Articles about bug bounty

So you’ve got a zero-day – do you sell to black, grey or white markets?

Bsides SF Barely a decade ago the mere idea of selling vulnerabilities was highly controversial. Today the market is mature, but increasingly complicated - researchers can now choose between making lots of money, being moral and making less, or going fully black. The 2015 pwning of Italian surveillance-ware-for-governments vendor …
Iain Thomson, 15 Apr 2018

'Well intentioned lawmakers could stifle IoT innovation', warns bug bounty pioneer

IoT security regulations could stifle innovation without addressing the security problems at hand, a well-respected security researcher controversially argues. Compromised IoT devices were press ganged into the Mirai botnet and infamously used in a DDoS attack that left many of the world’s most famous sites unreachable back in …
John Leyden, 12 Apr 2018

Uber hid database hack from FTC while FTC probed Uber for an earlier database hack

Uber hid a database hack from America's Federal Trade Commission (FTC) while the very same watchdog was investigating Uber for a separate database hack, it was revealed on Thursday. The taxi app maker reached a settlement with the FTC in August 2017 after the biz allegedly "deceived consumers about its privacy and data …
Kieren McCarthy, 12 Apr 2018

Facebook: Look at our latest bug bounty that proves we're serious!

Continuing its charm offensive, Facebook has published the details of its data abuse bounty, ahead of Mark Zuckerberg’s appearances in front of US lawmakers. The programme - which offers a minimum of $500 (and no maximum) for cases that prove to be true - will reward people who can prove an app has slurped up users’ data for …
Rebecca Hill, 10 Apr 2018

What ends with X and won't sue security researchers?

If you listen carefully, you'll hear the sound of a very small ship coming in: Netflix has joined Bugcrowd, offering bounties of up to US$15,000 for vulnerabilities. The bounty program covers a host of apps and platforms. Netflix Android and iOS mobile apps are included, the various APIs at netflix.com, nine other domains on …

SecurEnvoy SecurMail, you say? Only after this patch is applied, though

Recently resolved vulnerabilities in SecurEnvoy's encrypted email transfer SecurMail created a way for encrypted emails in users' inboxes to be read, overwritten and deleted by others. The flaws – uncovered by Austrian security firm SEC Consult during a crash test – included cross-site scripting, cross-site request forgery, …
John Leyden, 13 Mar 2018

Hehe, still writing code for a living? It's 2018. You could be earning x3 as a bug bounty hunter

Ethical hacking to find security flaws appears to pay better, albeit less regularly, than general software engineering. And while payment remains one of the top rationales for breaking code, hackers have begun citing more civic-minded reasons for their activities. A survey of 1,700 bug bounty hunters from more than 195 …
Thomas Claburn, 17 Jan 2018

Bug-finders' scheme: Tick-tock, this tech's tested by flaws.. but who the heck do you tell?

Security researcher E. Foudil is pushing a scheme to make it easier for bug finders to notify companies about problems with their technology. The idea revolves around “security.txt” - a simple text file, much like robots.txt, that contains information on whom to contact or where to look for security related information about a …
John Leyden, 3 Jan 2018

Florida Man… pockets Uber cash to keep quiet about data breach

A 20-year-old Florida man who lives with his mom was the "security researcher" that Uber paid off last year not to reveal a massive hack of its systems. In a typically Uber take on network security, the ride-hailing app company paid the man $100,000 in October last year to destroy data he downloaded on 57 million users, …

DJI bug bounty NDA is 'not signable', say irate infosec researchers

Chinese drone maker DJI faces questions from infosec researchers about its bug bounty programme. Sources have told The Register that a non-disclosure agreement (NDA) they were invited to sign would result in the company "owning their actions". DJI's scheme to pay those that highlight security weaknesses, announced months ago …
Gareth Corfield, 16 Nov 2017

Hack apps, attack code drawbacks for cash stacks, Google yaks

Google is offering cash to those who can find, exploit and report bugs in its Android apps, or similarly hack other programs in its Play Store. The goal is to get a large number of people and developers working together on improving security in the Android world. The advertising giant is very familiar with bug bounties, and …
Iain Thomson, 20 Oct 2017

Make America late again: US 'lags' China in IT security bug reporting

The US is starting to fall well behind China in terms of the speed at which organizations are alerted to reported security vulnerabilities, according to a study out this week by threat intel biz Recorded Future. The US government's National Vulnerability Database (NVD) lags China’s National Vulnerability Database (CNNVD) in …
John Leyden, 20 Oct 2017

Samsung mobile launches bug bounty program

Samsung's mobile limb has become the latest major vendor to launch a bug bounty program, and within its tight rules, it offers a tasty maximum prize of US$200,000. The bounty is for newer devices only – 38 mobile devices launched since 2016, including Galaxies S, Note, A, J, and Tab, and the top-of-the-line S8, S8+, and …

Look, we know you're all hacking DJI drones. How 'bout a bug bounty?

Bending to public pressure as more and more drone hackers break into their kit, Chinese firm DJI has now announced a bug bounty program. "Security researchers, academic scholars and independent experts often provide a valuable service by analysing the code in DJI's apps and other software products and bringing concerns to …
Gareth Corfield, 29 Aug 2017

Schoolboy bags $10,000 reward from Google with easy HTTP Host bypass

A teenager in Uruguay has scored big after finding and reporting a bug in Google's App Engine to view confidential internal Google documents. While bored in July, high schooler Ezequiel Pereira, who has all the makings of a competent security researcher, used Burp to manipulate the Host header in web connections to Google's …
Iain Thomson, 10 Aug 2017

Microsoft adds all of Windows – including Server – to extended bug bounty program

Microsoft has extended its bug bounty program for Windows Insider to include the whole of the OS, extended its operation indefinitely and added Windows Server Insider to the eligibility list. Redmond’s previously offered bounties for specific Windows features only. Now you can score sweet Seattle-sourced dollars for finding a …
Simon Sharwood, 27 Jul 2017

Security bug bounty programs are a nice little earner for hackers

Some security-conscious organizations award hackers up to $900,000 a year, according to what's touted as the biggest bug bounty industry report to date. The study – commissioned by HackerOne, a bug bounty and vulnerability disclosure platform provider – examined 800 hacker-powered programs and 50,000 resolved security …
John Leyden, 29 Jun 2017

HackerOne says 'no' to FlexiSpy stalkerware bug bounty program

Bug bounty organizer HackerOne has told stalkerware developer FlexiSpy that it won't take its business because of the ethics – or lack thereof – that the software maker exhibits. FlexiSpy has been around for years and is a surveillance application sold to paranoid spouses and those parents and employers who want to know more …
Iain Thomson, 5 May 2017


Biting the hand that feeds IT © 1998–2018