Hacker scouts will be pleased to learn about new web targets
The northern hemisphere is experiencing summer, but that hasn’t stopped the steady flow of new bug bounty programs hitting the market.
Apple has added its new anti-spyware Lockdown Mode to the Apple Security Bounty program, announcing the move alongside the teaser video for the feature. Rewards of up to $2,000,000 are available.
Lockdown Mode will be available with iOS 16, iPadOS 16 and macOS Ventura. It is “extreme, optional protection for those users who face serious, targeted threats to digital security”.
Monash University in Australia has also created a bug bounty program, designed to strengthen its defenses following a series of cyber-attacks on the education sector.
This month, two new reward programs were added to the mix for the growing digital identity market: Onfido has partnered with YesWeHack, while India’s Aadhaar is dipping a toe in the water with its own program.
Aadhaar, India’s largest digital identity program, provides services for more than 1.3 billion Indian residents. Hackers can apply to participate in the private bug bounty by visiting the UIDAI webpage.
Aadhaar also stipulates that candidates must rank in the top 100 on bug bounty leaderboards such as HackerOne and Bugcrowd, or in bounty programs run by well-respected companies such as Microsoft, Google and Facebook.
The latest bug bounty programs for August 2022
Several new bug bounty programs were launched in the past month. Here are the most recent entries:
Aadhaar
Provider of program: Independent
Type of program: Private
Maximum reward: TBD
Outline: UIDAI plans to launch a bug bounty program in an effort to secure Aadhaar data stored in UIDAI’s Central Identities Data Repository.
Notes: The UIDAI website has all the details. There are only 20 participants, all Indian residents.
Apple – Lockdown Mode
Provider of program: Independent
Type of program: Public
Maximum reward: $2 Million
Outline: Apple has created a new category in the Apple Security Bounty program that rewards researchers who discover Lockdown Mode bypasses and help improve its protections.
Notes: For qualifying Lockdown Mode findings, bounties are doubled, up to a maximum of $2 million. This is one of the highest maximum payouts available in the industry.
BKEX
Provider of program: HackenProof
Type of program: Public
Maximum reward: $10,000
Outline: BKEX is a global platform for digital asset trading, listing more than 1,200 coins.
Notes: The new bug bounty program for the financial services company covers a wide range of in-scope web attack vectors, including remote code execution, SQL injection, file inclusion and control issues, server-side request forgery (SSRF), cross-site request forgery (CSRF), cross-site scripting (XSS), and directory traversal.
For more information, visit the BKEX bug bounty page.
ClickHouse
Provider of program: Bugcrowd
Type of program: Public
Maximum reward: $2,500
Outline: ClickHouse is an open-source, column-oriented OLAP database management system that lets users generate real-time analytical reports using SQL queries. The open-source version of the ClickHouse platform is the main focus of this public program.
Notes: ClickHouse stated that “no technology is perfect” and said it believes that working with skilled security analysts around the world is essential to identifying vulnerabilities in technology. “We are looking for security researchers to identify vulnerabilities in open-source assets,” the company said.
Monash University
Provider of program: Bugcrowd
Type of program: Public
Maximum reward: $2,500
Outline: Monash University, Melbourne, Australia has created a public bug bounty program in order to maintain security on its digital platforms.
Notes: In-scope targets include Monash University’s main web domain, mobile apps, and various technologies used by the institution such as its FileShare and VPN instances.
Onfido
Provider of program: YesWeHack
Type of program: Private
Maximum reward: TBD
Outline: Onfido, a digital identity verification company, has launched a bug bounty program in collaboration with YesWeHack, a European vulnerability disclosure platform.
Notes: Alex Valle, Onfido’s chief product officer, commented on the partnership: “Security is essential to our mission to create a more open universe, where identity holds the key to online accessibility, and we are always searching for ways to strengthen that.”
SideFX
Provider of program: HackerOne
Type of program: Public
Maximum reward: $3,000
Outline: SideFX is the Canadian developer of Houdini, a 3D animation software package used in film, television and advertising.
Notes: This new bug bounty program applies only to vulnerabilities found on the company’s main website, sidefx.com.
ZBWeb
Provider of program: HackenProof
Type of program: Public
Maximum reward: $5,000
Outline: ZB.com, founded in 2013, is a global digital trading platform that facilitates the management and exchange of digital assets.
Notes: In-scope web vulnerabilities can include payment manipulation, business logic issues and RCE.