The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Bug Bounty Program

Top 5 Bug Bounty Platforms to Watch in 2021

Top 5 Bug Bounty Platforms to Watch in 2021
February 08, 2021The Hacker News
While Gartner does not have a dedicated Magic Quadrant for Bug Bounties or Crowd Security Testing yet, Gartner Peer Insights already lists 24 vendors in the "Application Crowdtesting Services" category. We have compiled the top 5 most promising bug bounty platforms for those of you who are looking to enhance your existing software testing arsenal with knowledge and expertise from international security researchers:  1. HackerOne Being a unicorn backed by numerous reputable venture capitalists,  HackerOne  is probably the most well-known and recognized Bug Bounty brand in the world. According to their most recent annual report, over 1,700 companies trust the HackerOne platform to augment their in-house application security testing capacities. The report likewise says that their security researchers earned approximately $40 million in bounties in 2019 alone and $82 million cumulatively. HackerOne is also famous for hosting US government Bug Bounty programs, including the

The Rise of the Open Bug Bounty Project

The Rise of the Open Bug Bounty Project
February 06, 2020The Hacker News
Can you imagine launching a global bug bounty platform with almost 500,000 submissions and 13,000 researchers without consuming a cent from venture capitalists? If not, this success story is for you. The once skyrocketing bug bounty industry seems to be not in the best shape today. While prominent security researchers are talking about a growing multitude of hurdles they experience with the leading commercial bug bounty platforms, the latter are trying to reinvent themselves as "next-generation penetration testing" or similar services. You be the judge of how successful they will be. Generous venture funds have poured many millions into rapidly spending bug bounty startups that have not replaced Managed Penetration Testing (MPT) services (as some declared). However, these startups have positively improved the price/quality ratio of pen testing services on the global market. Amid the uncertainty for the future of commercial bug bounty platforms, the not-for-profit Op

Apple Opens Its Invite-Only Bug Bounty Program to All Researchers

Apple Opens Its Invite-Only Bug Bounty Program to All Researchers
December 20, 2019Mohit Kumar
As promised by Apple in August this year, the company today finally opened its bug bounty program to all security researchers, offering monetary rewards to anyone for reporting vulnerabilities in the iOS, macOS, watchOS, tvOS, iPadOS, and iCloud to the company. Since its launch three years ago, Apple's bug bounty program was open only for selected security researchers based on invitation and was only rewarded for reporting vulnerabilities in the iOS mobile operating system. However, speaking at a hacking conference in August this year, Ivan Krstić, head of Apple Security Engineering and Architecture at Apple, announced the company's upcoming extended bug bounty program which included three main highlights: an enormous increase in the maximum reward from $200,000 to $1.5 million, accepting bug reports for all of its operating systems and latest hardware, opening the program for all researchers. Now starting from today, all security researchers and hackers are

Google Offers Financial Support to Open Source Projects for Cybersecurity

Google Offers Financial Support to Open Source Projects for Cybersecurity
December 18, 2019Mohit Kumar
Besides rewarding ethical hackers from its pocket for responsibly reporting vulnerabilities in third-party open-source projects, Google today announced financial support for open source developers to help them arrange additional resources, prioritizing the security of their products. The initiative, called " Patch Rewards Program ," was launched nearly 6 years ago, under which Google rewards hackers for reporting severe flaws in many widely used open source software, including OpenSSH, OpenSSL, Linux kernel, Apache, Nginx, jQuery, and OpenVPN. So far, Google has paid hundreds of thousands of dollars as bounty to hackers across the world who helped improve the overall security of many crucial open source software and technologies that power the Internet, operating systems, and networks. The company has now also decided to motivate volunteer work done by the open source community by providing upfront financial help to project teams, using which they can acquire addition

Microsoft to Reward Hackers for Finding Bugs in Open Source Election Software

Microsoft to Reward Hackers for Finding Bugs in Open Source Election Software
October 18, 2019Mohit Kumar
Fair elections are the lifelines of democracy, but in recent years election hacking has become a hot topic worldwide. Whether it's American voting machines during the 2016 presidential election or India's EVMs during 2014 general elections, the integrity, transparency, and security of electronic voting machines remained questionable, leaving a wound in the minds of many that is difficult to heal. Many countries, including the largest democracy in the world i.e., India, believe the best way to ensure the security of EVMs is to make its technology opaque to bad actors, but in recent years a large section of the population is losing trust in any system that has been certified by a closed group of experts only. To make a balance between transparency and security, in May 2019, Microsoft released a free, open-source software development kit (SDK) called ElectionGuard that aims to enable end-to-end verification of voting. Microsoft's ElectionGuard SDK can be integra

