Search results for: bug bounties

Google invites bug hunters to scrutinize its open source projects

Google wants to improve the security of its open source projects and those projects’ third-party dependencies by offering rewards for bugs found in them. “Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged,” Googlers Francis Perron and Krzysztof Kotowicz explained. Google offers rewards for bugs in its open source software … More

HackerOne OpenASM enables customers to leverage scan data from multiple vendors

At RSA Conference 2022, HackerOne announced OpenASM, an initiative that combines scan data from customers’ attack surface management (ASM) tools with security testing efforts. Attack surface scans can be used to better set scopes for bug bounties, penetration tests, and vulnerability disclosure programs. In addition, ethical hackers can enrich, risk rank, and prioritize assets, helping organizations reduce risk more effectively. At the core of the initiative is HackerOne Assets, itself an ASM product and integrated … More

Week in review: F5 BIG-IP flaw, critical bugs in Aruba and Avaya network switches, Patch Tuesday forecast

Here’s an overview of some of last week’s most interesting news, articles and interviews: May 2022 Patch Tuesday forecast: Look beyond just application and OS updates April Patch Tuesday provided an extensive set of operating system and application updates after a few quiet months. TLStorm 2.0: Critical bugs in widely-used Aruba, Avaya network switches Armis researchers have discovered five critical vulnerabilities in the implementation of TLS communications in multiple models of network switches. Critical F5 … More

Google offers 50% higher bounties for bugs in Android 13 Beta

Google has released Android 13 Beta 1 and has sent out a call for bug hunters: Find bugs in it, and you’ll get a 50% bonus reward payout. They should hurry up, though: the offer expires on May 26th, 2022. Getting Android 13 as secure as possible before the final release Android will, according to Google, focus on “building a responsible and high quality platform for all by providing a safer environment on the device … More

How to recruit cybersecurity talent from atypical backgrounds

In this interview with Help Net Security, Max Shuftan, Director of Mission Programs & Partnerships at SANS Institute, talks about how companies and the cybersecurity industry should try to recruit hobbyists and DIYers – as well as individuals from many atypical backgrounds – to help fill the growing cybersecurity workforce gap. From my (perhaps limited and anecdotal) perspective, some companies are already pulling prospective cybersecurity practitioners from the hobbyists/DIY pool – though perhaps there’s … More

EU launches bug bounty programs for five open source solutions

The European Union is, once again, calling on bug hunters to delve into specific open source software and report bugs. This time around, the list of software that should be probed for weaknesses includes:
LibreOffice – a free office suite
Mastodon – free and open-source software for running self-hosted social networking services
Odoo – a suite of business management software
Cryptpad – a browser-based encrypted open-source collaboration platform that allows people to work together online … More

The Log4j debacle showed again that public disclosure of 0-days only helps attackers

On December 9, 2021, a (now deleted) tweet linking to a 0-day proof of concept (PoC) exploit (also now deleted) for the Log4Shell vulnerability on GitHub set the internet on fire and sent companies scrambling to mitigate, patch and then patch again as additional PoCs appeared. Public vulnerability disclosure – i.e., the act of revealing to the world the existence of a bug in a piece of software, a library, extension, etc., and releasing a … More

HackerOne updates Internet Bug Bounty program to improve the security of open source software

HackerOne announced the next evolution of the Internet Bug Bounty (IBB) program at the company’s annual Security conference. The IBB’s mission is to secure open source by pooling funding and incentivizing security researchers to report vulnerabilities within open source software. The updated program builds upon this mission by providing a new pooled funding model so more organizations can leverage the IBB to secure open source dependencies within their software supply chains. Along with HackerOne, participating … More

Bug hunters asked to probe Microsoft Teams mobile apps, can earn up to $30k

Microsoft’s Applications Bounty Program has been extended to cover the Microsoft Teams mobile apps, and bug hunters can earn up to $30,000 for reports about specific vulnerabilities. Microsoft Teams: A popular business solution Microsoft Teams is an enterprise communication and collaboration platform that provides workspace chat (one-on-one and group), videoconferencing, VoIP, file sharing and storage, and meetings. Its popularity and use soared in the wake of the COVID-19 pandemic and, as of April 2021, it has … More

Review: The Pentester Blueprint: Starting a Career as an Ethical Hacker

Brought to you by cybersecurity researcher Kim Crawley and pentester and author Phillip L. Wylie, The Pentester Blueprint gives insights into the most common hurdles encountered by aspiring penetration testers, as well as tips on how to overcome them. The Pentester Blueprint: Starting a Career as an Ethical Hacker The book starts by explaining what a pentester is, why pentesters are beneficial to a company, and describes common pentesting methodologies. A pentester needs to have … More

Offensive Security announces bounty program for user generated content

Offensive Security announced a new bounty program for user generated content. Members of the infosecurity community can now receive cash bounties for submitting vulnerable virtual machines to Offensive Security (OffSec) that are eligible to be incorporated into the Proving Grounds training labs. OffSec is the only security training provider to offer bounty payments for content submissions, providing tangible rewards to the infosec community and expanding the content available in OffSec’s training labs. “No matter how … More

Companies rely on crowdsourced security to boost security efforts

61% of organizations perform attack surface discovery to keep up with frequently changing assets and an expanding attack surface, yet only 40% of companies perform continuous attack surface management, a Bugcrowd survey reveals. Only one out of five organizations surveyed qualified as a “leader” in how they execute attack surface and vulnerability management, while 49% ranked in the second tier as “fast-followers” and 39% ranked in the bottom tier as “emerging organizations.” The survey discovered … More