bugbounty

Latest

  • Apple will pay the teenager who discovered the Group FaceTime bug

    by Saqib Shah, 02.08.2019

    Apple has said it will pay the teen who discovered the Group FaceTime bug that let you listen in on someone before they answered a call. Grant Thompson, a 14-year-old high school student from Tucson, Arizona, discovered the flaw around two weeks ago while setting up a group chat with friends playing Fortnite. His mother Michele Thompson said she repeatedly tried to contact Apple about the issue through email and social media to no avail. The company got in touch with her a week ago, once news of the bug had gone viral online, by which point it had taken Group FaceTime offline.

  • Researcher finds macOS bug but won’t share details with Apple

    by Kris Holt, 02.06.2019

    A researcher has discovered an exploit that can expose passwords on macOS, but says he won't share details of the bug with Apple because of its bug bounty policies. Linus Henze posted a demo video of the KeySteal exploit this week. It seems to grab passwords from login and system keychains without requiring administrator privileges, with a simple click of a button. It works on the latest version of macOS Mojave, though it doesn't seem to affect items stored in iCloud's keychain.

  • EU offers bounties to help find security flaws in open source tools

    by Jon Fingas, 12.30.2018

    The European Union believes it has a simple way to bolster its digital security: offer lots of cold, hard cash. The European Commission is launching bug bounties in January that will offer prizes in return for spotting security flaws in 14 free, open source software tools EU institutions use. These include well-known tools like VLC Media Player, KeePass, 7-zip and Drupal as well as something as vital as the GNU C Library.

  • Facebook will reward those who report bugs in third-party apps

    by Mallory Locklear, 09.17.2018

    Facebook is expanding its bug bounty program and will begin offering rewards to those that report vulnerabilities in third-party apps that connect to its platform. Specifically, the company is concerned with the misuse of access tokens, which allow Facebook users to log into other apps and websites with their Facebook account. "If exposed, a token can potentially be misused, based on the permissions set by the user," Dan Gurfinkel, Facebook's security engineering manager, said in a blog post. "We want researchers to have a clear channel to report these important issues, and we want to do our part to protect people's information, even if the source of a bug is not in our direct control."

  • HP bug bounty program aims to boost printer security

    by Jon Fingas, 07.31.2018

    Bug bounty programs aren't just for computing devices and apps -- HP is launching a "first of its kind" bug bounty initiative to boost the security of printers. The program will see it partner with the security crowdsourcing company Bugcrowd to reward researchers who spot vulnerabilities in its printer lineup. Those who discover completely new flaws will receive up to $10,000, but even those who find existing flaws may get a "good faith payment" in the right circumstances.

  • Netflix opens its public bug bounty program

    by Mallory Locklear, 03.21.2018

    Today, Netflix announced the launch of its public bug bounty program. The company, which has been expanding its bug bounty setup over the last few years, started with a responsible vulnerability disclosure program in 2013. That then led to its private bug bounty program, which it launched in 2016 with 100 Bugcrowd researchers on board. Since then, Netflix has invited over 700 researchers to participate and has received 145 valid submissions since launch. The company's new public program is on the Bugcrowd platform.

  • Air Force security hackathon leads to record payout

    by Jon Fingas, 02.19.2018

    The US Air Force's second security hackathon has paid dividends... both for the military and the people finding holes in its defenses. HackerOne has revealed the results of the Hack the Air Force 2.0 challenge from the end of 2017, and it led to volunteers discovering 106 vulnerabilities across roughly 300 of the USAF's public websites. Those discoveries proved costly, however. The Air Force paid out a total of $103,883, including $12,500 for one bug -- the most money any federal bounty program has paid to date.

  • Intel expands bug bounty to catch more Spectre-like security flaws

    by Jon Fingas, 02.14.2018

    To say Intel was caught flat-footed by the Meltdown and Spectre flaws would be an understatement. However, it has a potential solution: enlist more people for help. It's widening its bug bounty program to both include more researchers and offer more incentives to spot Meltdown- and Spectre-like holes. The program is now open to all security researchers, not just by invitation, and includes sweeter rewards for discovering exploits. You now get up to $100,000 for disclosing general security flaws, and there's a new program dedicated to side channel vulnerabilities (read: issues like Spectre) that offers up to $250,000 through December 31st, 2018.

  • Senate bill would help guard against election hacks

    by Jon Fingas, 12.21.2017

    American election security is a mess. Many voting systems are vulnerable, but replacing machines is expensive -- and then there's the lack of coordination between different levels of government. The country needs a lot of help if it's going to prevent a repeat of Russia's 2016 interference, let alone full-fledged tampering. Some new legislation might sort things out, however. A bipartisan group of senators has introduced the Secure Elections Act, a bill that would support state election systems with resources and expertise that could help fend off hacking attempts.

  • Uber paid off a 20-year-old Florida man to destroy hacked data

    by Saqib Shah, 12.07.2017

    More details are coming to light about Uber's huge data breach. Reuters is reporting that a 20-year-old Florida man was behind the 2016 extortion-oriented cyberattack and was paid through the firm's bug bounty program. We know that the individual, whose identity Uber refuses to disclose, received $100,000 for destroying the info, which exposed the personal data of roughly 57 million customers and drivers. The ride-hailing firm then kept quiet about the breach for more than a year. You can bet Congress and the five states investigating Uber will be paying close attention to any new nuggets of info.

