Security News

Microsoft-owned software development solutions provider GitHub announced on Friday that it has paid out more than $1.5 million through its bug bounty program since 2016, when it started using the HackerOne bug bounty platform. According to the company, in 2020, it paid out over half a million dollars for more than 200 vulnerabilities affecting its products and services.

Southeast Asian e-commerce platform Lazada on Thursday announced the launch of a public bug bounty program with YesWeHack. Since January 2020, the Alibaba-owned platform has been running a private bug bounty program that resulted in more than $150,000 being paid out in bug bounty rewards.

Eavesdropping on the chatter of 600+ cybercriminal forums shows that cybercriminals have specific preferences, shown by the flavors of exploits they requisition, and that the bug bounty programs either are too slow, don't pay enough or are just the start of profit-making. A year-long study into the underground market for exploits in cybercriminal forums demonstrates that crooks are salivating for Microsoft bugs, which are far and away the most requested and most sold exploits, but that exploits can be valuable for years past their zero days, meaning that patching is still high-priority for high-priority vulnerabilities.

Staying on top of the latest web application security trends and new vulnerabilities, and knowing the basics there, and digging in and understanding and application and how its authorization works, and how the pieces of a large application tie together. They know all the features, how they work, how they interact together and it's really in those areas where we see a lot of our great vulnerabilities being reported internally and externally.

The United States' Department of Defense has opened up all of its publicly facing systems and apps to investigation under a bug bounty program. The bug bounty system had only been aimed at websites but now Kristopher Johnson, director of its Vulnerability Disclosure Program, has said "Websites were only the beginning as they account for a fraction of our overall attack surface" and urged the infosec community to take a wider view.

Reddit this week announced the launch of a public bug bounty program on the vulnerability hunting platform HackerOne. Following a three-year private bug bounty program on HackerOne, which has resulted in over $140,000 being awarded in bug bounties for 300 vulnerability reports focusing on reddit.com, the program is going public with an expanded scope.

A researcher has earned over $11,000 from TikTok after disclosing a series of vulnerabilities that could have been chained for a high-impact 1-click exploit. As for what an attacker could have done with this exploit, the researcher said "Anything TikTok can do on your device, the exploit can do."

A security researcher says Microsoft has awarded him a $50,000 bounty reward for reporting a vulnerability that could have potentially allowed for the takeover of any Microsoft account. The attack, the researcher explains, targets the password recovery process that Microsoft has in place, which typically requires the user to enter their email or phone number to receive a security code, and then enter that code.

Intel patched 231 vulnerabilities in its products last year, roughly the same as in the previous year, when it fixed 236 flaws. The chipmaker on Wednesday published its 2020 Product Security Report, which reveals that nearly half of the vulnerabilities patched last year were discovered by its own employees, and the company claims that a vast majority of the addressed issues are the direct result of its investment in product security assurance.

Facebook on Tuesday announced several new features for its bug bounty program, including an educational resource and payout guidelines. The payout guidelines provide insight into the process used by the company to determine rewards for certain vulnerability categories.