Security News

Microsoft announced last week that it has added scenario-based rewards to the Windows Insider Preview Bounty Program, with a top bounty of $100,000. As part of the WIP program, eligible researchers are invited by Microsoft to find vulnerabilities in the Windows Insider Preview Dev Channel, with general rewards ranging between $500 for denial-of-service issues and $5,000 for remote code execution flaws.

The US State Department and Secret Service offered $2 million in reward money Wednesday for help capturing two Ukrainians charged with hacking and selling valuable insider corporate information from the Securities and Exchange Commission. The agencies offered a bounty of $1 million each for information leading to the arrest and/or conviction of Artem Viacheslavovich Radchenko and Oleksandr Vitalyevich Ieremenko on charges of international cybercrime.

Virtual private network service ExpressVPN this week announced the launch of a bug bounty program managed by crowdsourced security testing platform Bugcrowd. ExpressVPN has been running a bug bounty rewards program for four years, paying tens of thousands of dollars to security researchers who reported vulnerabilities in its apps, network, servers, site, and routers, among other assets.

Verizon Media tops the list with $9.4 million paid out since it started its program in 2014, with its top bounty coming in at $70,000. That said, PayPal follows as a distant second with Verizon Media in terms of bounty volume.

HackerOne on Monday released a list of the companies that have paid out the most money through their bug bounty programs. According to HackerOne, Verizon has paid out more than $9.4 million since the launch of its program in February 2014, with a top bounty of $70,000 and an average first response time of 8 hours.

Bug bounty hunting is, at heart, a competitive market, and winner-takes-all is the easiest way for a vendor to avoid the problem of two researchers covertly colluding for extra money. Most bug bounty programs have a rule under which a reasonable timeframe is agreed for fixing the bug.

Sony this week announced the launch of a public PlayStation bug bounty program in partnership with hacker-sourced vulnerability hunting platform HackerOne. Previously, the company ran a private bug bounty with some researchers only, but says that it has come to realize that the research community plays an important role in improving security, and that the newly launched program builds on that realization.

The Defense Advanced Research Projects Agency is running a bug bounty program in an effort to find security vulnerabilities in a new, advanced implementation of the System Security Integration Through Hardware and Firmware program. With the new bug bounty program, DARPA is looking to harden SSITH hardware security protections in development.

The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find. Threatpost has reached out to Apple for further comment.

HackerOne announced on Wednesday that its bug bounty platform has helped researchers earn more than $100 million since the company started paying hackers in October 2013. The San Francisco-based company reported in late February that it had paid out a total of over $82 million in bounties, $40 million of which was awarded in 2019 alone.