Domain: hackerone.com
Stories and comments across the archive that link to hackerone.com.
Stories · 12
-
Uber Tightens Bug Bounty Extortion Policies Following 2016 Data Breach (threatpost.com)
lod123 shares a report from Threatpost: Uber is tightening policies around its bug-bounty program after a 2016 data breach exposed deep flaws in its policies around handling extortion. With the updates, Uber's HackerOne bug bounty policies more thoroughly outline "good-faith vulnerability research and disclosure," and contain language defining what constitutes unacceptable behavior, stating that the company wants researchers "to hunt for bugs, not user data."
One newly outlined policy makes it clear that Uber won't take legal action against researchers -- as long as they report vulnerabilities with no strings attached. "You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests, or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached," the policy said. Uber has made additional changes to its program to offer researchers an additional $500 if they include a fully scripted proof-of-concept (PoC) in their original report. -
Google Offers $1,000 Bounties For Hacking Dropbox, Tinder, Snapchat, and Others (mashable.com)
An anonymous reader quotes Mashable: Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace... If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. For HackerOne, it's about attracting more and better participants in bounty programs. -
Army Bug Bounty Researcher Compromises US Defense Department's Internal Network (threatpost.com)
Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which they invite 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to." An anonymous reader quotes Threatpost: The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.
"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious." -
Nintendo Offers Up To $20,000 To Hack the 3DS (silicon.co.uk)
Mickeycaskill writes: Nintendo will pay up to $20,000 for system and software vulnerabilities in the Nintendo 3DS family of handheld gaming consoles. The company is looking to prevent activities such as piracy, cheating and the circulation of inappropriate content to children. The stated goal is to "provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo's platforms." Silicon.co.uk reports: "Rewards will range from $100 to $20,000, with one given per 'qualifying piece of vulnerability information.' Hackers looking to claim a reward will have to provide Nintendo with either a proof-of-concept or a piece of functional exploit code in order to qualify." -
Yelp Launches Public Bug Bounty Program (techcrunch.com)
Yet another company has launched a public bug bounty program to lure in hackers in an effort to find and eradicate vulnerabilities. Yelp is the latest company to do such a thing. Specifically, they are inviting hackers to dissect its websites and mobile application and look for vulnerabilities that could affect reviewers and businesses. In return, they will pay "researchers" who find vulnerabilities, starting at $100 and maxing out at $15,000 "for more complex and critical exploits." TechCrunch reports: "The program, which Yelp is coordinating through the bug bounty platform HackerOne, is a public extension of a bug bounty system that Yelp has privately run for two years. The private version was open to dozens of researchers, who uncovered more than 100 vulnerabilities for Yelp and earned $65,160 in total, and focused primarily on Yelp's main website. Now, Yelp is inviting everyone to test Yelp sites and products. Yelp, which averages 73 million unique visitors to its desktop site and 63 million unique visitors on mobile each month, is asking hackers to cover broad ground -- the bug bounty program includes the company's main website, yelp.com, as well as its business-owners website, apps, reservation platform, corporate blogs, support center, and API." -
Pornhub Launches Bug Bounty Program With Rewards Up To $25,000 (techweekeurope.co.uk)
Mickeycaskill quotes a report from TechWeekEurope UK: Pornhub is launching a bug bounty program for security researchers and pornography enthusiasts who are able to identify flaws on its platform. Hunters will be paid a minimum of $50 for each vulnerability discovered, with up to $25,000 on offer for particularly vicious flaws, although the site notes that 23 reports have already been resolved. Successful applicants to the scheme will need to be the first person to responsibly disclose an unknown issue, which the Pornhub security team has 30 days to respond to, and up to 90 days to implement a fix base on the severity of the report. However there are some restrictions, such as users not being allowed to carry out Denial of Service (DDoS) attacks on Pornhub, or even carry out physical attacks on the company's offices or data centers. Social engineering tactics are also not allowed, such as phishing attacks against Pornhub employees, and researchers are not allowed to compromise user accounts. -
'Hack The Pentagon' Bug Bounty Program Opens For Registration (securityweek.com)
