Search results for: bug bounties

Week in review: JPMorgan Chase breach, iOS spyware, and BadUSB attack code

Here’s an overview of some of last week’s most interesting news and articles: Bash Shellshock bug: More attacks, more patches As vendors scramble to issue patches for the GNU Bash Shellshock bug and companies rush to implement them, attackers around the world are probing systems for the hole it opens. CloudFlare offers free SSL encryption Web performance and security company CloudFlare launched Universal SSL, making Secure Socket Layer (SSL) encryption available to anyone at no … More

Google triples Chrome bug bounties

Google has announced another change in its Chrome bug bounty: the maximum reward per bug has been tripled, and now stands at $15,000. “Due in part to our collaboration with the research community, we’ve squashed more than 700 Chrome security bugs and have rewarded more than $1.25 million through our bug reward program,” says Tim Willis of the Chrome Security Team. “But as Chrome has become more secure, it’s gotten even harder to find and … More

Microsoft launches bug bounty program for Online Services

Microsoft has launched another bug bounty program, and this one will focus on its Online Services. Bug hunters are urged to submit vulnerabilities affecting the following services: Office 365, Outlook (only as it regards Office 365 business services), Microsoft Online Services, Sharepoint, Lync, Yammer, and several others. The company is looking for XSS and CSRF bugs, injection and authentication flaws, server-side code execution and privilege escalation vulnerabilities, misconfiguration holes, insecure direct object references and vulnerabilities … More

Blackphone and Silent Circle announce bug bounty program

Blackphone and Silent Circle today announced the launch of their bug bounty program. Both companies’ mission is to enable secure and private communications for individuals and enterprises. The Silent Circle program encompasses the client apps, network services, cloud infrastructure, web sites, and web services. Silent Circle will pay a minimum of $128 per security related bug. The Blackphone program encompasses PrivatOS, update servers, and associated web portals. Blackphone will pay a minimum of $128 per … More

Week in review: Microsoft axes Trustworthy Computing Group, Apple’s new privacy policy, and the new issue of (IN)SECURE Magazine

Here’s an overview of some of last week’s most interesting news, interviews, reviews and articles: (IN)SECURE Magazine issue 43 released (IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Kit: The Essentials of IT Security The Essentials of IT Security brings together the latest in information, coverage of important developments, and expert commentary to help with your IT Security related decisions. Emerging cloud threats and how to address … More

Bug bounty programs: The road to hell is paved with good intentions

Bug bounties are in the news again. Twitter has announced its own new scheme, while Robert Graham of Errata Security claims legal actions brought for loss of personal data will more likely succeed if the service provider does not have a bounty program. Twitter’s bounties start from $140 (with no specified upper limit) – a figure that has been widely derided; while Graham (an expert witness) claims the lack of a program indicates that the … More

Twitter launches bug bounty program

With a simple tweet, Twitter has officially launched its own bug bounty program. Set up through the security response and bug bounty platform HackerOne, the program offers a minimum of $140 per threat. The maximum reward amount has not been defined. The company is currently asking bug hunters to submit reports about bugs on its Twitter.com domain and subdomains (ads.twitter.com, apps.twitter.com, tweetdeck.twitter.com, and mobile.twitter.com) and its iOS and Android apps. “Any design or implementation issue … More

4chan launches bug bounty program

In the wake of the recent data breach that spelled the end of art products Canvas and DrawQuest, 4chan founder and owner Chris “moot” Poole has announced that they will be launching the 4chan Vulnerability Disclosure Program. After having described the various mistakes that allowed the intruder to obtain and leak information about 4chan users, as well as moderator names and IP addresses, Poole added that they have patched the vulnerability that made the attack … More

Record year for Facebook bug hunters

With nearly 15,000 submissions – 687 of which were valid and eligible for awards – 2013 has been a record year for Facebook’s bug bounty program. Add to this the fact that the company paid out $1.5M to 330 researchers across the globe, you can say that this has been a good year for everyone involved. “The average reward in 2013 was $2,204, and most bugs were discovered in non-core properties, such as websites operated … More

Full Disclosure mailing list closure elicits mixed reactions

The Full Disclosure mailing list has long been the perfect place for security researchers to disclose and discuss newly found vulnerabilities. But John Cartwright, one of its creators, has pulled the plug on the list today. “When Len [Rose] and I created the Full Disclosure list way back in July 2002, we knew that we’d have our fair share of legal troubles along the way. We were right. To date we’ve had all sorts of … More

GitHub sets up bug bounty program

GitHub is the latest service to announce that they have started a security bug bounty program. “The idea is simple: hackers and security researchers find and report vulnerabilities through our responsible disclosure process. Then, to recognize the significant effort that these researchers often put forth when hunting down bugs, we reward them with some cold hard cash,” they stated in a blog post on Thursday. Rewards will range from $100 up to $5000, and the … More

Google broadens Patch Rewards Program

Google has announced the expansion of its recently unveiled Patch Reward Program, which urges security researchers to submit patches for third-party open source software critical to the health of the entire Internet. Initially the program included core infrastructure network services such as OpenSSH, BIND, ISC DHCP; image parsers such as libjpeg, libjpeg-turbo, libpng, giflib; open source foundations of Google Chrome (Chromium, Blink); high-impact libraries such as OpenSSL and zlib, and security-critical components of the Linux … More