New web targets for the discerning hacker

The latest bug bounty programs for May 2021

This month, we caught up with the maintainers of Open Bug Bounty, a crowdsourced security testing and vulnerability disclosure platform founded in 2014.

The non-profit project has around 1,300 active bug bounty programs and 22,000 registered security researchers. It’s made around one million coordinated disclosures, resulting in around half a million vulnerability patches.

The researchers say they’re not competing directly with the likes of HackerOne and Bugcrowd, which are in part now shifting to penetration testing and other traditional managed security services.

“Open Bug Bounty is a pure crowd-security testing and vulnerability disclosure platform where everyone can participate without restrictions while following the rules and code of conduct,” they say.

Meanwhile, gaming giant Valve came in for some criticism this month, after it was revealed that it took two years to fix critical security flaws in its Steam platform.

There’s also been more on the subject of coordinated vulnerability disclosure this month, with researchers launching a new GitHub repository of the times disclosure has gone sour.

The Research Threats project details examples of legal threats received by ethical hackers and how some were resolved - as well as giving guidance on the best ways of making a disclosure.

“The hope is for security researchers to be able to use this to make safer decisions,” the site’s coordinators said.

And finally, as some countries tentatively mark their first steps out of lockdown, we took a closer look at how bug bounty programs have been helping to secure the contact tracing app ecosystem.

The World Health Organization launched one of the first disclosure programs in December 2020, in conjunction with HackerOne, and it has led to the patching of seven security vulnerabilities so far. Other programs are active in the UK, France, and India.

“Governments need to protect citizens’ data in order to minimize the risk of malicious acts, and bug bounty allows real in-depth security,” a spokesperson from YesWeHack told The Daily Swig.


The latest bug bounty programs for May 2021

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

Balancer Labs

Program provider: Independent

Program type: Public bug bounty

Max reward: 1,000 ETH ($2.7 million)

Outline: Balancer Labs, the foundation behind the Balancer Protocol, has launched what it claims to be the biggest bug bounty prize on record as it looks to root out vulnerabilities in its V2 Vault architecture.

Notes: The Balancer protocol provides liquidity and offers users automated portfolio management. The top prize of 1,000 ETH is on offer for researchers who disclose ways to drain funds from the vault, among other critical hacks.

Check out the Balancer Labs bug bounty announcement for full details

CoinMetro Exchange

Program provider: HackenProof

Program type: Public bug bounty

Max reward: $3,000

Outline: CoinMetro is an EU-based financial technology ecosystem that’s designed to simplify access to the digital asset economy.

Notes: In-scope vulnerabilities for the exchange’s new public bug bounty program include business logic issues, remote code execution, SQL injection, data leakage, and server-side issues.

Visit the CoinMetro Exchange bug bounty page at HackenProof for more info

CoinSpot

Program provider: HackerOne

Program type: Public bug bounty

Max reward: $10,000

Outline: CoinSpot, a popular Australian cryptocurrency exchange, has launched a new bug bounty program through HackerOne, with a particular focus on identifying critical flaws in the coinspot.com.au domain.

Notes: “CoinSpot looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe,” the company said.

Visit the CoinSpot bug bounty page at HackerOne for more info

Cream Finance

Program provider: Immunefi

Program type: Public bug bounty

Max reward: $1.5 million

Outline: Cream Finance is working with Immunefi, Armor.fi, and DeFiSafety to bring stronger security to its eponymous protocol and wider decentralized finance ecosystem. The security campaign started this month with the launch of a $1.5 million bug bounty program, with Immunefi, focused on strengthening Cream’s protocol, API, and website security.

Notes: As outlined in a recent blog post, the bug bounty program is focused around the Cream smart contracts and the prevention of loss of user funds, as well as its web and app assets and data breach vulnerabilities. It is further covered by the Armor Alliance Bug Bounty Challenge.

Visit the Cream Finance bug bounty page at Immunefi for more info

Nord – enhanced

Program provider: HackerOne

Program type: Public

Max reward: $5,000+

Outline: Nord’s bug bounty program has been expanded to include NordPass and NordLocker, alongside its existing program for NordVPN.

Notes: Nord’s HackerOne profile states that it will pay a maximum reward of $1,000; however, it also states that $5,000+ is being offered for critical vulnerabilities, suggesting there is some flexibility at the company’s discretion.

Check out Nord’s bug bounty press release for further details

Parrot

Program provider: YesWeHack

Program type: Private

Max reward: TBC

Outline: European drone manufacturer Parrot has launched a private bug bounty program asking qualifying security researchers to find vulnerabilities in its products, mobile applications, and web services.

Notes: A press release from Parrot states that the program will eventually be made public, so any keen researchers who aren’t invited to take part need simply watch this space.

Check out YesWeHack and Parrot’s joint announcement for further details

Reddit – enhanced

Program provider: HackerOne

Program type: Public

Max reward: $10,000

Outline: Reddit has taken its private bug bounty program public after seeing what it says is “great engagement and success”, paying out $140,000 in security bounties across 300 vulnerability reports.

Notes: Vulnerabilities in scope include remote code execution, SQL injection, and authentication bypass resulting in access to a user’s account and private data.

Visit the Reddit bug bounty page at HackerOne for more info

Swiss Post

Program provider: YesWeHack

Program type: Public

Max reward: €10,000

Outline: Swiss Post has opened its program to the public, asking researchers to find vulnerabilities in multiple web services after a successful private program paid out $270,000 in rewards.

Notes: Swiss Post previously told The Daily Swig that the public launch is part of its mission of “constantly working on new ways to improve the security of the company’s IT infrastructure”.

Visit the Swiss Post bug bounty page at YesWeHack for more info

Telenor Sweden (Telenor Sverige AB)

Program provider: YesWeHack

Program type: Public bug bounty

Max reward: €2,000

Outline: Swedish telecommunications giant Telenor Sverige has hooked up with YesWeHack to launch a new bug bounty program and help keep its customers secure.

Notes: The telco has published a detailed list of program rules, including out-of-scope assets. Security researchers should ensure they have thoroughly read these terms of engagement before they start testing.

Visit the Telenor bug bounty page at YesWeHack for more info


Other bug bounty and VDP news this month

  • Huntr is a new bug bounty platform offering rewards for vulnerabilities discovered in “any of the 28 million public repositories on GitHub”.
  • The flagship Pwn2Own live hacking event broke new ground on two fronts after total payouts surpassed $1 million and the competition’s first-ever solo female contestant notched a victory this month.
  • Drugs.com, Kryptor, MCUboot, and Fastify have launched unpaid VDPs on HackerOne.
  • Another bug bounty concept that gained ground in April was Immunefi, a “decentralized bug bounty protocol for crypto”. Check out the project’s latest blog post for full details.
  • The use of crowdsourced security jumped by more than 70% over the past year, according to Synack’s 2021 Signals in Security Report. The full report is available for free, although registration is required.
  • Bug bounty VIP and security engineer Tommy DeVoss (aka @thedawgyg) is making moves to create the world’s first bug bounty union. There’s little in the way of details, although a new Twitter account has been created for those interested in following any developments.
  • Sophos published the third and final instalment of its investigation into so-called ‘beg bounties’.
  • Lastly, for those who missed it, PortSwigger researcher Michael Stepankin published a tongue-in-cheek blog post detailing the ‘nOtWASP bottom 10’, an April Fools’ Day-inspired shortlist of “vulnerabilities that simply don’t make sense”.

Compiled by James Walker. Introduction by Emma Woollacott. Additional reporting by Jessica Haworth.