Security News

UK Ministry of Defence: We won't prosecute bug bounty hunters – oh btw, we now have one of those
2020-12-10 10:28

The UK's Ministry of Defence has launched a bug bounty scheme, promising privateer pentesters they won't be prosecuted if they stick to the published script. The MoD has joined forces with bug bounty platform HackerOne, with the scheme seemingly being aimed at those who probe external web-facing parts of the ministry's sprawling digital estate.

Iran to issue license for national bug bounty program to clean up its code base
2020-12-08 05:02

In 1965, Gordon Moore published a short informal paper, Cramming more components onto integrated circuits. Based on not much more than these few data points and his knowledge of silicon chip development - he was head of R&D at Fairchild Semiconductors, the company that was to seed Silicon Valley - he said that for the next decade, component counts by area could double every year.

Bug Bounty Hunters Earn $1.2 Million at Chinese Hacking Competition
2020-11-09 12:17

Bug bounty hunters have earned a total of more than $1.2 million over the weekend at the 2020 Tianfu Cup International PWN Contest, a major hacking competition that takes place every year in China. The winner was a team representing Chinese cybersecurity firm Qihoo 360, which earned over $740,000.

Bug Bounty Hunters Earned Over $4M for XSS Flaws Reported via HackerOne in 2020
2020-10-30 09:38

In a report published this week, HackerOne reveals that XSS flaws accounted for 18% of all reported issues, and that the bounties companies paid for these bugs went up 26% from last year, reaching $4.2 million. The second most awarded vulnerability type in 2020, HackerOne says, is Improper Access Control, which saw a 134% increase in occurrence compared to 2019, with a total of $4 million paid by companies in bug bounty rewards.

Bug-Bounty Awards Spike 26% in 2020
2020-10-29 13:14

The vulnerability - which enables attackers to inject client-side scripts into web pages viewed by other users - earned hackers $4.2 million in total bug-bounty awards in the last year, a 26-percent increase from what was paid out in 2019 for finding XSS flaws, according to the report. In total, organizations paid ethical hackers $23.5 million in bug bounties for all of these flaws this year, according to HackerOne, which maintains a database of 200,000 vulnerabilities found by hackers.

The 10 vulnerabilities most commonly discovered by bug bounty hunters in 2020
2020-10-29 13:00

HackerOne's list was topped by cross-site scripting, and found improper access control and SSRF vulnerabilities to be climbing in number and risk potential. Bug bounty platform HackerOne has released its list of the most commonly discovered security vulnerabilities for 2020, with the 10 vulnerabilities listed accounting for $23.5 million in payouts to white hat hackers hunting down bugs and reporting them on its platform.

How the Pandemic is Reshaping the Bug-Bounty Landscape
2020-10-28 17:23

I think, you've seen kind of how bounty programs specifically have shifted over the past decade or so, are you finding that companies are becoming more open to launching bug bounty programs? To your point about the current ongoing pandemic, I know that that has had several impacts across the board, but specifically as it relates to bug bounty, like, I know that like Zoom, having kind of that influx in its user base, was looking to what their own bug bounty program and how they could improve that to kind of keep up with the vulnerabilities that were being processed there.

Bug bounty reporter cashes out on someone else's exploit
2020-10-19 09:39

Last year, HackerOne had paid over $62 million in bug bounty rewards, with the figure surpassing $100 million this year according to the platform's latest report. Over the weekend, security professional Guido Vranken alleged that a vulnerability reported to Monero's bug bounty program run by HackerOne was a verbatim copy of his previously discovered exploit.

TikTok Launches Public Bug Bounty Program
2020-10-16 18:16

TikTok announced this week that it has launched a public bug bounty program in collaboration with HackerOne. It's not uncommon for security researchers to find vulnerabilities in the TikTok app.

TikTok Launches Bug Bounty Program Amid Security SNAFUs
2020-10-16 13:26

TikTok has expanded its vulnerability disclosure policy to include a global bug-bounty program through a partnership with the ethical hacker platform HackerOne. Hackers who find critical vulnerabilities in TikTok's platform can receive between $6,900 and $14,800 according to the program, which marks the first time TikTok has invited the public security community to analyze its platform for vulnerabilities.