Security News
Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 to secure the ecosystem from supply chain attacks. Called the Open Source Software Vulnerability Rewards Program, the offering is one of the first open source-specific vulnerability programs.
Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software.The company's newly announced Vulnerability Reward Program focuses on Google software and repository settings.
Microsoft appears to have beat Google on the bug bounty front, with $13.7 million in rewards spread out over 335 researchers. The biggest prize awarded by Microsoft was $200,000 under the Hyper-V Bounty Program and the average award was $12,000.
Simply finding vulnerabilities and patching them "Is totally useless," according to Google's Eduardo Vela, who heads the cloud giant's product security response team. Instead, they've got to exploit the bug: connect to Google Kubernetes Engine instances, hack it, and use the bug to steal the hidden flags.
A Danish ethical hacker was able to work his way uninvited into a closed Cloudflare beta and found a vulnerability that could have been exploited by a cybercriminal to hijack and steal someone else's email. Student Albert Pedersen reported the critical vulnerability to Cloudflare via the company's bug bounty program, and was awarded $3,000.
The Feds have put up a $10 million reward for information about foreign interference in US elections in general, and more specifically a Russian oligarch and close friend of President Vladimir Putin accused of funding an organization that meddled in the 2016 presidential elections. The bounty, offered through the US Department of State's Rewards for Justice program, specifically seeks intel on Russia's Internet Research Agency, businessman Yevgeniy Viktorovich Prigozhin, and any "Linked Russian entities and associates for their engagement in US election interference."
The US is offering up to $10 million for information on members of state-sponsored North Korean threat groups, double the amount that the State Department announced in April. The agency's Rewards for Justice program this week said it will cough up the cash for intelligence related to "Government-linked cyber activities" in North Korea, including leads on people involved with such state-sponsored groups like Andariel, APT38, BlueNoroff, Guardians of Peace, Kimsuky, and Lazarus Group who are targeting critical infrastructure in the US. The latest notice is part of a larger ongoing campaign by the State Department and other US government agencies of offering bounties for information regarding cyberattacks from North Korea or other countries against the United States, particularly involving such sectors as critical infrastructure - such as power grids and water and food supplies - as well as federal elections.
LockBit ransomware gang promises bounty payment for personal data. In a new twist on the ransomware game, the LockBit cybercrime group has launched a bug bounty program promising money to people willing to share sensitive data that can be exploited in ransomware attacks.
The LockBit ransomware operation has released 'LockBit 3.0,' introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options. The ransomware operation launched in 2019 and has since grown to be the most prolific ransomware operation, accounting for 40% of all known ransomware attacks in May 2022.
A new cybercrime outfit that calls itself RansomHouse is attempting to carve out a niche of the cyber extortion market for itself by hitting organizations, stealing their data, and offering to delete it and provide a full report on how and what vulnerabilities were exploited in the process - all for a fee, of course. "The thing is that, at least according to what they claim, RansomHouse's sole purpose is not to act as another ransomware group, but rather to act as a pentesting/bug bounty group that forces their services on whoever does not take organizational security seriously enough," Cyberint researchers told Help Net Security.