Security News

Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years
2021-07-27 16:06

Google says it has paid more than $29 million in rewards for pre-patch vulnerability data over the past 10 years. Since the launch of the Google Vulnerability Rewards Program 10 years ago, the company said it paid bounties on 11,055 vulnerabilities that were reported by 2,022 researchers from 84 countries.

Compsci student walks off with $50,000 after bug bounty report blows gaping hole in Shopify software repos
2021-07-27 12:14

Shopify has forked out $50,000 in a bug bounty payment to computer science student Augusto Zanellato following the discovery of a publicly available access token which gave world+dog read-and-write access to the company's source code repositories. "I found out that the user in question was a member of the Shopify organisation and that he had push and pull access to all the private Shopify repositories."

Bug Bounty and VDP Platform YesWeHack Raises $18.8 Million
2021-07-22 18:49

European bug bounty and vulnerability disclosure policy platform YesWeHack this week announced the closing of a €16 million round of venture capital financing. The Series B funding round included investments from.

Microsoft Adds Teams Mobile Applications to Bug Bounty Program
2021-07-20 12:32

Microsoft on Monday announced that it has included the Teams mobile applications for Android and iOS within the scope of its bug bounty programs. The company added the desktop client of the Teams business communication platform to the Applications Bounty Program back in March, and is now expanding the program to include the mobile clients as well.

GitHub Paid Out Over $1.5 Million via Bug Bounty Program Since 2016
2021-06-28 12:42

Microsoft-owned software development solutions provider GitHub announced on Friday that it has paid out more than $1.5 million through its bug bounty program since 2016, when it started using the HackerOne bug bounty platform. According to the company, in 2020, it paid out over half a million dollars for more than 200 vulnerabilities affecting its products and services.

Alibaba's Lazada Launches Public Bug Bounty Program
2021-06-11 11:48

Southeast Asian e-commerce platform Lazada on Thursday announced the launch of a public bug bounty program with YesWeHack. Since January 2020, the Alibaba-owned platform has been running a private bug bounty program that resulted in more than $150,000 being paid out in bug bounty rewards.

Where Bug Bounty Programs Fall Flat
2021-06-01 18:00

Eavesdropping on the chatter of 600+ cybercriminal forums shows that cybercriminals have specific preferences, shown by the flavors of exploits they requisition, and that bug bounty programs either are too slow, don't pay enough or are just the start of profit-making. A year-long study into the underground market for exploits in cybercriminal forums demonstrates that crooks are salivating for Microsoft bugs, which are far and away the most requested and most sold exploits, but also that exploits can remain valuable for years past their zero days, meaning that patching high-severity vulnerabilities remains a high priority.

How to Get into the Bug-Bounty Biz: The Good, Bad and Ugly
2021-05-14 12:00

Staying on top of the latest web application security trends and new vulnerabilities, and knowing the basics there, and digging in and understanding an application and how its authorization works, and how the pieces of a large application tie together. They know all the features, how they work, how they interact together and it's really in those areas where we see a lot of our great vulnerabilities being reported internally and externally.

Uncle Sam wants 'ethical hackers' to crack its planetary defenses, but don't expect a pay-day from this bug bounty
2021-05-10 11:32

The United States' Department of Defense has opened up all of its publicly facing systems and apps to investigation under a bug bounty program. The bug bounty system had only been aimed at websites but now Kristopher Johnson, director of its Vulnerability Disclosure Program, has said "Websites were only the beginning as they account for a fraction of our overall attack surface" and urged the infosec community to take a wider view.

Reddit Launches Public Bug Bounty Program
2021-04-15 14:30

Reddit this week announced the launch of a public bug bounty program on the vulnerability hunting platform HackerOne. Following a three-year private bug bounty program on HackerOne, which has resulted in over $140,000 being awarded in bug bounties for 300 vulnerability reports focusing on reddit.com, the program is going public with an expanded scope.