Search results for: bug bounties


Exploring the dynamics of the attacker economy

Global software companies are increasingly turning to attackers for help identifying security vulnerabilities in their offerings – and they’re not the only ones. Conservative government agencies are even beginning to welcome bug bounty hunters. Just recently, the U.S. Department of Defense (DoD) announced its search for a commercial bug bounty company that conducts crowdsourced vulnerability discovery and disclosure. Despite the growing number of organizations and government agencies that are embracing bug bounty hunters, questions still … More

general virtual digital

Week in review: Zero-login, Magecart threat, cybersecurity expert shortage

Here’s an overview of some of last week’s most interesting news and articles: Dealing with a system launch: It requires more than just testing Rolling out new IT systems or software can be a challenge and fraught with issues from day one – and the recent IT crisis with TSB has shown how damaging these can be if managed poorly. Only 65% of organizations have a cybersecurity expert Despite 95 percent of CIOs expecting cyberthreats … More

Microsoft logo

Microsoft offers bug bounties for holes in its identity services

Microsoft is asking security researchers to look for and report technical vulnerabilities affecting its identity services and OpenID standards implementations, and is offering bug bounties that can reach as high as $100,000. “Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API … More


George Gerchow, CSO at Sumo Logic: Our DevSecOps strategy

Sumo Logic was founded in 2010 by experts in log management, scalable systems, big data, and security. Today, their purpose-built, cloud-native service analyzes more than 100 petabytes of data, more than 16 million searches, and delivers 10s of millions of insights daily – positioning Sumo among the most powerful machine data analytics services in the world. In this podcast, George Gerchow, CSO with Sumo Logic, talks about their DevSecOps strategy. Here’s a transcript of the … More

magnifying glass

Hacker-powered security is reaching critical mass

HackerOne announced findings from the 2018 Hacker-Powered Security Report, based on over 72,000 resolved security vulnerabilities, 1,000 customer programs and more than $31 million in bounties awarded to hackers from over 100 countries. The annual report is a benchmark study of the bug bounty and vulnerability disclosure ecosystem based on the largest data set of reported vulnerabilities. Bounties for high impact findings are rising Hackers are finding more severe vulnerabilities than ever before. The total … More


The pace of vulnerability disclosure shows no signs of slowing

Unless the pace of vulnerability disclosure slows down in the coming quarters, we are looking at yet another record-breaking year, according to Risk Based Security’s 2018 Q1 Vulnerability QuickView Report. Note that bug bounties are a subset of the ‘Coordinated Disclosures’ total Key findings 5,375 unique vulnerabilities were reported. This is just a 1.8% increase over the same period in 2017. Note that this number will continue to rise throughout 2018. 1,790 (33.3%) of the … More


How many threats hit the mainframe? No one really knows

Mainframes are the definition of mission-critical for countless businesses. Mainframes can run 1.1 million transactions per second and are at the core of the technology strategies within the worldwide financial markets. In 2017, IBM launched a new mainframe capable of running 12 billion encrypted transactions a day. Why, despite the fact that businesses can’t afford a costly breach, is mainframe security still not getting enough attention? Like any other system, mainframes are subject to ransomware … More

bug bounties

Intel offers to pay for Spectre-like side channel vulnerabilities

Intel is expanding the bug bounty program it started last March, and is raising considerably the awards it plans to give out for helpful vulnerability information. Where information about critical vulnerabilities in Intel software, firmware and hardware could have previously been rewarded with up to $7,500, $10,000 and $30,000, respectively, now the bounties in those same categories go up to $10,000, $30,000 and $100,000. A new bug bounty program for side channel vulnerabilities The company … More


Is ethical hacking more lucrative than software engineering?

HackerOne published its 2018 Hacker Report, which examines the geography, demographics, experience, tools used and motivations of nearly 2,000 bug bounty hackers across 100 countries. HackerOne found that on average, top earning ethical hackers make up to 2.7 times the median salary of a software engineer in their respective home countries. Also, hackers in India are making as much as 16 times the median. And yet, the new data finds that overall hackers are less … More


What motivates bug hunters?

Crowdsourced security penetration testing outfit Bugcrowd has released its second annual “Mind of a Hacker” report, to provide insight into bug hunters’ motivations and preferences, and help companies tailor their bug bounty initiatives so they can lead to better results for everyone. The most interesting insights gleaned from the answers of the 500 or so bug hunters who participated in the survey are as follows: They come from all over the world (216 countries), but … More


The Internet Bug Bounty offers rewards for bugs in data processing libraries

The Internet Bug Bounty (IBB), a project aimed at finding and fixing vulnerabilities in core internet infrastructure and free open source software, has announced that it will be giving out rewards for critical vulnerabilities in core infrastructure data processing libraries. The software packages in scope are: Libav LIBcap ImageMagick LIBPNG GraphicsMagick libcurl tcpdump For the moment, bug bounties will be given out only for reports that flag “vulnerabilities that demonstrate unambiguous remote code execution,” the … More

Samsung Galaxy S8

Samsung offers up to $200,000 for bugs in its devices, services

South Korean giant Samsung Electronics is now offering bounties for reported bugs in its mobile devices, software and services. “The rewards program kicked off with a pilot in January 2016 to ensure an efficient and productive public introduction to the broader security community,” the company explained. “Samsung’s Mobile Security Rewards program is the latest initiative to demonstrate the company’s steadfast commitment to enabling secure experiences for all its customers.” What’s in scope? Researchers are instructed … More