Security News
It's $2M less than in 2022, but it's still a lot. The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program's launch in 2010 has reached $59 million.
Google joins OpenAI and Microsoft in rewarding AI bug hunts. Google expanded its Vulnerability Rewards Program to include bugs and vulnerabilities that could be found in generative AI. Specifically, Google is looking for bug hunters for its own generative AI, products such as Google Bard, which is available in many countries, or Google Cloud's Contact Center AI, Agent Assist.
HackerOne has announced that its bug bounty programs have awarded over $300 million in rewards to ethical hackers and vulnerability researchers since the platform's inception. Thirty hackers have earned over a million USD for their submissions, and one has broken the record, receiving over $4 million for his bug reports.
Bug hunters who found security holes in Google - and also responsibly disclosed details of those flaws to the Chocolate Factory - earned more than $12 million in bounty rewards in 2022, marking a record year for the corporation's Vulnerability Reward Programs in terms of payouts and number of vulnerabilities found and fixed. Avrahami found several vulnerabilities and attack paths in Google Kubernetes Engine Autopilot that would allow an attacker to escape their pod, compromise the underlying node, escalate privileges to administrator level, and then deploy backdoors to maintain this access.
Google last year paid its highest bug bounty ever through the Vulnerability Reward Program for a critical exploit chain report that the company valued at $605,000. In total, Google spent over $12 million for more than 2,900 vulnerabilities in its products discovered and reported by security researchers.
According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. The Pentagon didn't say how many bug hunters received rewards, or how much they each earned.
It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors. The LockBit ransomware operation has released 'LockBit 3.0,' introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options.
Microsoft will pay more - up to $26,000 more - for "High-impact" bugs in its Office 365 products via its bug bounty program. The new "Scenario-based" payouts to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program aim to incentivize bug hunters to focus on finding vulnerabilities with "The highest potential impact on customer privacy and security," Microsoft said late last week.
The Ministry of Defence has paid out the first bug bounties to ethical computer hackers who probed web-accessible systems for vulnerabilities, according to a cheery missive from HackerOne. A month-long "Hacker security test" culminated in a couple of dozen folk being handed unspecified rewards - and marking the first public confirmation of HackerOne's UK government partnership.
Microsoft this week revealed that it paid out more than $13.6 million in bug bounties between July 1, 2020, and June 30, 2021. As part of the company's 17 bug bounty and grant programs, participating security researchers can earn awards as high as $250,000 - the highest rewards are for critical vulnerabilities in Hyper-V. More than 340 security researchers across 58 countries received payouts as part of Microsoft's bug bounty programs over the past year, with the largest single amount awarded by the company being $200,000, for a Hyper-V vulnerability.