Search results for: bug bounties

A possible future for IoT security

There are many problems with Internet of Things devices, and security is one of the biggest ones. To serve as an example of this important issue, two researchers from Princeton University have recently analyzed the network traffic to and from five currently very popular IoT devices: the Samsung SmartThings hub, the Sharx security IP camera, the PixStar digital photoframe, the Nest thermostat, and the Ubi Smart speaker. One of the researchers, CS Ph.D. student Sarthak … More

Microsoft expands Bug Bounty programs, increases rewards

Microsoft is continually tweaking its Bug Bounty programs, and the latest step in this evolution has been announced on Wednesday at Black Hat USA 2015. “We are raising the Bounty for Defense maximum from $50,000 USD to $100,000 USD,” Jason Shirk of the Microsoft Security Response Center noted, and explained that the company is eager to “reward the novel defender equally for their research.” The Online Services bug bounty has also been expanded to include vulnerabilities in … More

The rapid growth of the bug bounty economy

On average, nearly five high-to-critical priority vulnerabilities are found within the lifetime of a single program, according to Bugcrowd. Another observed trend includes the migration from public programs over to invitation-only programs. In the first quarter of 2013, there were no private bug bounties. By the first quarter of 2015, private bounties accounted for upwards of 35 of the newly initiated programs, handily surpassing new public bounty programs. Additional report findings include: A total of 729 high-priority … More

Why LinkedIn chose to keep its bug bounty program private

Bug bounty programs have become de rigueur for tech and Internet companies that want to improve the security of their products by (partly) outsourcing bug discovery. But while most companies opt for public programs, LinkedIn has decided to keep its program private. Started in October 2014, the program has so far received 65 actionable bugs, and the company has awarded over $65,000 in bounties. The flagged issues have been fixed. “This program grew out of engagement with security researchers … More

A call to researchers: Mix some creation with your destruction

Since I can first remember being interested in information security, my personal hacker heroes (and I’m using hacker positively here) were the researchers who discovered zero day software vulnerabilities and could create proof-of-concept exploits to demonstrate them. Some security nerds (again, a term I use positively) are fascinated by social engineers like Kevin Mitnick; others admire keen cryptographers like Bruce Schneier; but I always most respected the folks with deep programming and technical computing knowledge … More

Mozilla increases rewards given out to bug hunters

Once again the Mozilla Foundation has upped the bounties it offers to researchers who find and responsibly disclose vulnerabilities in Firefox. “Those of us on the Bug Bounty Committee did an evaluation of the Firefox bug bounty program as it stands and decided it was time for a change,” says Raymond Forbes, an application security engineer at Mozilla. “The amount awarded was increased to $3000 five years ago and it is definitely time for this to … More

Week in review: RSA Conference 2015, security guidance, mobile malware

Here’s an overview of some of last week’s most interesting news and articles. We also have in-depth coverage of RSA Conference 2015, with product releases, news, photos and research.

Five misunderstandings about cloud storage

Cloud storage is a solution that users are driving IT organizations to use whether we want to or not. As IT organizations, we need to take notice and understand the impact on our processes and the effect on the data stored outside of … More

Microsoft announces bug bounties for Spartan, Azure

As the official launch of Windows 10 approaches, Microsoft has launched a new bug bounty related to its Technical Preview version, and is asking bug hunters to analyze its new browser codenamed Spartan. They are asked to concentrate on remote code execution vulnerabilities, sandbox escape flaws, and design-level security bugs, and they only have two months (April 22, 2015 to June 22, 2015) to report the flaws and receive up to $15,000 for each. “Microsoft’s new … More

Dropbox launches bug bounty, will also pay for previously reported bugs

Dropbox is the latest company to officially announce a bug bounty program set up through the HackerOne platform. While the program has been up and running for several months now, the company has decided that aside from recognizing the researchers who reported vulnerabilities on a hall of fame page, it will also provide monetary rewards. Another piece of good news is that the company will retroactively reward researchers who’ve already reported critical bugs through the program. The … More

How can defenders gain advantage in the 0day market?

According to MIT, Harvard, and HackerOne researchers, the answer is not throwing more money at bug hunters, but incentivizing them to find the same vulnerabilities that the offense researchers have found. In short, to increase “bug collision.” “The vulnerability market is not controlled by price alone — many levers exist that tip the scales between offense and defense,” says HackerOne Chief Policy Officer Katie Moussouris. Offering huge sums for vulnerabilities can ultimately be counterproductive, … More

Adobe launches bug disclosure program, skimps on bounties

Adobe has launched its own web application vulnerability disclosure program. Set up through the bug bounty platform HackerOne, the program is limited to vulnerabilities affecting Adobe online services or its web properties. Adobe is looking for the following types of flaws: Cross-site scripting, cross-site request forgery in a privileged context, server-side code execution, authentication or authorization flaws, injection vulnerabilities, directory traversal, information disclosure, and significant security misconfiguration. Spam, social engineering or denial of service issues … More

Facebook doubles bounties for bugs in ads code

Facebook has announced that all vulnerabilities affecting the company’s ads code will now be worth twice as much to the bug hunters who find and responsibly disclose them via Facebook’s bug bounty program. If you’re asking why the bounties were increased, the answer is simple: Facebook’s own security team recently went through this code and found and fixed as many vulnerabilities as it could, and now it is looking to get information from researchers looking … More