Security News

Week in review: PolKit vulnerability, fake tax apps pushing malware, EU’s bug bounty for open source
2022-01-30 09:00

PolKit vulnerability can give attackers root on many Linux distros
A memory corruption vulnerability in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by local unprivileged users to gain full root privileges.

Attackers connect rogue devices to organizations' network with stolen Office 365 credentials
Attackers are trying out a new technique to widen the reach of their phishing campaigns: using stolen Office 365 credentials, they try to connect rogue Windows devices to the victim organizations' network by registering them with their Azure AD.

Stealthy Excel malware putting organizations in crosshairs of ransomware gangs
The HP Wolf Security threat research team identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers to gain access to targets, and exposing businesses and individuals to data theft and destructive ransomware attacks.

EU launches bug bounty programs for five open source solutions
2022-01-25 10:55

The European Union is, once again, calling on bug hunters to delve into specific open source software and report bugs. "One criteria in selecting bug bounties was their use within European public services," the European Commission Open Source Programme Office explained.

An Examination of the Bug Bounty Marketplace
2022-01-17 12:16

Researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in "bug bounty" programs, i.e. programs that hire hackers to discover and report bugs or other vulnerabilities in their systems. This report illuminates the risks and insecurities for hackers as gig workers, and how bounty programs rely on vulnerable workers to fix their vulnerable systems.

Volunteer Dutch flaw finders bag $100k to forward national bug bounty goal
2022-01-13 08:33

The Dutch Initiative for Vulnerability Disclosure has scored $100k towards its founder's hope of a nationwide bug bounty available for anything at all. The DIVD's $100k cash injection is from infosec outfit Huntress Labs and is part of a grand vision aimed at discouraging individual researchers from dumping vulns online, the organisation's founder Victor Gevers told The Register.

‘Hack DHS’ bug bounty program expands to Log4j security flaws
2021-12-22 20:30

The Department of Homeland Security has announced that the 'Hack DHS' program is now also open to bug bounty hunters willing to track down DHS systems impacted by Log4j vulnerabilities. The 'Hack DHS' bug bounty program was announced last week.

Facebook expands bug bounty program to include scraping attacks, two years after it was scraped – hard
2021-12-16 01:33

Meta has expanded its bug bounty program to include payouts for reports of scraping attacks on Facebook - but hold your applause. "We're tackling the industry-wide issue of scraping by expanding our bug bounty program to reward valid reports of scraping bugs and unprotected data sets," states an update from the Facebook security team.

DHS announces 'Hack DHS' bug bounty program for vetted researchers
2021-12-14 20:38

The Department of Homeland Security has launched a new bug bounty program dubbed "Hack DHS" that allows vetted cybersecurity researchers to find and report security vulnerabilities in external DHS systems. "The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors. This program is one example of how the Department is partnering with the community to help protect our Nation's cybersecurity."

Google launches Android Enterprise bug bounty program
2021-10-21 16:00

Google has announced the launch of its first vulnerability rewards program for Android Enterprise with bounties of up to $250,000. "And since we believe scrutiny and transparency are key to improving security, we've launched our first Android Enterprise Vulnerability Rewards Program," said Rajeev Pathak, Senior Product Manager at Google.

TikTok, GitHub, Facebook Join Open-Source Bug Bounty
2021-09-22 14:52

As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma, GitHub, Shopify and TikTok, announced they are throwing a new round of resources behind an Internet Bug Bounty Program to lure threat hunters' attention to open-source supply chains. Following a spate of spectacular software supply-chain breaches, market leaders have decided to throw in some cash to fund the IBB to incentivize bug hunters to take a closer look at open-source code.

Singapore adds a third bug bounty program – this time to fortify government digital services
2021-09-01 04:14

Singapore's governmental digital services arm, GovTech, has launched a "Rewards programme" to further crowdsource tests of the nation's cybersecurity. The Vulnerability Rewards Programme joins the Government Bug Bounty Programme and the Vulnerability Disclosure Programme, all of which work alongside the government's own security checks.