Bug Bounty Radar // The latest bug bounty programs for March 2023

New web targets for the demanding hacker

Belgium became a haven for ethical hackers after the passage of a nationwide safe harbor agreement last month.

The framework means that well-intentioned security researchers are free from legal jeopardy when reporting computer security vulnerabilities in any system in the European country – provided they follow strict conditions and a code of conduct.

The guidelines announced by the Centre for Cyber Security Belgium apply to both private and public sector organizations. Belgium is ahead of the curve, but it is hoped that the program will inspire other countries to follow suit and encourage companies to introduce their own vulnerability disclosure programs.

In less congenial bug bounty-related news, independent researcher Peter Geissler released the details of a number of security vulnerabilities affecting Lexmark printers rather than accept what he saw as a ridiculous reward. The vulnerabilities – which could be chained into a remote code execution attack – have since been fixed.

Another example of researchers balking at bug bounty terms was the disclosure of a web vulnerability in a marketing widget from analyst firm Gartner.

Security researcher Justin Steven wanted to write up the technical details of a DOM-based cross-site scripting vulnerability in the Gartner Peer Insights widget, but the analyst firm warned the researcher that doing so was against the rules of its private bug bounty program.

Steven nevertheless publicly disclosed the technical details of the vulnerability, even though this meant forfeiting payment for the find.

There was plenty of drama when a new variant of the popular hacking tool XSS Hunter published telemetry (anonymized statistics about the vulnerabilities unearthed) from security researchers using its version of the utility. Truffle Security faced a privacy backlash from security researchers, who were upset that it seemed to be “peering over their shoulders” and going through their findings.

In response to the criticism, Truffle Security began offering end-to-end encryption as an option for security researchers using its version of XSS Hunter.


The latest bug bounty programs for March 2023

Several new bug bounty programs have been introduced over the past month. Here is a list of recent entries:

ATG (extended)

Program provider:
YesWeHack

Program type:
Public

Maximum Reward:
$4,000

Outline:
ATG has increased rewards for medium, high and critical bugs and extended its scope to atg.se and its subdomains. ATG is a Swedish gambling company specializing in horse racing.

For more information, see the ATG Bug Bounty page

Bybit

Program provider:
Bugcrowd

Program type:
Public

Maximum Reward:
$20,000

Outline:
The cryptocurrency exchange pays out between $5,000 and $20,000 for the highest criticality level. The only target in scope is bybit.com.

For more information, see the Bybit bug bounty page

Grindr

Program provider:
Bugcrowd

Program type:
Public

Maximum Reward:
$4,000

Outline:
The location-based social networking and dating application for the LGBTQ community cites RCE, arbitrary SQL queries against production databases, and significant authentication bypass failures as potentially critical bugs.

Visit the Grindr Bug Bounty page for more information

Linktree

Program provider:
Bugcrowd

Program type:
Public

Maximum Reward:
$7,500

Outline:
Australian social media tool Linktree, which has 30 million users worldwide, has put “most” of its assets under the bug bounty program.

For more information, see the Linktree bug bounty page

Malwarebytes

Program provider:
HackerOne

Program type:
Public

Maximum Reward:
$2,000

Outline:
The anti-malware company offers payouts ranging from $50 to $2,000 for confirmed vulnerabilities. Those that pose an RCE risk to Malwarebytes’ web properties or to customers running its endpoint protection software, or that lead to takeover of its AWS cloud infrastructure, will reap the greatest rewards.

For more information, see the Malwarebytes bug bounty page

Miro

Program provider:
HackerOne

Program type:
Public

Maximum Reward:
$3,000

Outline:
The collaborative whiteboarding platform offers rewards of up to $3,000. Out-of-scope assets include Miro’s Jira Cards, Miro for Confluence, and Miro for Jira Cloud.

Visit the Miro Bug Bounty page for more information

Ninja Kiwi Games

Program provider:
Intigriti

Program type:
Public

Maximum Reward:
$3,750

Outline:
The New Zealand video game developer has launched a second bug bounty program after a successful predecessor in 2021. Ninja Kiwi Games developed the Bloons, Bloons TD, and SAS: Zombie Assault franchises.

Visit the Ninja Kiwi Games bug bounty page for more information

QNAP

Program provider:
Independent

Program type:
Public

Maximum Reward:
Not disclosed

Outline:
QNAP, the Taiwanese manufacturer of network attached storage appliances, has invited hackers to probe its operating systems, applications and cloud services for vulnerabilities.

For more information, see the QNAP bug bounty page

Skinport

Program provider:
HackerOne

Program type:
Public

Maximum Reward:
$6,000

Outline:
Skinport, a marketplace for in-game digital items, has launched a rewards program for critical bugs that open the door to trade or purchase manipulation. Vulnerabilities leading to unauthorized access to the project’s servers or disclosure of confidential data are also within scope.

For more information, see the Skinport bug bounty page

Spin by OXXO

Program provider:
YesWeHack

Program type:
Public

Maximum Reward:
$3,000

Outline:
The scope includes an API and the iOS and Android mobile applications of Spin, a fintech app and payment card from the Mexican convenience store chain Oxxo.

Visit the Spin by OXXO bug bounty page for more information

Xdefi Technologies

Program provider:
HackerOne

Program type:
Public

Maximum Reward:
$5,000

Outline:
Xdefi, a cross-chain wallet extension for cryptocurrencies and NFTs, has included the Xdefi extension (a Chromium web extension) and app in its in-scope assets, with rewards based on CVSS (Common Vulnerability Scoring System) severity.

For more information, see the Xdefi bug bounty page

Zabbix

Program provider:
HackerOne

Program type:
Public

Maximum Reward:
$3,000

Outline:
Zabbix, a provider of open-source infrastructure monitoring technologies, is offering up to $1,000 for high-severity bugs and $3,000 for critical bugs.

Visit the Zabbix bug bounty page for more information


More Bug Bounty and VDP news this month

  • Google has expanded its OSS-Fuzz code testing service by updating its rewards program and increasing the number of programming languages covered by the project

    The search engine giant has also paid out its biggest bug bounty to date – worth a potentially life-changing £500,000 ($605,000) for an Android-related vulnerability. Google is keeping a low profile on the details of the bug, but ITPro has narrowed down the list of possibilities.

  • Intel reports that it paid out $935,000 in bug bounties last year. The chip giant’s Intel Product Security Report (pdf) said it addressed 243 vulnerabilities in 2022, 90 of which were discovered by security researchers and reported through its bug bounty programs. The vendor “employed 151 researchers last year, more than double the previous three years,” reports Security Week.
  • A detailed article on the YesWeHack blog by security researchers BitK and SakiiR provides a technical perspective on detecting and exploiting prototype pollution vulnerabilities in JavaScript. The research builds on previous work by PortSwigger’s Gareth Heyes on detecting server-side prototype pollution vulnerabilities.
  • Security researcher Mike Takahashi put together a Twitter thread on the hot topic of how AI-powered chatbots such as ChatGPT might be able to help bug bounty hunters. Takahashi’s social media brainstorming is the second in a potentially ongoing series.

Additional reporting by Adam Bannister
