Security News

LockBit 3.0 introduces the first ransomware bug bounty program
2022-06-27 15:09

The LockBit ransomware operation has released 'LockBit 3.0,' introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options. The ransomware operation launched in 2019 and has since grown to be the most prolific ransomware operation, accounting for 40% of all known ransomware attacks in May 2022.

RansomHouse: Bug bounty hunters gone rogue?
2022-05-24 10:48

A new cybercrime outfit that calls itself RansomHouse is attempting to carve out a niche of the cyber extortion market for itself by hitting organizations, stealing their data, and offering to delete it and provide a full report on how and what vulnerabilities were exploited in the process - all for a fee, of course. "The thing is that, at least according to what they claim, RansomHouse's sole purpose is not to act as another ransomware group, but rather to act as a pentesting/bug bounty group that forces their services on whoever does not take organizational security seriously enough," Cyberint researchers told Help Net Security.

Fake Clickjacking Bug Bounty Reports: The Key Facts
2022-05-16 04:21

Are you aware of fake clickjacking bug bounty reports? If not, you should be. How to identify a fake clickjacking bug bounty report?

Google gives 50% bonus to Android 13 Beta bug bounty hunters
2022-04-29 17:48

Google has announced that all security researchers who report Android 13 Beta vulnerabilities through its Vulnerability Rewards Program will get a 50% bonus on top of the standard reward until May 26th, 2022. Bug hunters can get a maximum payout of $1.5 million for a full remote code execution exploit chain on the Titan M used in Google Pixel Phones running an Android 13 Beta build.

Homeland Security bug bounty program uncovers 122 holes in its systems
2022-04-25 19:55

The first bug bounty program by America's Homeland Security has led to the discovery and disclosure of 122 vulnerabilities, 27 of which were deemed critical. In total, more than 450 security researchers participated in the Hack DHS program and identified weaknesses in "Select" external Dept of Homeland Security systems.

Microsoft adds on-premises Exchange, SharePoint to bug bounty program
2022-04-05 15:53

Microsoft has announced that Exchange, SharePoint, and Skype for Business on-premises are now part of the Applications and On-Premises Servers Bounty Program starting today. With the expansion of this bug bounty program, security researchers who find and report vulnerabilities affecting on-premises servers are eligible for awards ranging from $500 up to $26,000.

HackerOne kicks Kaspersky’s bug bounty program off its platform
2022-03-25 16:16

Bug bounty platform HackerOne disabled Kaspersky's bug bounty program on Friday following sanctions imposed on Russia and Belarus after the invasion of Ukraine. Kaspersky also added that its bug bounty program was disabled indefinitely following "Unilateral action from HackerOne."

Intel unveils Circuit Breaker bug bounty expansion for elite hackers
2022-02-02 17:54

Intel says its engineers are partnering with security researchers to hunt for vulnerabilities in firmware, GPUs, hypervisors, chipsets, and other products in a new expansion to its bug bounty program. Last year, 97 out of the 113 externally found security vulnerabilities were reported by researchers who joined the public bug bounty program, according to Intel.

Cloudflare launches a paid public bug bounty program
2022-02-01 20:56

Cloudflare, an American company focused on web infrastructure and website security, has announced the launch of a new public bug bounty program. "Today we are launching Cloudflare's paid public bug bounty program," said Rushil Shah, a Product Security Engineer at Cloudflare.

Apple Pays $100.5K Bug Bounty for Mac Webcam Hack
2022-01-31 18:18

A researcher who showed Apple how its webcams can be hijacked via a universal cross-site scripting bug in Safari has been awarded what is reportedly a record $100,500 bug bounty. The bug could be used by an adversary as part of an attack to gain full access to every website ever visited by the victim.