Search results for: bug bounties


Trust nothing: A life in infosec is a life of suspicion

Like many before him, Amit Serper started his cybersecurity career in one of Israel’s intelligence agencies. Nine years later, he left for the private sector: he joined Cybereason, a cyber security company started by former colleagues which specializes in endpoint detection and response (EDR) and managed detection and response (MDR). He started there as a senior security researcher, then progressed through different research roles. Today, he’s the company’s head of security research, leading Nocturnus, its advanced global …


Meet the new generation of white hats

The past two years have seen an explosion in the number of software vulnerabilities being published, jumping from 6,447 in 2016 to 14,714 in 2017. Seeing as 2018 beat out the previous year with 16,521 CVEs reported, we should prepare ourselves for plenty of patching ahead in 2019. While factors like the adoption of automated Application Security Testing (AST) tools by more vendors and the absolute growth of code are definitely playing a bigger role …


Week in review: How data becomes intelligence, email security predictions, EU bug bounties

Here’s an overview of some of last week’s most interesting news and articles: The attack surface is growing faster than it has at any other point in the history of technology Avast launched its annual Threat Landscape Report, detailing the biggest security trends facing consumers in 2019 as collected by the Avast Threat Labs team. Four cybersecurity trends every CIO should know The cybersecurity landscape in 2019 will likely bring bigger, more complex threats and …


EU launches bug bounties on free and open source software

After setting up a bug bounty program for VLC Media Player in late 2017, the European Commission (EC) has announced the launch of 14 new ones that will cover other free and open source software used by European Union institutions. The list of target software is as follows: FileZilla (FTP app); Apache Kafka (stream-processing software platform); Notepad++ (text/source code editor); PuTTY (terminal emulator, network file transfer app); VLC Media Player; FLUX TL (the Transportation Layer …

HackerOne expands Hacker101 web training platform with HackEDU partnership

HackerOne has expanded its online hacker training program, Hacker101, through a partnership with cybersecurity training company HackEDU. Hacker101 is giving away the sandboxed training environments, modeled after five real-world vulnerability reports. HackerOne and HackEDU are committed to empowering the hacker community by providing access to training materials. The new HackEDU-developed vulnerability sandboxes are the latest in their interactive coursework available to hackers and join existing Hacker101 interactive content, coursework and capture the flag (CTF) challenges. …


Facebook offers bounties for user token bugs in third-party apps, websites

Facebook is expanding its bug bounty program to include vulnerabilities in third-party apps and websites that involve improper exposure of Facebook user access tokens. What’s in scope? “Access tokens allow people to log into another app using Facebook and are uniquely generated for the specific person and app,” security engineer Dan Gurfinkel noted. “If exposed, a token can potentially be misused, based on the permissions set by the user. We want researchers to have a …


Hack the Marine Corps bug bounty program kicks off

The U.S. Department of Defense (DoD) and HackerOne launched the Department’s sixth bug bounty program, Hack the Marine Corps. The bug bounty challenge will focus on the Marine Corps’ public-facing websites and services in order to harden the defenses of the Marine Corps Enterprise Network (MCEN). The bug bounty program will conclude on August 26, 2018. The Marine Corps’ bug bounty program kicked off with a live-hacking event in Las Vegas, Nev. on August 12, 2018 …


Bugcrowd University to provide hands-on training for security researchers

Bugcrowd announced the launch of Bugcrowd University to educate and empower the crowd with the latest skills and methodologies. The first advanced program of its kind, Bugcrowd University provides researcher education and training to improve the state of application security training, community engagement and content delivery. Bugcrowd University is free and open to all security researchers — not just those on the Bugcrowd Platform. In the last few years, organizations around the world have witnessed …


Bugcrowd launches to provide a safe harbor for white hat hackers

Bugcrowd and Amit Elazari, a University of California, Berkeley doctoral candidate and CLTC grantee, announce the launch of — a project to standardize practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs (VDPs). Current U.S. anti-hacking laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), along with public incidents, have had a chilling effect on the security researcher community. …


Week in review: Bluetooth flaw, ERP applications under attack, advancing security with machine learning

Here’s an overview of some of last week’s most interesting news and articles: SCADA vulnerabilities in ICS architectures A major challenge in industrial control system architecture involves the dual nature of its underlying technologies. Vulnerability research and responsible disclosure: Advice from an industry veteran “Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish …


ZDI offers hefty bounties for zero-days in popular web servers, CMSes

The Trend Micro-backed Zero Day Initiative is asking bug hunters to look for zero-day RCE vulnerabilities in several open source server-side products and is ready to pay up to $200,000 for some of them. A server-side bug bounty program “Starting August 1st, the Targeted Incentive Program (TIP) offers a special monetary award for specific targets, but only for the first successful entry and only for a certain period of time,” ZDI’s Brian Gorenc explained. Joomla, …


Vulnerability research and responsible disclosure: Advice from an industry veteran

“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look at their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab. Any member …