibreOffice, LEOS, Mastodon, Odoo, and CryptPad.
EC OSPO will pay 20% bonuses where vulnerability submissions include effective code fixes.
Read our previous coverage of the EC OSPO launch for more details
Olympus DAO, a decentralized reserve currency protocol based on the OHM token, says payouts could potentially reach $3.3 million for issues in its smart contracts or app that might lead to loss of treasury, user, or bond funds.
“Olympus has a goal of becoming the reserve asset for all of DeFi,” said Olympus DAO bug bounty manager ‘@Proof_Steve’. “To achieve that we need to ensure its security, and that’s exactly why the community authorized this bug bounty program”.
Check out the related Olympus DAO press release for more details
Payoneer is a US financial services company that provides online money transfers, digital payment services and working capital.
Payoneer.com is the sole asset in scope, with critical flaws attracting bounties up to $5,000, while high severity issues will earn bug hunters up to $2,000.
Check out the Payoneer bug bounty page at TBC for more details
Skroutz, a Greek e-commerce platform, has invited bug hunters to probe its web application and associated API on the live production environment.
The application is built with Ruby on Rails and uses many open source components, as detailed on GitHub.
Check out the Skroutz bug bounty page at Bugcrowd for more details
Additional reporting by James Walker.
PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for January 2022
© 2022 PortSwigger Ltd.