Security News

A new cybercrime outfit that calls itself RansomHouse is attempting to carve out a niche of the cyber extortion market for itself by hitting organizations, stealing their data, and offering to delete it and provide a full report on how and what vulnerabilities were exploited in the process - all for a fee, of course. "The thing is that, at least according to what they claim, RansomHouse's sole purpose is not to act as another ransomware group, but rather to act as a pentesting/bug bounty group that forces their services on whoever does not take organizational security seriously enough," Cyberint researchers told Help Net Security.

Are you aware of fake clickjacking bug bounty reports? If not, you should be. How to identify a fake clickjacking bug bounty report?

Google has announced that all security researchers who report Android 13 Beta vulnerabilities through its Vulnerability Rewards Program will get a 50% bonus on top of the standard reward until May 26th, 2022. Bug hunters can get a maximum payout of $1.5 million for a full remote code execution exploit chain on the Titan M used in Google Pixel Phones running an Android 13 Beta build.

The first bug bounty program by America's Homeland Security has led to the discovery and disclosure of 122 vulnerabilities, 27 of which were deemed critical. In total, more than 450 security researchers participated in the Hack DHS program and identified weaknesses in "Select" external Dept of Homeland Security systems.

Microsoft has announced that Exchange, SharePoint, and Skype for Business on-premises are now part of the Applications and On-Premises Servers Bounty Program starting today. With the expansion of this bug bounty program, security researchers who find and report vulnerabilities affecting on-premises servers are eligible for awards ranging from $500 up to $26,000.

Bug bounty platform HackerOne disabled Kaspersky's bug bounty program on Friday following sanctions imposed on Russia and Belarus after the invasion of Ukraine. Kaspersky also added that its bug bounty program was disabled indefinitely following "Unilateral action from HackerOne."

Intel says its engineers are partnering with security researchers to hunt for vulnerabilities in firmware, GPUs, hypervisors, chipsets, and other products in a new expansion to its bug bounty program. Last year, 97 out of the 113 externally found security vulnerabilities were reported by researchers who joined the public bug bounty program, according to Intel.

Cloudflare, an American company focused on web infrastructure and website security, has announced the launch of a new public bug bounty program. "Today we are launching Cloudflare's paid public bug bounty program," said Rushil Shah, a Product Security Engineer at Cloudflare.

A researcher who showed Apple how its webcams can be hijacked via a universal cross-site scripting bug Safari bug has been awarded what is reportedly a record $100,500 bug bounty. The bug could be used by an adversary as part of an attack to gain full access to every website ever visited by the victim.

PolKit vulnerability can give attackers root on many Linux distrosA memory corruption vulnerability in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by local unprivileged users to gain full root privileges. Attackers connect rogue devices to organizations' network with stolen Office 365 credentialsAttackers are trying out a new technique to widen the reach of their phishing campaigns: by using stolen Office 365 credentials, they try to connect rogue Windows devices to the victim organizations' network by registering it with their Azure AD. Stealthy Excel malware putting organizations in crosshairs of ransomware gangsThe HP Wolf Security threat research team identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers to gain access to targets, and exposing businesses and individuals to data theft and destructive ransomware attacks.