Bug Bounty News, Articles and Updates

Facebook to expand bug bounty program to include data misuse

The last item in a short list of changes Facebook said it would make to its platform in the wake of the Cambridge Analytica scandal is an expansion of its bug bounty programme to cover developer misuse of user data.

Microsoft launches $250,000 bug bounty for Spectre/Meltdown-like flaws

Microsoft has kicked off a bug bounty programme that pays between US$ 25,000 and US$ 250,000 (£17,800 to £178,000) to anyone who finds speculative-execution side-channel vulnerabilities similar to the now infamous Spectre and Meltdown.

Kaspersky ups bounty to US$ 100K (£72K) for some severe RCE bugs

Kaspersky Lab has upped the high end of its bug bounty rewards program to US$ 100,000 (£72,000) for severe vulnerabilities that allow remote code execution (RCE) through the database update channel.

Not-for-profit Open Bug Bounty announces 100K fixed vulnerabilities

The not-for-profit Open Bug Bounty platform recently announced that the number of vulnerabilities fixed through it had reached 100,000, and that it had completed a revision of its internal disclosure process to comply with the ISO 29147 standard.

Facebook bug bounty programme paid out £638K in 2017

Facebook's 2017 bug bounty programme paid out US$ 880,000 (£638,000) to more than 100 researchers, and in 2018 the company will update its Thanks page to show payout amounts and submission validity, among other details.

2,837 flaws found under US Defence Dept vulnerability disclosure programme

The US Defence Department's vulnerability disclosure programme (VDP) has yielded 2,837 security flaws in the nearly one year since its inception.

Slack hack could have let attackers hijack a stack of user accounts

A security researcher earns a bug bounty after discovering that he could steal Slack tokens by hijacking WebSocket connections through unvalidated functions.

ImageMagick bug in Facebook could have allowed remote execution of code

A researcher receives a $40,000 bounty for a vulnerability in Facebook's use of ImageMagick that could have allowed an attacker to gain control of a Facebook server.

Pen testers discover mega vulnerabilities in Uber

A Portuguese pen testing team discovers 14 flaws in Uber's apps that would have allowed them to get free rides and exposed details of passengers' and drivers' journeys.

Pornhub dismisses hacker's offer to sell access to servers as hoax

A hacker calling himself Revolver yesterday advertised on Twitter that he was selling access to Pornhub's servers for $1,000 after discovering an exploit, but the pornography video-sharing website disputes that the hack is genuine.

Pornhub launches bug bounty programme on HackerOne

Pornhub is offering white hats between $50 (£35) and $25,000 (£17,300) for reporting qualifying vulnerabilities.

Google denies email injection flaw can bypass filters and pwn users

Israel-based cyber-threat specialist Cyberint insists it has found a serious flaw in Google's security, despite the tech giant's denial that email injection can bypass its security filters.

Microsoft to open up bug bounty programme to find flaws in OneDrive

Bug hunters will be rewarded for finding vulnerabilities in the cloud storage service.

Zerodium puts out $100,000 contract on Flash's heap isolation

The exploit broker Zerodium has offered $100,000 to whoever can bypass the heap isolation mitigation introduced in Flash's recent security update.

Tor launching bug bounty programme

The Tor Project will launch a bug bounty programme later this year to encourage security researchers to report issues they find in its software responsibly.

Facebook threatens security researcher over 'keys to the kingdom' exploit

Wesley Wineberg claimed to have discovered a million-dollar bug in Facebook, but the social media company has objected to the intrusive nature of his investigation and threatened to sue him.

ICYMI: Madison extortion, Cyber-sec challenge, United bug-bounty, French intelligence, and Anonymous/ISIS spat

The latest In Case You Missed It (ICYMI) looks at suspected Madison extortionists, the Cyber-Sec Challenge finals, bug-bounty criticism, French intelligence and Anonymous' Twitter battle with ISIS.

Security researcher blasts United Airlines' bug bounty programme

A security researcher claims United Airlines sat on a serious bug for five months that would have allowed an attacker to access customers' flight details and even cancel flights.

Can bounty hunters stop the DDoS gangs?

Is the idea of putting a cash bounty on hackers an effective way to disrupt or stop DDoS attacks, or a vigilante action that takes time and money from the business of protecting networks?

Is responsible disclosure responsible enough?

We ask industry experts, when life and limb are at risk, is responsible disclosure of vulnerabilities enough? Or should there be mandated disclosure?

War of words as researchers reveal Kaspersky and FireEye zero-days

Researchers reveal zero-day vulnerabilities in FireEye and Kaspersky's security software during the US Labor Day holiday weekend.

PayPal patches stored XSS vulnerabilities discovered by bounty hunters

Stored XSS vulnerabilities exposed the payments page and opened PayPal users to malicious file attacks, researchers say.

Unpatched 0-day threatens Apple Mac users

An OS X flaw is disclosed by a teenage Italian security researcher without notifying Apple first, reigniting the debate about 'irresponsible' bug disclosure.

Oracle pulls CSO's reverse engineering and bug bounty programme rant

Oracle CSO Mary Ann Davidson penned a blog post on Monday warning researchers that they would receive a legal letter if they continued to reverse engineer the company's code.

Microsoft boosts bug bounty programme rewards

Bonanza for bug hunters? After Windows 10, it's time to clean up

Yahoo bug bounty programme pays out more than US$1 million to researchers

Yahoo's interim CISO Ramses Martinez detailed the successes of the company's bug bounty programme since its creation in 2013.

ICYMI: Polish airlines, Samsung, VoIP, LinkedIn bounty, Verify limitations

ICYMI: DDoS attack on Polish airline LOT; Samsung keyboard vulnerability; poor VoIP server security; LinkedIn bug bounty programme; Verify programme has severe privacy and security problems.

LinkedIn 'invitation-only' bug bounty programme pays out £41K

LinkedIn's director of information security confirms that the company's private bug bounty programme was formalised in October.