Adam Bannister | 31 January 2023 at 15:13 UTC
Updated: 28 February 2023 at 18:00 UTC
New opportunities for hackers seeking web vulnerabilities
A standout result from the bug bounty world this month is a bypass of Facebook’s SMS-based two-factor authentication (2FA), which Meta counted among its most significant vulnerabilities of 2022.
Initially, the company did not fully grasp the severity of the issue and offered a bounty of $3,000, later increasing it to $27,200 upon further evaluation.
“With no rate limit protection during the verification of contact points—either email or phone—an attacker could easily add the victim’s 2FA-enabled number to their Instagram-linked Facebook account,” explained security researcher Manoj Gautam in a statement to The Daily Swig.
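The control the researcher says was missing, shown as an added example (this is not code from the article, the researcher or Meta): a contact-point verification endpoint that counts no attempts lets an attacker enumerate a six-digit SMS code, while a per-code attempt cap makes the same code useless after a handful of guesses. The code length, the attempt budget and the phone number are assumptions for the demo.

```python
"""Added example, not from the Daily Swig article or Meta's code: contact-point
verification with and without an attempt cap. Code length, attempt budget and
phone number are assumptions for the demo."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS   # 1,000,000 possible codes
MAX_ATTEMPTS = 5                 # assumed policy: 5 wrong guesses kill the code


@dataclass
class PendingVerification:
    """A phone number waiting to be linked to an account, plus the code that
    was texted to it. State is per code, not per account: the attacker owns
    the account being linked to, so counting per account is not enough."""
    phone: str
    code: str
    attempts: int = 0
    consumed: bool = False


def issue_code(phone: str) -> PendingVerification:
    """Draw a fresh code from the CSPRNG (secrets, never random)."""
    code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
    return PendingVerification(phone=phone, code=code)


def verify_unlimited(pv: PendingVerification, guess: str) -> bool:
    """Vulnerable: nothing is counted, so the attacker can submit every code
    in CODE_SPACE; the only question is how fast the endpoint answers."""
    if pv.consumed:
        return False
    if hmac.compare_digest(pv.code, guess):
        pv.consumed = True
        return True
    return False


def verify_capped(pv: PendingVerification, guess: str) -> bool:
    """Hardened: every guess, right or wrong, is counted before comparison.
    After MAX_ATTEMPTS the code is dead and a new SMS must be requested
    (and that resend path should itself be throttled per phone number)."""
    if pv.consumed or pv.attempts >= MAX_ATTEMPTS:
        return False
    pv.attempts += 1
    if hmac.compare_digest(pv.code, guess):
        pv.consumed = True
        return True
    return False


def brute_force(pv: PendingVerification,
                verify: Callable[[PendingVerification, str], bool]) -> tuple[bool, int]:
    """Enumerate 000000..999999 until verify() accepts.
    Returns (code accepted?, guesses submitted)."""
    for n in range(CODE_SPACE):
        if verify(pv, f"{n:0{CODE_DIGITS}d}"):
            return True, n + 1
    return False, CODE_SPACE


if __name__ == "__main__":
    victim = "+15555550100"  # constructed number for the demo
    weak = issue_code(victim)
    ok, tries = brute_force(weak, verify_unlimited)
    print(f"no rate limit : linked={ok} after {tries} guesses")
    strong = issue_code(victim)
    ok, tries = brute_force(strong, verify_capped)
    print(f"attempt cap   : linked={ok}, attempts counted={strong.attempts}")
```

Note that the counter lives on the pending code rather than on the session or the attacker's account; an attacker who controls the account can open as many sessions as they like, but cannot reset the state attached to the victim's number without triggering a fresh SMS to the victim.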
Additionally, this month, a hacker duo shared their research on the Google Cloud Platform (GCP), leading to six payouts totaling over $22,000.
The duo’s most notable discovery earned them a dual $5,000 reward for a Server-Side Request Forgery (SSRF) vulnerability and an associated patch bypass in the Vertex AI machine learning platform.
Their findings, detailed across four blog posts, highlighted other significant issues including SSH key injection in Google Cloud’s Compute Engine and vulnerabilities within Theia and Cloud Workstations.
Moreover, a third bug bounty report this month focused on Cross-Origin Resource Sharing (CORS) misconfigurations.
Exploits aimed at several private programs—including Tesla—enabled Truffle Security researchers to earn “thousands of dollars,” affirming their theory that “large internal networks are often prone to impactful CORS misconfigurations.”
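The misconfiguration class behind those payouts, as an added example that is not code from the article or from Truffle Security: a CORS handler written three ways, with the check a tester applies to a captured response to decide whether a credentialed body is readable from an attacker's origin. The hostnames and the allowlist are assumptions for the demo.

```python
"""Added example, not code from the Daily Swig article or from Truffle Security:
the CORS misconfiguration pattern the roundup refers to, beside a fixed handler.
Hostnames and the allowlist are assumptions for the demo."""
from typing import Callable, Iterable, Optional

# Assumed allowlist of browser origins that may make credentialed calls to
# this internal API. Entries are scheme://host[:port], no path, exact match.
ALLOWED_ORIGINS = frozenset({
    "https://app.internal.example",
    "https://admin.internal.example",
})


def cors_reflect(origin: Optional[str]) -> dict[str, str]:
    """Vulnerable: echoes whatever Origin arrives and allows credentials.
    Any page the victim visits can read this API's responses with the
    victim's cookies attached."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_substring(origin: Optional[str]) -> dict[str, str]:
    """Still vulnerable: a 'does it look internal?' check. Both
    https://internal.example.attacker.net (prefix) and
    https://evilinternal.example (suffix) satisfy it."""
    if origin and "internal.example" in origin:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_allowlist(origin: Optional[str]) -> dict[str, str]:
    """Fixed: exact match against a closed allowlist. 'null' (sandboxed
    iframes, file://) and anything carrying a path are rejected because
    they never equal an allowlisted entry. Vary: Origin stops a shared
    cache from handing one origin's ACAO header to another."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def readable_by(headers: dict[str, str], attacker_origin: str) -> bool:
    """The check to run on a captured response: would a browser let a page
    at attacker_origin read the body of a credentialed request? That needs
    ACAO equal to the exact origin (browsers refuse a wildcard when
    credentials are on) and Access-Control-Allow-Credentials: true."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acao == attacker_origin and acac


def probe(handler: Callable[[Optional[str]], dict[str, str]],
          origins: Iterable[str]) -> list[str]:
    """Send attacker-controlled Origin values through a handler and return
    those whose responses would be readable cross-origin with credentials."""
    return [o for o in origins if readable_by(handler(o), o)]


if __name__ == "__main__":
    # Constructed probe set: the Origin values a tester typically tries.
    probes = ["https://attacker.example",
              "https://internal.example.attacker.net",
              "https://evilinternal.example",
              "null",
              "https://app.internal.example"]
    for name, handler in [("reflect", cors_reflect),
                          ("substring", cors_substring),
                          ("allowlist", cors_allowlist)]:
        print(f"{name:10} readable by: {probe(handler, probes)}")
```

The last probe value is the legitimate front end; it is expected to appear in every handler's output, and the finding is every other entry that shows up alongside it.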
Upcoming hacking challenges include the US Department of Defense (DoD)’s third annual Hack The Pentagon event and the inaugural Pwn2Own Automotive, operated by Zero Day Initiative, scheduled for January 2024.
New Bug Bounty Programs for February 2023
Several new bug bounty programs were introduced this month. Here’s a list of the latest options available:
8×8
Provider: HackerOne
Type: Public
Max Reward: $1,337
Overview: 8×8, a US provider of business communication technologies, invites hackers to test its websites, mobile applications, and services including Jitsi, its open-source video meeting software.
Notes: Despite the modest upper bounty, 8×8 has already dispensed over $90,000 in bounties within a month of launching its program.
For more details, visit the 8×8 bug bounty page.
Hedera Hashgraph
Provider: HackerOne
Type: Public
Max Reward: $30,000
Overview: Hedera Hashgraph presents itself as a responsibly governed decentralized network involving enterprises, web3 projects, and distinguished universities.
Notes: The program includes seven assets like services and mirror node codebases, Java and JavaScript SDKs, testnet API endpoints, and testnet mirror node APIs.
Check out the Hedera Hashgraph bug bounty page for more details.
Hyperlane
Provider: Immunefi
Type: Public
Max Reward: $2.5 million
Overview: Hyperlane is a modular interoperability platform enabling developers to create interchain applications that communicate securely between blockchains.
Notes: A maximum reward is available for critical bugs on smart contracts, while application bugs can yield payouts of up to $20,000.
More information can be found on the Hyperlane bug bounty page.
Kiwi.com
Provider: HackerOne
Type: Public
Max Reward: $5,000
Overview: Kiwi.com, a Czech online travel agency, offers fare aggregation, metasearch, and ticket booking services.
Notes: The program’s scope includes the main website, kiwi.com; tequila.kiwi.com; jobs.kiwi.com; along with APIs and internal tools.
For more details, check the Kiwi.com bug bounty page.
Net+
Provider: GObugfree
Type: Mix of public and private
Max Reward: CHF5,000 ($5,389)
Overview: Netplus.ch provides internet, telephony, and TV services to over 220,000 users in Switzerland, and pays CHF2,000-5,000 for critical vulnerabilities.
Notes: New targets are initially part of the private program for testing, moving to the public program afterward.
More details can be found on the Net+ private and public bug bounty pages.
Open-Xchange (OX) App Suite
Provider: YesWeHack
Type: Public
Max Reward: €5,000 ($5,430)
Overview: Open-Xchange’s OX App Suite is an open-source email and productivity suite that prioritizes security by default.
Notes: Previously a HackerOne client, Open-Xchange has transferred its bug bounty programs to YesWeHack.
Visit the OX App Suite bug bounty page for additional information.
Open-Xchange Dovecot
Provider: YesWeHack
Type: Public
Max Reward: €5,000 ($5,430)
Overview: Dovecot serves as Open-Xchange’s IMAP, POP3, and submission server for email across various operating systems.
Notes: Open-Xchange has transitioned its bug bounty programs to YesWeHack from HackerOne.
Check the Dovecot bug bounty page for details.
Open-Xchange PowerDNS
Provider: YesWeHack
Type: Public
Max Reward: €5,000 ($5,430)
Overview: PowerDNS is Open-Xchange’s open-source DNS platform, comprising an authoritative nameserver, a recursive resolver (Recursor), and the dnsdist DNS load balancer.
Notes: The program has transitioned from HackerOne to YesWeHack.
Visit the PowerDNS bug bounty page for further information.
S-Pankki
Provider: HackerOne
Type: Public
Max Reward: $4,000
Overview: The Finnish bank offers rewards of up to $4,000 for critical vulnerabilities, along with $2,000 for high and $1,000 for medium severity weaknesses.
Notes: The program encompasses 11 assets, including nine domains and iOS and Android applications.
Check out the S-Pankki bug bounty page for additional details.
Superbet
Provider: HackerOne
Type: Public
Max Reward: $2,000
Overview: The Romanian online gaming company offers up to $2,000 for critical vulnerabilities, $1,000 for high-severity issues, and $250 for medium impact flaws.
Notes: There is one asset in scope: the superbet.ro domain.
Visit the Superbet bug bounty page for more information.
Swiss Bankers
Provider: GObugfree
Type: Private
Max Reward: Undisclosed
Overview: Swiss Bankers specializes in financial services including prepaid credit cards, mobile payments, and money transfers.
Notes: Participation is by invitation only.
More details can be found on the Swiss Bankers bug bounty page.
Threema (Enhanced)
Provider: GObugfree
Type: Public
Max Reward: CHF10,000 ($10,778)
Overview: The Swiss instant messenger service Threema has raised maximum payouts from CHF4,000 ($4,311) to CHF10,000 ($10,778) since starting its bug bounty program in May 2022.
Notes: This increase follows disputes over claims regarding security flaws in Threema’s encrypted messaging platform.
Find more information on the Threema bug bounty page.
TRON DAO
Provider: HackerOne
Type: Public
Max Reward: $5,000
Overview: TRON DAO is an open-source platform designed for developing decentralized applications and interoperable blockchains.
Notes: Currently, TRON’s Java source code is the only asset in scope.
For more details, check the TRON DAO bug bounty page.
Wato-soft
Provider: GObugfree
Type: Private
Max Reward: Undisclosed
Overview: Wato-soft is a Swiss IT services firm focusing on enterprise resource planning (ERP) software.
Notes: Participation is restricted to invited hackers only.
Details available on the Wato-Soft bug bounty page.
Other Bug Bounty and VDP Updates for This Month
- An Amazon virtual hacking event in collaboration with HackerOne became the highest paying virtual event to date, with over 50 security researchers earning a collective total of $832,135. The overall winner of the 10-day hackathon was @jonathanbouman, while the prize for ‘Best Team Collaboration’ went to the group ‘spacebaffoons’.
- As noted in our latest Deserialized roundup, Intigriti identified a Belgium-wide safe harbor clause in proposed whistleblower legislation, alongside a New Scientist feature on a mathematical method for validating exploits without public risk.
- Lastly, YesWeHack released a guide on using the Burp Suite extension Highlighter And Extractor (HaE) to identify vulnerabilities via regular expressions.
PREVIOUS EDITION: Bug Bounty Radar // The latest bug bounty programs for January 2023
Based on an article from portswigger.net: https://portswigger.net/daily-swig/bug-bounty-radar-the-latest-bug-bounty-programs-for-february-2023