Security News

Bug Bounty FAQ: Top Questions, Expert Answers
2020-09-26 10:01

Threatpost brought together leading voices in the bug bounty community to participate in a webinar, "Five Essentials for Running a Successful Bug Bounty Program." Are the hackers getting legal advice before engaging in these programs or are you relying on the bug bounty programs to keep them within the legal lines?

It's been a vintage year for bug bounty hunters, says HackerOne as it boasts of $40m+ passing through its treasure chests
2020-09-22 21:06

Bounty-hunting hackers are uncovering new vulnerabilities every two minutes on average, according to bug bounty platform HackerOne. Mickos rejected the idea that ethical hackers deprived of a legitimate bug bounty market would instead sell newly discovered vulnerabilities to black hats for exploitation, saying: "If we didn't organise this program, the vulnerabilities would not be sold to criminals."

Google Increases Bug Bounty Payouts for Abuse Risk Flaws
2020-09-02 21:23

Google this week increased the reward amounts paid to researchers for reporting abuse risk as part of its bug bounty program. Google added product abuse risks to its Vulnerability Reward Program two years ago and says that more than 750 such issues have been identified since.

Slack Pays Bounty for Critical Vulnerability in Desktop App
2020-08-31 18:34

A security researcher was awarded a $1,750 bug bounty reward for discovering a remote code execution vulnerability in the Slack desktop applications. An attacker could exploit the vulnerability to execute arbitrary code within Slack's desktop apps for macOS, Linux, and Windows.

FireEye Launches Public Bug Bounty Program on Bugcrowd
2020-08-13 10:23

FireEye this week announced that its Bugcrowd-powered bug bounty program has become public, for all registered researchers to participate. The program, which has been running privately on the crowd-sourced bug hunting platform for a while, welcomes all Bugcrowd researchers interested in identifying vulnerabilities in a broad range of FireEye websites, including those of subsidiaries and localized domains.

Microsoft Paid Out Nearly $14 Million via Bug Bounty Programs in Past Year
2020-08-04 16:08

Microsoft reported on Tuesday that it paid out roughly $13.7 million through its bug bounty programs between July 1, 2019, and June 30, 2020. The tech giant runs 15 bug bounty programs, which 327 researchers used in the past year to report 1,226 eligible vulnerabilities.

Microsoft Revamps Windows Insider Preview Bug Bounty Program
2020-07-27 20:17

Microsoft has revamped its Windows Insider Preview bug bounty program with higher rewards and an improved portal for bounty hunters to report flaws, in an effort to help sniff out more vulnerabilities on its platform. The Microsoft Windows Insider Preview bounty program is part of the Microsoft Windows Bounty Program, launched in 2017, which encompasses flaws in all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.

Microsoft Adds Scenario-Based Rewards to Windows Insider Preview Bounty Program
2020-07-27 10:14

Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview Bounty Program, with a top bounty of $100,000. As part of the WIP program, eligible researchers are invited by Microsoft to find vulnerabilities in the Windows Insider Preview Dev Channel, with general rewards ranging between $500 for denial-of-service issues and $5,000 for remote code execution flaws.

US Offers $2mn Bounty for Ukrainian SEC Hackers
2020-07-22 15:01

The US State Department and Secret Service offered $2 million in reward money Wednesday for help capturing two Ukrainians charged with hacking and selling valuable insider corporate information from the Securities and Exchange Commission. The agencies offered a bounty of $1 million each for information leading to the arrest and/or conviction of Artem Viacheslavovich Radchenko and Oleksandr Vitalyevich Ieremenko on charges of international cybercrime.

ExpressVPN Announces Bug Bounty Program on Bugcrowd
2020-07-17 14:28

Virtual private network service ExpressVPN this week announced the launch of a bug bounty program managed by crowdsourced security testing platform Bugcrowd. ExpressVPN has been running a bug bounty rewards program for four years, paying tens of thousands of dollars to security researchers who reported vulnerabilities in its apps, network, servers, site, and routers, among other assets.