Search results for: bug bounties


Facebook offers bounties for user token bugs in third-party apps, websites

Facebook is expanding its bug bounty program to include vulnerabilities in third-party apps and websites that involve improper exposure of Facebook user access tokens. What’s in scope? “Access tokens allow people to log into another app using Facebook and are uniquely generated for the specific person and app,” security engineer Dan Gurfinkel noted. “If exposed, a token can potentially be misused, based on the permissions set by the user. We want researchers to have a … More

Department of Defense

Hack the Marine Corps bug bounty program kicks off

The U.S. Department of Defense (DoD) and HackerOne launched the Department’s sixth bug bounty program, Hack the Marine Corps. The bug bounty challenge will focus on Marine Corps’ public-facing websites and services in order to harden the defenses of the Marine Corps Enterprise Network (MCEN). The bug bounty program will conclude on August 26, 2018. The Marine Corps’ bug bounty program kicked off with a live-hacking event in Las Vegas, Nev. on August 12, 2018 … More


Bugcrowd University to provide hands-on training for security researchers

Bugcrowd announced the launch of Bugcrowd University to educate and empower the crowd with the latest skills and methodologies. The first advanced program of its kind, Bugcrowd University provides researcher education and training to improve the state of application security training, community engagement and content delivery. Bugcrowd University is free and open to all security researchers — not just those on the Bugcrowd Platform. In the last few years, organizations around the world have witnessed … More


Bugcrowd launches to provide a safe harbor for white hat hackers

Bugcrowd and Amit Elazari, a University of California, Berkeley doctoral candidate and CLTC grantee, announce the launch of — a project to standardize practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs (VDPs). Current U.S. anti-hacking laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), along with public incidents have had a chilling effect on the security researcher community. … More


Week in review: Bluetooth flaw, ERP applications under attack, advancing security with machine learning

Here’s an overview of some of last week’s most interesting news and articles: SCADA vulnerabilities in ICS architectures A major challenge in industrial control system architecture involves the dual nature of its underlying technologies. Vulnerability research and responsible disclosure: Advice from an industry veteran “Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish … More


ZDI offers hefty bounties for zero-days in popular web servers, CMSes

The Trend Micro-backed Zero Day Initiative is asking bug hunters to look for zero-day RCE vulnerabilities in several open source server-side products and is ready to pay up to $200,000 for some of them. A server-side bug bounty program “Starting August 1st, the Targeted Incentive Program (TIP) offers a special monetary award for specific targets, but only for the first successful entry and only for a certain period of time,” ZDI’s Brian Gorenc explained. Joomla, … More

Sec Consult

Vulnerability research and responsible disclosure: Advice from an industry veteran

“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab. Any member … More


Exploring the dynamics of the attacker economy

Global software companies are increasingly turning to attackers for help identifying security vulnerabilities in their offerings – and they’re not the only ones. Conservative government agencies are even beginning to welcome bug bounty hunters. Just recently, the U.S. Department of Defense (DoD) announced its search for a commercial bug bounty company that conducts crowdsourced vulnerability discovery and disclosure. Despite the growing number of organizations and government agencies that are embracing bug bounty hunters, questions still … More

general virtual digital

Week in review: Zero-login, Magecart threat, cybersecurity expert shortage

Here’s an overview of some of last week’s most interesting news and articles: Dealing with a system launch: It requires more than just testing Rolling out new IT systems or software can be a challenge and fraught with issues from day one – and the recent IT crisis with TSB has shown how damaging these can be if managed poorly. Only 65% of organizations have a cybersecurity expert Despite 95 percent of CIOs expecting cyberthreats … More

Microsoft logo

Microsoft offers bug bounties for holes in its identity services

Microsoft is asking security researchers to look for and report technical vulnerabilities affecting its identity services and OpenID standards implementations, and is offering bug bounties that can reach as high as $100,000. “Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions. We have strongly invested in the creation, implementation, and improvement of identity-related specifications that foster strong authentication, secure sign-on, sessions, API … More


George Gerchow, CSO at Sumo Logic: Our DevSecOps strategy

Sumo Logic was founded in 2010 by experts in log management, scalable systems, big data, and security. Today, their purpose-built, cloud-native service analyzes more than 100 petabytes of data, more than 16 million searches, and delivers 10s of millions of insights daily – positioning Sumo among the most powerful machine data analytics services in the world. In this podcast, George Gerchow, CSO with Sumo Logic, talks about their DevSecOps strategy. Here’s a transcript of the … More

magnifying glass

Hacker-powered security is reaching critical mass

HackerOne announced findings from the 2018 Hacker-Powered Security Report, based on over 72,000 resolved security vulnerabilities, 1,000 customer programs and more than $31 million in bounties awarded to hackers from over 100 countries. The annual report is a benchmark study of the bug bounty and vulnerability disclosure ecosystem based on the largest data set of reported vulnerabilities. Bounties for high impact findings are rising Hackers are finding more severe vulnerabilities than ever before. The total … More