Bug Bounty Programs: March 2022

Google recently announced that security flaws were addressed 28 days faster in 2021 than in 2019. The flaws revealed by Project Zero 2021 also appreciated the vendors that discovered them.

Only one problem surpassed its 90-day patch deadline, with hardware and software providers taking an average of 52 days to address security flaws. Responsible disclosure policies, according to the corporation, are to blame.

Payout News

Sriram Kesavan of TG Cyberlabs earned $3,133 for discovering that the unsubscribe feature in Google Groups might be misused to remove users without their knowledge or consent. 

A hefty $250,000 prize was offered to pseudonymous security engineer ‘Tree of Alpha,’ who discovered a vulnerability in Coinbase that allowed users to sell cash they did not own.

Due to a missing logic validation check in a Retail Brokerage API endpoint, a user was able to submit trades to a specific order book using an incorrect source account, potentially allowing an attacker to steal a limitless amount of cryptocurrencies.

Meanwhile, the Government Communications Security Bureau (GCSB) in New Zealand has urged government agencies to implement vulnerability disclosure policies (VDPs). Researchers can submit flaws without fear of repercussions, but there will be no bug bounty available.

PortSwigger Web Security has published its yearly list of the top ten web hacking techniques. The list was topped by dependency confusion attacks. Researcher Alex Birsan used this technique to get access to Apple, Microsoft, and other high-profile organisations.

Following that was research from PortSwigger’s James Kettle, which revealed that many sites that had switched to HTTP/2 were still vulnerable to smuggling attacks since they rewrote requests in order to communicate with the backend server.

Bug bounty programmes for the month of March 2022

1. Cardano is a public blockchain platform that was established in 2015. The Cardano Foundation is offering to quadruple bug bounty rewards to researchers as part of a six-week promotion. Beginning February 14, bug bounty hunters who identify significant vulnerabilities in the Cardano Node will be rewarded up to $20,000 in cash.
2. As previously reported, CloudFlare, a content delivery network and DDoS mitigation technology provider, has made its formerly invite-only bug bounty programme public. Before going public, Cloudflare and its bug bounty provider improved documentation and guidance to increase report quality and reduce false alarms.
3. Coinstore bills itself as a bitcoin “financial arcade.” Vulnerabilities in its website, API, and mobile apps are all covered by its newly-launched bug bounty programme.
4. Databricks sells cloud-based data warehousing technology to businesses. The vendor’s awards are determined by severity as measured by CVSS. Databricks is curious about several other typical types of web security vulnerabilities. 
5. ExpressVPN, a provider of virtual private network (VPN) technology, has raised its incentives for security researchers. Security researchers that can demonstrate “unauthorised access, remote code execution, IP address leakage, or the capacity to monitor unencrypted (non-VPN encrypted) user traffic” will be rewarded.
6. With ‘Project Circuit Breaker,’ Intel has expanded its existing bug bounty programme. Vulnerabilities in firmware, hypervisors, GPUs, chipsets, and other components come under the scope.
7. Kiteworks is a company that provides file sharing and collaboration solutions to businesses. Researchers that uncover remote code execution and privilege escalation to root/admin vulnerabilities will receive the highest compensation under the company’s new bug bounty programme.
8. Lachain.io, a provider of decentralised finance technology, has launched a new bug bounty programme. Payment manipulation, business logic difficulties, and a wide range of web security vulnerabilities are in the scope of the bounty.
9. MakerDAO, a cryptocurrency startup, has started a bug bounty programme with a potential compensation of $10 million. Vulnerabilities in its smart contracts technology are most likely to be rewarded, but faults in Maker DAO’s website and applications are also in play.
10. Pandora, a provider of decentralised finance technology, has launched two bug bounty programmes covering its web infrastructure and smart contracts technology.

Stay tuned about the latest in cybersecurity by following us on LinkedIn and subscribing to our newsletters.