Facebook Now Pays Hackers for Reporting Security Bugs in 3rd-Party Apps

Facebook Now Pays Hackers for Reporting Security Bugs in 3rd-Party Apps
October 16, 2019Mohit Kumar
Following a series of security mishaps and data abuse through its social media platform, Facebook today expanding its bug bounty program in a very unique way to beef up the security of third-party apps and websites that integrate with its platform. Last year, Facebook launched " Data Abuse Bounty " program to reward anyone who reports valid events of 3rd-party apps collecting Facebook users' data and passing it off to malicious parties, violating Facebook's revamped data policies. Apparently, it turns out that most of the time, Facebook users' data that had been misused was exposed in the first place as the result of a vulnerability or security weakness in third-party apps or services. The Facebook ecosystem contains millions of third-party apps, and unfortunately, very few of them have a vulnerability disclosure program or offer bug bounty rewards to white-hat hackers for responsibly reporting bugs in their codebase. Because of this communication g

Google Will Now Pay Anyone Who Reports Apps Abusing Users' Data

Google Will Now Pay Anyone Who Reports Apps Abusing Users' Data
August 29, 2019Mohit Kumar
In the wake of data abuse scandals and several instances of malware app being discovered on the Play Store, Google today expanded its bug bounty program to beef up the security of Android apps and Chrome extensions distributed through its platform. The expansion in Google's vulnerability reward program majorly includes two main announcements. First, a new program, dubbed 'Developer Data Protection Reward Program' (DDPRP), wherein Google will reward security researchers and hackers who find "verifiably and unambiguous evidence" of data abuse issues in Android apps, OAuth projects, and Chrome extensions. Second, expanding the scope of its Google Play Security Rewards Program (GPSRP) to include all Android apps from the Google Play Store with over 100 million or more installs, helping affected app developers fix vulnerabilities through responsibly disclosures.' Get Bounty to Find Data-Abusing Android & Chrome Apps The data abuse bug bounty progr

Apple will now pay hackers up to $1 million for reporting vulnerabilities

Apple will now pay hackers up to $1 million for reporting vulnerabilities
August 09, 2019Mohit Kumar
Apple has just updated the rules of its bug bounty program by announcing a few major changes during a briefing at the annual Black Hat security conference yesterday. One of the most attractive updates is… Apple has enormously increased the maximum reward for its bug bounty program from $200,000 to $1 million—that's by far the biggest bug bounty offered by any major tech company for reporting vulnerabilities in its products. The $1 million payouts will be rewarded for a severe deadly exploit—a zero-click kernel code execution vulnerability that enables complete, persistent control of a device's kernel. Less severe exploits will qualify for smaller payouts. What's more? From now onwards, Apple's bug bounty program is not just applicable for finding security vulnerabilities in the iOS mobile operating system, but also covers all of its operating systems, including macOS , watchOS, tvOS, iPadOS, and iCloud. Since its inception around three years ago, Apple

This Flaw Could Have Allowed Hackers to Hack Any Instagram Account Within 10 Minutes

This Flaw Could Have Allowed Hackers to Hack Any Instagram Account Within 10 Minutes
July 15, 2019Mohit Kumar
Watch out! Facebook-owned photo-sharing service has recently patched a critical vulnerability that could have allowed hackers to compromise any Instagram account without requiring any interaction from the targeted users. Instagram is growing quickly—and with the most popular social media network in the world after Facebook, the photo-sharing network absolutely dominates when it comes to user engagement and interactions. Despite having advanced security mechanisms in place, bigger platforms like Facebook, Google, LinkedIn, and Instagram are not completely immune to hackers and contain severe vulnerabilities. Some vulnerabilities have recently been patched , some are still under the process of being fixed, and many others most likely do exist, but haven't been found just yet. Details of one such critical vulnerability in Instagram surfaced today on the Internet that could have allowed a remote attacker to reset the password for any Instagram account and take complete contr