wiredmikey writes: Starting today, security researchers can register to test their hacking skills against the Department of Defense (DoD) through "Hack the Pentagon," a new bug bounty program that will award security researchers who discover vulnerabilities on the Pentagon's public web pages. The initiative, run through a partnership with bug bounty platform provider HackerOne, is the first of its kind in the history of the federal government. The Hack the Pentagon bug bounty pilot will start on Monday, April 18 and end by Thursday, May 12. "Critical, mission-facing computer systems will not be involved in the program," the DoD stated. -
Uber Announces Bug Bounty Program, To Pay Up To $10,000 To Friendly Hackers (wired.com)
An anonymous reader writes about Uber's newly announced bug bounty program: Taxi aggregator service says it is willing to pay security researchers thousands of dollars if they are able to find vulnerabilities in its apps and websites. The company says that it will reward security researchers who are able to deface its homepage or expose users' email addresses a sum of $5,000. A sophisticated breach, which presumably allows an attacker to get hold of Uber accounts, or facilitate execution of malicious code on an Uber production server will grant him or her up to $10,000. From a TechCrunch report, "Uber's program has several unique components. First of all, it's trying to be as direct as possible with researchers when it comes to ground rules and payments. Greene says one of the issues that researchers/hackers have with these programs is that the payment system can be capricious. Someone finds a bug and a negotiation commences over how valuable it its. He says that this program is going to be crystal clear about what Uber will pay, offering up to $10,000 for a critical bug. Secondly, the company wants to reward loyal researchers, who report lots of bugs, so they are setting up a loyalty program." -
Meet Mårten Mickos, Serial Open Source CEO (Video)
Marten was the MySQL CEO who built the company from a small-time free software database developer into a worldwide software juggernaut he sold to Sun Microsystems. Next, he became CEO of Eucalyptus Systems, another open source operation, which Hewlett Packard bought in 2014. Now Mårten is CEO of hackerone, a company that hooks security-worried companies up with any one of thousands of ethical hackers worldwide.
Some of those hackers might be companies that grew out of university CS departments, and some of them may be individual high school students working from their kitchen tables. Would a large company Board of Directors trust a kid hacker who came to them with a bug he found in their software? Probably not. But if Mårten or one of his hackerone people contacts that company, it's likely to listen -- and set up a bug bounty program if they don't have one already.
Essentially, once again Mårten is working as an intermediary between technically proficient people -- who may or may not conform to sociey's idea of a successful person -- and corporate executives who need hackers' skills and services but may not know how to find non-mainstream individuals or even know the difference between "hackers" and "crackers." Editor's note: I have known and respected Mårten for many years. If this interview seems like a conversation between two old friends, it is. -
The Army Bug Bounty Program: a Critical Need In Defense (cyberdefensereview.org)
hypercard writes: It seems just about every major tech company and even a few other large non-tech corporations have bug bounty programs as part of an effort to improve security through a community effort. Captains Rock Stevens and Michael Weigand, both Cyber officers in the U.S. Army, recently published Army Vulnerability Response Program, an outline for a legal way of disclosing bugs in Army software and networks. They say, "[T]he Army does not have a central location for responsibly disclosing vulnerabilities found through daily use, much less a program that can permit active security assessments of networks or software solutions. Without a legal means to disclose vulnerabilities in Army software or networks, vulnerabilities are going unreported and unresolved." -
4chan Launches '$20 Bug Bounty' After Hackers Ruin moot's Day
mask.of.sanity (1228908) writes "4chan's founder Moot has launched a bug bounty for the site after it was hacked, but is offering a meager $20 in 'self-serve ad spend' for all bugs. The bounty program was launched after the website and Moot's Amazon accounts were hacked. The intrusion spelled the end for DrawQuest which was closed after Moot decided it was not worth spending money to ensure the unprofitable but popular drawing platform was secure." -
Microsoft and Facebook Launch Internet Bug Bounty Program
An anonymous reader writes "Microsoft and Facebook today jointly launched a new initiative called the Internet Bug Bounty program. In short, the two companies are looking to secure the Internet stack by rewarding anyone and everyone who hacks it, and responsibly discloses vulnerabilities they find. The minimum bounty for hacking any component of the Internet is $5,000."