Search results for: bug bounties


Kaspersky Lab launches public bug bounty program

Kaspersky Lab is asking researchers to look under the hood of two of its flagship security solutions and to report any bugs they might find. Kaspersky’s bug bounty program, which was in private beta for months, will now be opened to all outside researchers for a period of six months. The move was announced at Black Hat USA 2016. Researchers are invited to look for security issues only in “Kaspersky Internet Security 2017 and … More


Bug bounty report card: Industry diversification and growth

With a global rise in cyberattacks and a critical deficit of security talent to combat adversaries, bug bounty programs congruently grew in both volume and scope in the last 12 months, according to Bugcrowd. [Figure: Company industries represented in public data of all known public bug bounty programs] Moving beyond technology companies, more than 25 percent of public and private programs are now run in more “traditional” industry sectors – with particular traction across retail & … More


0patch: Microscopic cures for big security holes

Software vulnerabilities are one of today’s most significant information security issues. Disclosing high profile vulnerabilities has become tremendously rewarding, to the point that some vendors are devising marketing campaigns that include a logo and a catchy name, regardless of the seriousness of the flaw. While vendors from different industries are starting to realize the impact of software vulnerabilities, and many run their bug bounties through platforms like HackerOne, some highly skilled security researchers still opt … More

Twitter paid out $322,420 in bug bounties

Researchers have proven that bug bounties are a cheaper way of discovering vulnerabilities than hiring full-time bug hunters would be and, in the last few years, many Internet and tech companies have instituted such programs. The security community has praised those who have, and the companies themselves are satisfied with the results. Take for example Twitter. Its bug bounty program, started in May 2014, has led to 5,171 submissions and the discovery of an unspecified … More


Hack the Pentagon: Hackers asked to help secure public-facing systems

The US Department of Defense (DoD) has invited hackers to participate in “Hack the Pentagon”, a program aimed at finding vulnerabilities in some of the Department’s websites. The project is an alternative to the usual testing performed by the Department’s red teams, and is a way to get the tech industry involved. Ash Carter, the Defense Secretary, is currently on a West Coast tour that’s “part of efforts to strengthen ties with the tech community, expand … More


Revelation of security bugs jumpstarts launch of Malwarebytes’ bug bounty program

Malwarebytes CEO Marcin Kleczynski has announced that the company has launched a bug bounty program in an effort to make its software more secure. “The Coordinated Vulnerability Disclosure program incentivizes external researchers who work with us responsibly by promoting an open communication channel with our engineering division, awarding bug bounties and duly crediting the effort from leading researchers in our Hall of Fame and other hotfix release notes,” he explained. Bug reporters will receive between … More


A possible future for IoT security

There are many problems with Internet of Things devices, and security is one of the biggest ones. To serve as an example of this important issue, two researchers from Princeton University have recently analyzed the network traffic to and from five currently very popular IoT devices: the Samsung SmartThings hub, the Sharx security IP camera, the PixStar digital photoframe, the Nest thermostat, and the Ubi Smart speaker. One of the researchers, CS Ph.D. student Sarthak … More

Microsoft expands Bug Bounty programs, increases rewards

Microsoft is continually tweaking its Bug Bounty programs, and the latest step in this evolution has been announced on Wednesday at Black Hat USA 2015. “We are raising the Bounty for Defense maximum from $50,000 USD to $100,000 USD,” Jason Shirk of the Microsoft Security Response Center noted, and explained that the company is eager to “reward the novel defender equally for their research.” The Online Services bug bounty has also been expanded to include vulnerabilities in … More

The rapid growth of the bug bounty economy

On average, nearly five high-to-critical priority vulnerabilities are found within the lifetime of a single program, according to Bugcrowd. Another observed trend includes the migration from public programs over to invitation-only programs. In the first quarter of 2013, there were no private bug bounties. By the first quarter of 2015, private bounties accounted for upwards of 35 of the newly initiated programs, handily surpassing new public bounty programs. Additional report findings include: A total of 729 high-priority … More

Why LinkedIn chose to keep its bug bounty program private

Bug bounty programs have become de rigueur for tech and Internet companies that want to improve the security of their products by (partly) outsourcing bug discovery. But while most companies opt for public programs, LinkedIn has decided to keep its program private. Started in October 2014, the program has so far received 65 actionable bugs, and they awarded over $65,000 in bounties. The flagged issues have been fixed. “This program grew out of engagement with security researchers … More

A call to researchers: Mix some creation with your destruction

Since I can first remember being interested in information security, my personal hacker heroes (and I’m using hacker positively here) were the researchers who discovered zero day software vulnerabilities and could create proof-of-concept exploits to demonstrate them. Some security nerds (again, a term I use positively) are fascinated by social engineers like Kevin Mitnick; others admire keen cryptographers like Bruce Schneier; but I always most respected the folks with deep programming and technical computing knowledge … More

Mozilla increases rewards given out to bug hunters

Once again the Mozilla Foundation has upped the bounties it offers to researchers who find and responsibly disclose vulnerabilities in Firefox. “Those of us on the Bug Bounty Committee did an evaluation of the Firefox bug bounty program as it stands and decided it was time for a change,” says Raymond Forbes, an application security engineer at Mozilla. “The amount awarded was increased to $3000 five years ago and it is definitely time for this to … More