Search results for: bug bounties

Week in review: RSA Conference 2015, security guidance, mobile malware

Here’s an overview of some of last week’s most interesting news and articles. We also have in-depth coverage of RSA Conference 2015, with product releases, news, photos and research. Five misunderstandings about cloud storage: Cloud storage is a solution that users are driving IT organizations to use whether we want to or not. As IT organizations, we need to take notice and understand the impact on our processes and the effect on the data stored outside of …

Microsoft announces bug bounties for Spartan, Azure

As the official launch of Windows 10 approaches, Microsoft has launched a new bug bounty related to its Technical Preview version, and is asking bug hunters to analyze its new browser codenamed Spartan. They are asked to concentrate on remote code execution vulnerabilities, sandbox escape flaws, and design-level security bugs, and they only have two months (April 22, 2015 to June 22, 2015) to report the flaws and receive up to $15,000 for each. “Microsoft’s new …

Dropbox launches bug bounty, will also pay for previously reported bugs

Dropbox is the latest company to officially announce a bug bounty program set up through the HackerOne platform. While the program has been up and running for several months now, the company has decided that, aside from recognizing the researchers who reported vulnerabilities on a hall of fame page, it will also provide monetary rewards. More good news: the company will retroactively reward researchers who’ve already reported critical bugs through the program. The …

How can defenders gain advantage in the 0day market?

According to MIT, Harvard, and HackerOne researchers, the answer is not throwing more money at bug hunters, but to incentivize them to find the same vulnerabilities that the offense researchers have found. In short, to increase “bug collision.” “The vulnerability market is not controlled by price alone — many levers exist that tip the scales between offense and defense,” says HackerOne Chief Policy Officer Katie Moussouris. Offering huge sums for vulnerabilities can ultimately be counterproductive, …

Adobe launches bug disclosure program, skimps on bounties

Adobe has launched its own web application vulnerability disclosure program. Set up through the bug bounty platform HackerOne, the program is limited to vulnerabilities affecting Adobe online services or its web properties. Adobe is looking for the following types of flaws: Cross-site scripting, cross-site request forgery in a privileged context, server-side code execution, authentication or authorization flaws, injection vulnerabilities, directory traversal, information disclosure, and significant security misconfiguration. Spam, social engineering or denial of service issues …

Facebook doubles bounties for bugs in ads code

Facebook has announced that all vulnerabilities affecting the company’s ads code will now be worth twice as much to the bug hunters who find and responsibly disclose them via Facebook’s bug bounty program. If you’re asking why the bounties were increased, the answer is simple: Facebook’s own security team recently went through this code and found and fixed as many vulnerabilities as they could find, and now they are looking to get information from researchers looking …

Week in review: JPMorgan Chase breach, iOS spyware, and BadUSB attack code

Here’s an overview of some of last week’s most interesting news and articles. Bash Shellshock bug: More attacks, more patches. As vendors scramble to issue patches for the GNU Bash Shellshock bug and companies rush to implement them, attackers around the world are probing systems for the hole it opens. CloudFlare offers free SSL encryption. Web performance and security company CloudFlare launched Universal SSL, making Secure Socket Layer (SSL) encryption available to anyone at no …

Google triples Chrome bug bounties

Google has announced another change in its Chrome bug bounty: the maximum reward per bug has been tripled, and now stands at $15,000. “Due in part to our collaboration with the research community, we’ve squashed more than 700 Chrome security bugs and have rewarded more than $1.25 million through our bug reward program,” says Tim Willis of the Chrome Security Team. “But as Chrome has become more secure, it’s gotten even harder to find and …

Microsoft launches bug bounty program for Online Services

Microsoft has launched another bug bounty program, and this one will focus on its Online Services. Bug hunters are urged to submit vulnerabilities affecting the following services: Office 365, Outlook (only as it regards Office 365 business services), Microsoft Online Services, SharePoint, Lync, Yammer, and several others. The company is looking for XSS and CSRF bugs, injection and authentication flaws, server-side code execution and privilege escalation vulnerabilities, misconfiguration holes, insecure direct object references and vulnerabilities …

Blackphone and Silent Circle announce bug bounty program

Blackphone and Silent Circle today announced the launch of their bug bounty program. Both companies’ mission is to enable secure and private communications for individuals and enterprises. The Silent Circle program encompasses the client apps, network services, cloud infrastructure, web sites, and web services. Silent Circle will pay a minimum of $128 per security-related bug. The Blackphone program encompasses PrivatOS, update servers, and associated web portals. Blackphone will pay a minimum of $128 per …

Week in review: Microsoft axes Trustworthy Computing Group, Apple’s new privacy policy, and the new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news, interviews, reviews and articles. (IN)SECURE Magazine issue 43 released: (IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Kit: The Essentials of IT Security. The Essentials of IT Security brings together the latest in information, coverage of important developments, and expert commentary to help with your IT Security related decisions. Emerging cloud threats and how to address …

Bug bounty programs: The road to hell is paved with good intentions

Bug bounties are in the news again. Twitter has announced its own new scheme, while Robert Graham of Errata Security claims legal actions brought for loss of personal data will more likely succeed if the service provider does not have a bounty program. Twitter’s bounties start from $140 (with no specified upper limit) – a figure that has been widely derided; while Graham (an expert witness) claims the lack of a program indicates that the …