Items tagged with bug bounty

Sony has announced via an official PlayStation blog post that it has launched a new bug bounty program for the PlayStation 4 game console in collaboration with the security platform HackerOne. Sony says that it started the Bug Bounty program because security is a fundamental part of creating amazing experiences for the community. The program has rewards in place for various issues, including critical issues on the PS4. Those who discover a critical vulnerability for the PS4 are eligible for bounties as high as $50,000. The image below shows the range of bounties offered for issues of different types. PlayStation says that it was running this bug bounty program privately with some security researchers... Read more...
Think you have what it takes to thwart the security mechanisms in Azure Sphere, a comprehensive security solution Microsoft developed for the Internet of Things (IoT) category? Those who do could potentially collect up to a $100,000 bug bounty. That's some serious cash, and it applies to two specific types of hacks. The bug bounties are part of a three-month research challenge, in which accepted applicants are invited to look for flaws in Microsoft's Azure Sphere platform. To qualify for the maximum award amount, a security researcher would need to demonstrate an ability to execute unauthorized code on either Pluton or Secure World. "While Azure Sphere implements security upfront and by default,... Read more...
A security researcher who discovered over half a dozen zero-day vulnerabilities in the Safari browser has lined his pockets with $75,000, courtesy of Apple's bug bounty program. Left unaddressed, a few of the vulnerabilities could allow an attacker to hijack the webcam on Mac systems, as well as iPhone and iPad devices. Ryan Pickren detailed the vulnerabilities in a pair of blog posts. He found seven in total (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, & CVE-2020-9787), three of which were directly related to potentially taking over the webcam or camera on macOS and iOS devices. "If a malicious website strung these issues together, it could... Read more...
There’s no question that the Tesla Model 3 is one of the most advanced cars on the planet, thanks in part to its advanced EV powertrain, its heavy use of powerful computers for its Autopilot self-driving system, and its heavy software integration with numerous vehicle functions. Tesla is also a leader in the industry when it comes to over-the-air updates that bring new features or fixes for existing features (and in some cases, removing features altogether). That complex integration of software and hardware is coming to light in findings posted by “Jacob A” of SafeKeep Cybersecurity. Jacob describes himself as a veteran security engineer that has disclosed previous... Read more...
Microsoft has announced that it is launching a new Xbox Bounty Program that will pay gamers, security researchers, and tech fans globally for finding and reporting bugs. Bug bounty programs have been around for a long time and are an effort by companies to allow the public to uncover vulnerabilities in software and hardware and report them to the manufacturer rather than putting them on the black market (or using them personally for nefarious purposes). Microsoft says that the new Xbox bounty program requires the person finding a bug to share it with the Microsoft Xbox team via the Coordinated Vulnerability Disclosure or CVD. Eligible submissions that have a clear and concise proof of concept... Read more...
OnePlus has been in the news recently for all the wrong reasons. This past month, the company experienced its second major security breach in two years, resulting in the leak of personal details like customer name, email address, physical address, and phone number. In an effort to get a handle on its security shortcomings, OnePlus has announced a new bug bounty program called the OnePlus Security Response Center. This particular bounty is being run by OnePlus, and is open to both academic institutions and security professionals. OnePlus is hoping that participants in the program will "proactively search for and report" on security issues and threats that affect its products and systems, including... Read more...
Google's Android bug bounty program has come a long way since its humble roots back in mid-2015. At the time, the search and software giant offered a maximum payout of $38,000 for specific exploits that compromised the world's most popular operating system. Today, Google has announced that its maximum payout now weighs in at up to a staggering $1.5 million if certain exploit conditions are met. Google previously offered payouts that maxed out at $200,000, but the new "baseline" top prize is $1 million. The $1.5 million maximum payout is achieved with a $500,000 bonus that will likely be incredibly tough to pull off. The purpose of the bug bounty is to help beef up the security of both its first-party... Read more...
