Bug Bounty Radar // The latest bug bounty programs for March 2023

Emerging Web Targets for Expert Hackers

The introduction of a nationwide safe harbor agreement last month has made Belgium a hotspot for ethical hackers.

This framework allows dedicated security researchers to report computer security vulnerabilities in any Belgian system without fear of legal repercussions, provided they adhere to specific conditions and rules of conduct.

These guidelines, established by the Centre for Cyber Security Belgium, apply to organizations in both the private and public sectors. While Belgium is leading in this initiative, the hope is that this will motivate other nations to adopt similar measures and encourage businesses to create their own vulnerability disclosure programs.

In another development within the bug bounty realm, independent researcher Peter Geissler opted to publicly disclose a series of vulnerabilities affecting Lexmark printers rather than accept a reward he considered insufficient. The flaws could be chained to achieve remote code execution on affected devices; Lexmark has since patched them.

Additionally, security researcher Justin Steven encountered hurdles while attempting to document a DOM-based cross-site scripting vulnerability in Gartner’s Peer Insights widget. Despite warnings from the company that disclosing this information violated their private bug bounty program, Steven went ahead and publicly shared the technical details, sacrificing payment for his findings.

Another notable incident involved XSS Hunter, a widely used hacking tool, which faced a privacy backlash from researchers after it emerged that telemetry data about their work was being collected. In response to the criticism, Truffle Security has added end-to-end encryption for researchers using the tool.

New Bug Bounty Programs for March 2023

Over the past month, several new bug bounty programs have launched. Here’s a rundown of the latest additions:

ATG (Enhanced)

Provider: YesWeHack

Type: Public

Max Reward: $4,000

Overview: ATG has increased rewards for medium, high, and critical bugs and expanded its bug bounty scope to include .atg.se and its subdomains. This Swedish gaming company specializes in horse racing.

For further information, visit the ATG bug bounty page.

Bybit

Provider: Bugcrowd

Type: Public

Max Reward: $20,000

Overview: This cryptocurrency exchange is offering payouts ranging from $5,000 to $20,000 for critical vulnerabilities, focusing solely on the bybit.com platform.

Details are available on the Bybit bug bounty page.

Grindr

Provider: Bugcrowd

Type: Public

Max Reward: $4,000

Overview: The dating app for the LGBTQ community has highlighted RCE, arbitrary SQL queries on production databases, and authentication bypass as significant vulnerabilities.

Further details can be found on the Grindr bug bounty page.

Linktree

Provider: Bugcrowd

Type: Public

Max Reward: $7,500

Overview: With 30 million global users, this Australian social media tool has included most of its assets in its bug bounty program.

Visit the Linktree bug bounty page for further information.

Malwarebytes

Provider: HackerOne

Type: Public

Max Reward: $2,000

Overview: This anti-malware company offers rewards ranging from $50 to $2,000 for confirmed vulnerabilities, particularly those that pose RCE risks to their web properties or their endpoint protection software.

Check the Malwarebytes bug bounty page for more details.

Miro

Provider: HackerOne

Type: Public

Max Reward: $3,000

Overview: This collaborative whiteboarding platform is offering rewards of up to $3,000. Assets excluded from the scope include Jira Cards and Miro’s services for Jira Cloud and Confluence.

For additional details, check the Miro bug bounty page.

Ninja Kiwi Games

Provider: Intigriti

Type: Public

Max Reward: $3,750

Overview: The New Zealand-based game developer relaunched its bug bounty program after a successful run in 2021. They are known for the Bloons and SAS: Zombie Assault franchises.

Find out more on the Ninja Kiwi Games bug bounty page.

QNAP

Provider: Independent

Type: Public

Max Reward: Undisclosed

Overview: The Taiwanese manufacturer of network-attached storage devices has opened its systems, applications, and cloud services to security researchers for vulnerability testing.

More information is available on the QNAP bug bounty page.

Skinport

Provider: HackerOne

Type: Public

Max Reward: $6,000

Overview: Skinport, a marketplace for in-game items, is rewarding the discovery of critical flaws that could allow manipulation of trades or purchases. Vulnerabilities resulting in unauthorized server access or data breaches are also in scope.

Visit the Skinport bug bounty page for more details.

Spin by OXXO

Provider: YesWeHack

Type: Public

Max Reward: $3,000

Overview: The program covers the Spin fintech app and payment card from the Mexican convenience store chain Oxxo. In-scope assets are an API and the iOS and Android mobile applications.

For further details, visit the Spin by OXXO bug bounty page.

Xdefi Technologies

Provider: HackerOne

Type: Public

Max Reward: $5,000

Overview: This cross-chain wallet extension for cryptocurrencies and NFTs has specific in-scope assets, including the Xdefi Extension and app, with rewards determined by CVSS severity metrics.

Further information can be found on the Xdefi bug bounty page.

Zabbix

Provider: HackerOne

Type: Public

Max Reward: $3,000

Overview: Zabbix, known for its open-source infrastructure monitoring solutions, is offering up to $3,000 for critical vulnerabilities and $1,000 for high severity issues.

Additional details are available on the Zabbix bug bounty page.

Other Bug Bounty and VDP Updates This Month

  • Google has expanded its OSS Fuzz code testing service, enhancing its reward structure and the range of programming languages covered by the project.
  • The tech giant has also issued its largest-ever bug bounty of £500,000 ($605,000) for a vulnerability related to Android, although specifics remain undisclosed. However, ITPro has speculated on potential scenarios.
  • Intel has reported $935,000 in bug bounty payouts last year, as noted in the Intel Product Security Report. The report mentions that 243 vulnerabilities were triaged in 2022, and over 150 researchers were engaged, doubling previous years’ numbers.
  • An in-depth article on the YesWeHack blog offers insights into detecting and exploiting prototype pollution vulnerabilities in JavaScript, building on earlier research by PortSwigger’s Gareth Heyes.
  • Security researcher Mike Takahashi has initiated a Twitter thread discussing how AI-driven chatbots, such as ChatGPT, could aid bug bounty hunters, marking the second installment in a potential ongoing series.
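The prototype pollution item above refers to a bug class rather than to a single finding. The following JavaScript is an added illustration and is not code from the YesWeHack article or from Gareth Heyes’ research: it shows the typical sink (a recursive merge that copies attacker-controlled keys into a target object), the probe a researcher uses to confirm that Object.prototype was modified, and a hardened merge that blocks the dangerous keys. The merge helpers, the `isAdmin` marker and the JSON payload are constructed for this example.

```javascript
// Added example: a recursive "merge" helper of the kind shipped by many
// JavaScript utility libraries. It is deliberately vulnerable: keys from
// untrusted input are copied verbatim, including "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Reading target["__proto__"] returns Object.prototype, so the
      // recursion below writes straight into the shared prototype.
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened version: refuse the keys that reach the prototype chain and only
// recurse into properties the target object itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection probe: after feeding a payload through the code under test,
// Object.prototype should still lack the marker property.
function isPolluted(marker) {
  return hasOwn(Object.prototype, marker);
}

// Run one payload through a merge function and report whether Object.prototype
// was modified. The payload is constructed attacker input (e.g. a JSON body);
// JSON.parse creates "__proto__" as an ordinary own property, which is why
// Object.keys() returns it.
function probe(mergeFn, marker) {
  const payload = JSON.parse(`{"name": "guest", "__proto__": {"${marker}": true}}`);
  const config = mergeFn({ debug: false }, payload);
  const polluted = isPolluted(marker);
  // What an unrelated auth check such as `if (user.isAdmin)` would now see.
  const seenByUnrelatedObject = ({})[marker] === true;
  delete Object.prototype[marker]; // clean up so the process is not left polluted
  return { polluted, seenByUnrelatedObject, name: config.name };
}

console.log('unsafeMerge:', probe(unsafeMerge, 'isAdmin'));
console.log('safeMerge:  ', probe(safeMerge, 'isAdmin'));
```

The probe is the same check used when hunting for this bug in a target: submit a payload with a `__proto__` key and then test whether a freshly created object, or a code path that reads an unset property, sees the injected value. For configuration maps that never need the Object.prototype methods, `Object.create(null)` as the merge target removes the prototype chain entirely and is a simpler fix than key filtering.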

Contributions by Adam Bannister

PREVIOUS EDITION: Bug Bounty Radar // The latest bug bounty programs for February 2023

Based on an article from portswigger.net: https://portswigger.net/daily-swig/bug-bounty-radar-the-latest-bug-bounty-programs-for-march-2023
