Security News

Where Bug Bounty Programs Fall Flat
2021-06-01 18:00

Eavesdropping on the chatter of more than 600 cybercriminal forums shows that cybercriminals have specific preferences, visible in the kinds of exploits they request, and that bug bounty programs are either too slow, pay too little, or are merely the first step in a longer profit-making chain. The year-long study of the underground exploit market on these forums found that crooks are salivating for Microsoft bugs, far and away the most requested and most sold exploits, and that exploits stay valuable for years after their zero-day window closes, so patching high-severity vulnerabilities remains a high priority.

How to Get into the Bug-Bounty Biz: The Good, Bad and Ugly
2021-05-14 12:00

Staying on top of the latest web application security trends and new vulnerabilities, knowing the basics there, and digging in and understanding an application, how its authorization works, and how the pieces of a large application tie together. They know all the features, how they work, how they interact, and it's really in those areas where we see a lot of our great vulnerabilities being reported internally and externally.

Uncle Sam wants 'ethical hackers' to crack its planetary defenses, but don't expect a pay-day from this bug bounty
2021-05-10 11:32

The United States' Department of Defense has opened up all of its publicly facing systems and apps to investigation under a bug bounty program. The bug bounty system had only been aimed at websites but now Kristopher Johnson, director of its Vulnerability Disclosure Program, has said "Websites were only the beginning as they account for a fraction of our overall attack surface" and urged the infosec community to take a wider view.

Reddit Launches Public Bug Bounty Program
2021-04-15 14:30

Reddit this week announced the launch of a public bug bounty program on the vulnerability hunting platform HackerOne. Following a three-year private bug bounty program on HackerOne, which has resulted in over $140,000 being awarded in bug bounties for 300 vulnerability reports focusing on reddit.com, the program is going public with an expanded scope.

Intel Paid Out $800,000 Per Year Through Bug Bounty Program
2021-03-03 18:18

Intel patched 231 vulnerabilities in its products last year, roughly the same as in the previous year, when it fixed 236 flaws. The chipmaker on Wednesday published its 2020 Product Security Report, which reveals that nearly half of the vulnerabilities patched last year were discovered by its own employees, and the company claims that a vast majority of the addressed issues are the direct result of its investment in product security assurance.

Facebook Announces Payout Guidelines for Bug Bounty Program
2021-02-16 15:19

Facebook on Tuesday announced several new features for its bug bounty program, including an educational resource and payout guidelines. The payout guidelines provide insight into the process used by the company to determine rewards for certain vulnerability categories.

Naked Security Live – When is a bug bounty not a bug bounty?
2021-02-15 19:17

Top 5 Bug Bounty Platforms to Watch in 2021
2021-02-09 09:07

The skyrocketing OpenBugBounty project is the only not-for-profit vulnerability disclosure and Bug Bounty platform on our list. With over 1,200 active Bug Bounty programs, OpenBugBounty also permits coordinated disclosure of security issues on any website, provided the issue was detected by non-intrusive means.

Google Paid Out $6.7 Million in Bug Bounty Rewards in 2020
2021-02-05 12:52

Google this week said it paid out more than $6.7 million in rewards as part of its bug bounty programs in 2020. The total amount of bug bounty rewards increased only slightly compared to 2019, when the Internet search giant paid just over $6.5 million.

U.S. Government Announces 'Hack the Army 3.0' Bug Bounty Program
2021-01-06 14:07

The U.S. government on Wednesday announced the launch of another bug bounty program conducted in collaboration with hacker-powered cybersecurity platform HackerOne. Hack the Army 3.0, whose goal is to help the U.S. Army secure its digital assets and protect its systems against cyberattacks, takes place between January 6 and February 17, and it's open to both military and civilian white hat hackers.