In the past nine years, Google has awarded over $5 million in bug bounties to security researchers who have found and disclosed security holes in the company's Chrome browser. That is a drop in the bucket for a company like Google, but an enormous sum in its own right. Going forward, bug hunters can expect even bigger payouts. Google is bumping up the reward amounts associated with its bug bounty program for Chrome. These are not minor increases, either—Google is tripling the maximum baseline reward amount from $5,000 to $15,000, and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. In addition, it is doubling the bonus for bugs found by fuzzers running... Read more...
Bug Bounty programs are very common today with most of the big tech firms hosting them. The goal is to get hackers to report any bugs they find for a payday rather than turning to the black market to sell their hacks. HP has announced a new Bug Bounty program to lure researchers in to hack its printer software. The program offers up to $10,000 to hackers who can find these vulnerabilities. HP opened its Bug Bounty program in May and had 34 security researchers signed up at the start. One of those researchers was already paid out $10,000 for what was identified as a serious flaw with HP's printers. HP has a wealth of products outside of printers, but says that it chose the printer arm for... Read more...
Forget about 'Netflix and chill', how about 'Netflix and make some money!'? Sure, the latter isn't likely to trend as a popular catchphrase, and it's not a euphemism for cuddling on the couch (or bed) and getting intimate. However, it is a possibility now that Netflix is opening up its bug bounty program to the public. Rewards for uncovering vulnerabilities vary by the severity, with the highest payout so far being $15,000. The bug bounty program is not new—Netflix has been paying select researchers to uncover security issues since September 2016. Prior to that, Netflix had in place a vulnerability disclosure program dating back to 2013 that allowed researchers to report bugs to the company,... Read more...
With critical vulnerabilities like Meltdown and Spectre having been disclosed to the public, it's clearer than ever that more eyeballs are needed when it comes to making sure that our software and hardware is secure. Not long after Intel suffered the bulk of fallout from Meltdown and Spectre, the company bolstered its bug bounty program to encourage more people to dive in and discover bugs before they can be exploited. Intel made great strides to improve the program overall by cutting out the invite-only requirement, allowing anyone to find, explore and report potential bugs. Clearly, Microsoft liked that idea, as it has also enhanced its bug bounty program to offer the same top quarter... Read more...
Intel has been operating its Bug Bounty Program for nearly a year now, with the program originally launching back in March 2017. Initially, the only way that hackers or security researchers could participate was to receive an invite from Intel. Without that invite, you could find all the bugs you wanted, but Intel wouldn't pay you for them. Intel this week announced that it has made changes to that program and one of the biggest is that anyone can now get paid for finding bugs if they follow the program rules. Those rules revolve around using coordinated disclosure practices. What that really means is that Intel must know about the flaw and be given time to address the flaw before any public... Read more...
Google has been paying out some significant money to get security researchers and hackers to tear apart its Chrome browser and Chrome OS. In March of 2015, Google offered up $100,000 for anyone who could find an exploit chain that would allow for a persistent compromise of a Chromebox or Chromebook using guest mode via a webpage. That $100,000 offer was an increase from the original $50,000 bounty. That bounty went unclaimed for many months until a researcher that uses the moniker Gzob Qq notified Google on September 18 that he had identified a set of vulnerabilities in Chrome OS. The hacker was able to identify a series of vulnerabilities that could lead to persistent code execution on Chromebooks... Read more...
There is good money to be earned from being a software exterminator. Several companies have so-called bug bounty programs in place in which they pay out rewards for rooting out certain software flaws and vulnerabilities. DJI, a major player in consumer and professional drones and aerial imaging technology, is the latest to join the fray. Through its Threat Identification Reward Program, researchers can earn up to five figures per bug. "Security researchers, academic scholars and independent experts often provide a valuable service by analyzing the code in DJI’s apps and other software products and bringing concerns to public attention," said DJI Director of Technical Standards Walter Stockwell.... Read more...
Barring an unexpected change in strategy, Windows 10 is and will remain the last monolithic release of Windows. With that being the case, it is in Microsoft's best interest—as well as its customers—to ensure that it remains the most secure release. To help with that, Microsoft is upping the ante for bug hunters—certain exploits brought to Microsoft's attention are now worth as much as a quarter of a million dollars. Imagine finding a bug in Windows 10, reporting it to Microsoft, and then being paid $250,000 for your discovery. That is now a possibility with Microsoft making Windows 10 a permanent part of its bug bounty program and increasing monetary rewards. Previously only Windows Insiders were... Read more...
