Security News

Facebook Announces Bug Bounty Loyalty Program, Streamlined Bug Triage
2020-10-12 18:27

Facebook has announced a series of updates for its bug bounty program, including bonus rewards for engaged researchers, as well as a faster bug triage process. The social media platform announced that it streamlined the triage of security vulnerabilities reported through its bug bounty program, to increase efficiency and lower the response timeframe.

Facebook Debuts Bug-Bounty ‘Loyalty Program’
2020-10-09 14:50

Facebook has lifted the curtain on what it claims is an industry first: A loyalty program as part of its bug-bounty offering, which aims to further incentivize researchers to find vulnerabilities in its platform. The loyalty program, called "Hacker Plus," offers bonuses on top of bounty awards, access to more products and features that researchers can stress-test, and invites to Facebook's annual events.

Want to set up a successful bug bounty? Make sure you write it for the flaw finders and not the lawyers
2020-10-08 22:40

If you're designing a security bug bounty for your organization's products, by all means get the lawyers to take a look, but keep their hands off the keyboard. Chloé Messdaghi, veep of strategy at infosec training firm Point3, said she's encountered bounty programs that look more like they're intended for the legal team than the security community.

Grindr’s Bug Bounty Pledge Doesn’t Translate to Security
2020-10-06 19:44

Grindr isn't alone - many companies are looking to adopt, or have already adopted, bug-bounty programs or vulnerability-disclosure programs. It's important to distinguish the two: A bug-bounty program offers cash rewards for finding flaws, while a VDP covers when a vulnerability is reported by a third party to an organization.

HP expands its Bug Bounty Program to focus on office-class print cartridge security vulnerabilities
2020-10-02 03:30

HP has expanded its Bug Bounty Program to focus specifically on office-class print cartridge security vulnerabilities. As part of this program, HP has engaged with Bugcrowd to conduct a three-month program in which four professional white hat hackers have been challenged to identify vulnerabilities in HP Original print cartridges.

Bug Bounty FAQ: Top Questions, Expert Answers
2020-09-26 10:01

Threatpost brought together leading voices in the bug bounty community to participate in a webinar, "Five Essentials for Running a Successful Bug Bounty Program." Are the hackers getting legal advice before engaging in these programs or are you relying on the bug bounty programs to keep them within the legal lines?

It's been a vintage year for bug bounty hunters, says HackerOne as it boasts of $40m+ passing through its treasure chests
2020-09-22 21:06

Bounty-hunting hackers are uncovering new vulnerabilities every two minutes on average, according to bug bounty platform HackerOne. Mickos rejected the idea that ethical hackers deprived of a legitimate bug bounty market would instead sell newly discovered vulnerabilities to black hats for exploitation, saying: "If we didn't organise this program, the vulnerabilities would not be sold to criminals."

Google Increases Bug Bounty Payouts for Abuse Risk Flaws
2020-09-02 21:23

Google this week increased the reward amounts paid to researchers for reporting abuse risk as part of its bug bounty program. Google added product abuse risks to its Vulnerability Reward Program two years ago and says that more than 750 such issues have been identified since.

FireEye Launches Public Bug Bounty Program on Bugcrowd
2020-08-13 10:23

FireEye this week announced that its Bugcrowd-powered bug bounty program has become public, for all registered researchers to participate. The program, which has been running privately on the crowd-sourced bug hunting platform for a while, welcomes all Bugcrowd researchers interested in identifying vulnerabilities in a broad range of FireEye websites, including those of subsidiaries and localized domains.

Microsoft Paid Out Nearly $14 Million via Bug Bounty Programs in Past Year
2020-08-04 16:08

Microsoft reported on Tuesday that it paid out roughly $13.7 million through its bug bounty programs between July 1, 2019, and June 30, 2020. The tech giant runs 15 bug bounty programs, which 327 researchers used in the past year to report 1,226 eligible vulnerabilities.