Bug Bounty Radar // The latest bug bounty programs for January 2022

New cyber targets for discerning hackers

At the end of the year, a patch that Microsoft claimed had fixed a drive-by remote code execution (RCE) vulnerability in Windows 10 was found not to have solved the problem.

The security flaw affects Windows 10 through the Internet Explorer 11/Edge Legacy browser and Microsoft Teams. Positive Security researchers said that, five months after the fix, the vulnerability was still present in the operating system.

In December, serious vulnerabilities were also discovered in the open source forum platform NodeBB. Attackers could have used these vulnerabilities to steal private information and take over administrator accounts.

These issues – path traversal errors, cross-site scripting (XSS) flaws, and an authentication bypass – were found by SonarSource and have now been patched.

Meanwhile, a flaw in the Tonga top-level domain, caused by vulnerabilities in the registrar's website, allowed an attacker to modify the name servers of any domain.

Fortunately, after the security company Palisade disclosed the issue, the Tonga Network Information Center (Tonic) fixed the vulnerability within 24 hours, before it could be exploited.

A 19-year-old hacker from Nepal received a $4,500 bounty for a Facebook vulnerability that allowed an attacker to reveal the identity of a page administrator. Researcher Sudip Shah said Facebook acted quickly to fix the insecure direct object reference (IDOR) vulnerability.

Egyptian security researcher Momen Ali discovered a potentially serious server-side request forgery (SSRF) vulnerability at Russian search and internet services giant Yandex, earning a place in the company's hall of fame.

Meanwhile, a report by bug bounty platform HackerOne showed that more than 66,000 valid bug reports were received this year, an increase of 22% over 2020 – and bounty payouts for high-severity and critical bugs are also rising.

In program news, the U.S. Department of Homeland Security (DHS) launched a bug bounty program intended to serve as a model for other government organizations. The program runs throughout the year and will include penetration testing, live hacking events, and a detailed review process.

Finally, Intel launched a bug bounty program in partnership with Belgium-based Intigriti. For certain hardware and firmware product lines, the maximum payout for the most serious bugs has been increased from US$100,000 to US$150,000.


The latest bug bounty programs for January 2022

Several new bug bounty programs emerged over the past month. The following is a list of the latest entries:

Bitkub

Program provider:
HackenProof

Program type:
Public

Maximum reward:
3,000 USD

Outline:
Bitkub, a digital asset and cryptocurrency exchange, is asking researchers to find vulnerabilities in its domains and mobile applications.

Notes:
The company's top three vulnerability categories are business logic issues, payment operations, and remote code execution. Critical issues in these categories attract the highest rewards.

Check the Bitkub bug bounty page at HackenProof to learn more

Exmo

Program provider:
HackenProof

Program type:
Public

Maximum reward:
3,000 USD

Outline:
Cryptocurrency exchange Exmo, founded in 2014, is looking for reports on multiple targets across its web, API, and application assets.

Notes:
Several web targets are out of scope, so check the scope before testing.

Check the Exmo bug bounty page at HackenProof to learn more

ATG

Program provider:
YesWeHack

Program type:
Private

Maximum reward:
To be determined

Outline:
Swedish online gambling site ATG announced a new partnership that will focus on protecting its betting and gaming platforms.

Notes:
Although it is currently an invitation-only program, ATG plans to expand it to a public program at some point in the future.

Check the ATG bug bounty page at YesWeHack to learn more

Facebook (expanded)

Program provider:
Meta (formerly Facebook)

Program type:
Public

Maximum reward:
To be determined

Outline:
Facebook's parent company Meta has expanded its bug bounty program to include scraping attacks.

Notes:
The expanded program will pay for vulnerabilities in its anti-scraping protections and will reward researchers who find Facebook data collected through scraping and published on the internet.

Check the Facebook bug bounty page for more details

Braze (expanded)

Program provider:
Bugcrowd

Program type:
Public

Maximum reward:
2,500 USD

Outline:
Customer engagement platform Braze has opened its bug bounty program to the public.

Notes:
Braze's web and API platforms are in scope, but note that any testing on out-of-scope platforms will result in a ban from all Braze bug bounty programs.

Check the Braze bug bounty page at Bugcrowd to learn more

Okex

Program provider:
HackenProof

Program type:
Public

Maximum reward:
3,000 USD

Outline:
Cryptocurrency exchange Okex is asking security researchers to find vulnerabilities in its web, API, and Android platforms.

Notes:
Okex's top three vulnerability categories are likewise business logic issues, payment operations, and remote code execution.

Check the Okex bug bounty page at HackenProof to learn more


Other bug bounty and VDP news this month

  • The U.S. Department of Homeland Security (DHS) has added Log4j to its Hack DHS program.
  • Intigriti released its list of the top 20 bug bounty YouTubers, which you can find here.
  • HackerOne published its 2021 year in review; hackers can share their stats and goals for 2022 here.

Additional reporting by Emma Woollacott.

Previous edition: Bug Bounty Radar // The latest bug bounty programs for December 2021