Many technology companies have in place bug bounty programs that reward security researchers who submit discovered vulnerabilities in the products and services they offer. It is a win-win proposition in which technology companies are alerted to potentially crippling security holes, and hackers are compensated for their efforts. Apple is among the companies with a bug bounty program, though some researchers are choosing to hold onto discovered vulnerabilities, or worse yet, sell them on the underground market. Apple is relatively new to the bug bounty scene. Ivan Krstic, head of Apple's security division, surprised attendees at last year's Black Hat conference by announcing the program, which... Read more...
Nintendo is not a fan of the modder movement, at least not as it pertains to game consoles. The company has an entire section on its website explaining why it feels using ROMs is illegal and immoral, even if you already own a copy of the game. Nintendo's feelings on the matter aside, modders continue to hack game consoles so they can load up freely available ROMs from the Internet, and this has created a cat-and-mouse game between them and Nintendo. It happened with the Wii U and 3DS, and it will happen again with the Switch. In an effort to make modding more difficult (and its systems more secure), Nintendo launched a bug bounty program with HackerOne, a third-party service that pays out money... Read more...
Microsoft is rolling out another perk to subscribers of its Office Insider program. In addition to testing out new builds and having access to features that have not yet been released to the public, Microsoft is launching a bug bounty program for Office Insiders. Through the bug bounty program, Office Insiders can score anywhere from $500 all the way up to $15,000 for discovering vulnerabilities. "The Microsoft Cloud and Online Services Bounty Program has helped us identify elusive vulnerabilities and provided a way to reward the individuals actively partnering with us to protect our customers. We want to continue incentivizing research around design and logic and reward deeper thought in important... Read more...
Qualcomm is opening up a "vulnerability awards program," otherwise known as a bug bounty, in hopes that white hat hackers will root out security flaws in its Snapdragon family of processors, LTE modems, and related technologies, the company announced today. While rewarding security researchers for hunting bugs isn't new, Qualcomm points out that this is the first of its kind by a major silicon vendor. The mobile chipmaker is handing over administration duties to HackerOne with rewards of up to $15,000 per vulnerability up for grabs. Researchers may also find motivation by potential recognition in either the QTQ Product Security or the CodeAuroraForum Hall of Fame, depending on the submission.... Read more...
A start-up that sells security exploits to government agencies is willing to pay big money for remote hacks on iOS 10, the latest version of Apple's mobile operating system. Specifically, the top award is now an eye-popping $1.5 million, or three times the previous award, for remote hacks that work against up-to-date iPhone and iPad devices running iOS 10. The company is called Zerodium. It bills itself as the premium exploit acquisition platform for high-end zero-days and advanced vulnerability research. Zerodium's only been in business for a year but is well known in tech circles for its controversial business model and open advertising of seeking exploits for specific reward amounts, which... Read more...
Even Apple's software isn't immune to security holes and vulnerabilities. An admission of such by Tim Cook and the gang comes in the form of a new bug bounty program Apple announced at the Black Hat conference today in Las Vegas, Nevada. The program kicks off in September and will offer cash rewards for certain exploits. Apple's interested in vulnerabilities that affect iOS, its mobile operating system, as well as any that might be present on its latest hardware devices. This is the first time Apple's offered a public bug bounty program with cash rewards, and those who participate stand to earn up to $200,000 per vulnerability, the max payment amount. At #BlackHat2016, Apple just announced a... Read more...
We wrote earlier about the kind of success Google has been seeing with its Android bug bounty program -- success that has led the company to actually increase its rewards. Over the years, we've seen other major companies offer bug bounties as well, such as Facebook and Microsoft, so it's clear that they can provide some real value. Could that value be important enough for the US government to get in on the action? It appears that "yes", it certainly can. In a new report from the Pentagon, the groundwork is laid for future programs that target much more than some front-facing websites, which is all that was involved during the Department of Defense's test period of April 18 - May 12 of this year.... Read more...