  • DJI threatens legal action after researcher reports bug

    by Mallory Locklear, 11.20.2017

    In August, DJI announced that it was launching a bug bounty program that would give out rewards to people who could find flaws in its software. The company said it would pay between $100 and $30,000 depending on the flaw. But according to an essay written by security researcher Kevin Finisterre, and reported by the Verge, the program isn't off to a great start.

  • Samsung’s mobile bug bounty program pays up to $200,000

    by Saqib Shah, 09.07.2017

    Samsung is the latest in a long line of tech titans to announce its very own bug bounty program. As its title suggests, the newly-launched Mobile Security Rewards Program will pay users for reporting vulnerabilities in the company's latest firmware. If you spot a weakness, and back it up with solid research, you could pocket up to $200,000. That's in line with the sums offered by the likes of Google (for Android) and Apple. Like those companies (along with Microsoft, Facebook, and Twitter), the rewards program sees Samsung reaching out to researchers to help squash bugs.

  • DJI will pay you to find security exploits in its drones

    by Jon Fingas, 08.28.2017

    DJI clearly doesn't like that organizations are shying away from its drones over security fears, and it knows it can't solve the problem by itself. The company is launching a bug bounty program that will pay between $100 and $30,000 to anyone who finds flaws in its software, whether they're showstopping security exploits, privacy threats, safety issues or simple app crashes. Bug bounties certainly aren't anything new, but this shows how important drone security has become -- DJI doesn't want to lose business or risk an injury because it didn't catch a glitch in time.

  • Dark net black markets are turning to bug bounty programs

    by Mariella Moon, 02.04.2017

    Dark net black markets are taking a leaf out of many legit companies' book and turning to bounty hunters to find security flaws in their systems. Hansa Market is one of them. According to CyberScoop, the marketplace, which brought in $3 million last year, has launched a bug bounty program offering rewards worth up to 10 BTC or around $10,000. Considering marketplaces like Hansa sell drugs, illegal firearms, log-ins and other data, the websites likely want to amp up their security measures to protect their sellers from law enforcement. They also likely want to protect all the log-in/password dumps and other data for sale from other hackers who might break into their system to steal them.

  • Apple announces $200,000 bug bounty program

    by Andrew Dalton, 08.04.2016

    Unlike many of the other major tech companies, Apple has never had a formal bug bounty program or corporate policy for welcoming outsiders who poke holes in their security features. However, as TechCrunch reports today, Apple's head of Security Engineering and Architecture Ivan Krstic announced at Black Hat that his company will now offer cash bounties of up to $200,000 for hackers and researchers who find and report security flaws in Apple products.

  • Google offers even more money for Android bugs

    by Cherlynn Low, 06.17.2016

    Since launching its Android Security Rewards program last year, Google has paid out more than $550,000 to 82 people for their discoveries of security flaws in the company's mobile operating system. Now, the tech giant is offering between 33 percent and 50 percent more money for reports filed after June 1st, 2016.

  • Twitter awarded bug bounty hunters $322,420 over two years

    by Mariella Moon, 05.28.2016

    A total of 1,662 researchers earned some cash from Twitter's bug bounty program since it launched in May 2014. Twitter has revealed that it received 5,171 reports and that it paid out a total of $322,420 over two years' time. The smallest amount anyone ever got was $140, while the biggest was $12,040. Although bug hunting for Facebook sounds much more lucrative -- the social network spent a million dollars within the first two years of its own program and awarded some researchers over $100,000 each -- a single bug hunter for Twitter did make $54,000 in 2015.

  • Who hacked Facebook?

    by Violet Blue, 04.29.2016

    Late last week, a hacker named Orange Tsai wrote about how he hacked into Facebook under the aegis of its bug bounty program. A bug bounty is when a company pays hackers for vulnerabilities they find, providing the company with real-world threat testing outside the scope of its security team. But Tsai found much more than a bug. He discovered that another hacker had been in the company's systems for around eight months, grabbing employee usernames and passwords -- and probably more.

  • Tor plans to launch a bug bounty program

    by Jessica Conditt, 12.31.2015

    Tor will open itself to attack in 2016 with the start of a bug bounty program aimed at identifying weaknesses in its security systems, Motherboard reports. Tor is a free service that allows users to browse the internet anonymously, and it's working with sponsor Open Technology Fund and bug bounty coordinator HackerOne to pull off this latest security sweep. The bug-hunting will be invite-only at first, Tor Browser Lead Developer Mike Perry told Motherboard.

  • Facebook accuses bug hunter of unethical behavior

    by Steve Dent, 12.18.2015

    A security researcher who uncovered a major Instagram hole has gotten into a tiff with Facebook and opened up a can of worms about the boundaries of "bug bounty" programs. Wesley Wineberg is a well-known bug hunter, having received $24,000 from Microsoft for stopping a nasty Outlook worm. He then turned to Instagram (via Facebook's bug bounty program), after receiving a tip about a potential vulnerability on an exposed Amazon server. After confirming the bug, he decided to dig a bit deeper, and that's where things went wrong.