New Settings Let Hackers Easily Pentest Facebook, Instagram Mobile Apps

New Settings Let Hackers Easily Pentest Facebook, Instagram Mobile Apps
March 26, 2019Mohit Kumar
Facebook has introduced a new feature in its platform that has been designed to make it easier for bug bounty hunters to find security flaws in Facebook, Messenger, and Instagram Android applications. Since almost all Facebook-owned apps by default use security mechanisms such as Certificate Pinning to ensure integrity and confidentiality of the traffic, it makes it harder for white hat hackers and security researchers to intercept and analyze network traffic to find server-side security vulnerabilities. For those unaware, Certificate Pinning is a security mechanism designed to prevent users of an application from being a victim of network-based attacks by automatically rejecting the whole connection from sites that offer bogus SSL certificates. Dubbed " Whitehat Settings ," the new option now lets researchers easily bypass Certificate Pinning on the Facebook-owned mobile apps by: Disabling Facebook's TLS 1.3 support Enabling proxy for Platform API requests

Get paid up to $40,000 for finding ways to hack Facebook or Instagram accounts

Get paid up to $40,000 for finding ways to hack Facebook or Instagram accounts
November 21, 2018Mohit Kumar
Here we have great news for all bug bounty hunters. Now you can get paid up to $40,000 for finding and responsibly reporting critical vulnerabilities in the websites and mobile applications owned by Facebook that could allow cyber attackers to take over user accounts. In the latest post published Tuesday on the Facebook page, the social networking giant announced that it has raised the monetary reward for account takeover vulnerabilities to encourage security researchers and bug bounty hunters in helping Facebook to fix high impact issues before nefarious hackers exploit them. The announcement says: Cybersecurity researchers who find security vulnerabilities in any products owned by Facebook , including Instagram , WhatsApp , and Oculus , that can lead to a full account takeover, including access tokens leakage or the ability to access users' valid sessions, will be rewarded an average bounty of: $40,000 reward—if user interaction is not required at all $25,000 reward—

Tumblr Patches A Flaw That Could Have Exposed Users' Account Info

Tumblr Patches A Flaw That Could Have Exposed Users’ Account Info
October 17, 2018Swati Khandelwal
Tumblr today published a report admitting the presence of a security vulnerability in its website that could have allowed hackers to steal login credentials and other private information for users' accounts. The affected information included users email addresses, protected (hashed and salted) account passwords, self-reported location (a feature no longer available), previously used email addresses, last login IP addresses, and names of the blog associated with every account. According to the company, a security researcher discovered a critical vulnerability in the desktop version of its website and responsibly reported it to the Tumblr security team via its bug bounty program. Though the company has not revealed the researcher's name or any technical details about the vulnerability, Tumblr has disclosed that the flaw resided in the "Recommended Blogs" feature of its website. Recommended Blogs has been designed to display a short, rotating list of blogs o

Microsoft Offers $100,000 Bounty for Finding Bugs in Its Identity Services

Microsoft Offers $100,000 Bounty for Finding Bugs in Its Identity Services
July 18, 2018Mohit Kumar
Microsoft today launched a new bug bounty program for bug hunters and researchers finding security vulnerabilities in its "identity services." Hacking into networks and stealing data have become common and easier than ever but not all data holds the same business value or carries the same risk. Since new security today depends on the collaborative communication of identities and identity data within, and across domains, digital identities of customers are usually the key to accessing services and interacting across the Internet. Microsoft said the company has heavily invested in the "creation, implementation, and improvement of identity-related specifications" that encourage "strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks." Therefore, to further bolster its customers' security, the tech giant has launched an all-new, and independent bug bounty program. Dubbed Microsoft Identity Bounty

Uber Paid 20-Year-Old Florida Hacker $100,000 to Keep Data Breach Secret

Uber Paid 20-Year-Old Florida Hacker $100,000 to Keep Data Breach Secret
December 06, 2017Swati Khandelwal
Last year, Uber received an email from an anonymous person demanding money in exchange for the stolen user database. It turns out that a 20-year-old Florida man, with the help of another, breached Uber's system last year and was paid a huge amount by the company to destroy the data and keep the incident secret. Just last week, Uber announced that a massive data breach in October 2016 exposed personal data of 57 million customers and drivers and that it paid two hackers $100,000 in ransom to destroy the information. However, the ride-hailing company did not disclose identities or any information about the hackers or how it paid them. Now, two unknown sources familiar with the incident have told Reuters that Uber paid a Florida man through HackerOne platform, a service that helps companies to host their bug bounty and vulnerability disclosure program. So far, the identity of the Florida man was unable to be obtained or another person who helped him carry out the hack.

Google Play Store Launches Bug Bounty Program to Protect Popular Android Apps

Google Play Store Launches Bug Bounty Program to Protect Popular Android Apps
October 19, 2017Swati Khandelwal
Better late than never. Google has finally launched a bug bounty program for Android apps on Google Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular Android apps. Dubbed " Google Play Security Reward ," the bug bounty program offers security researchers to work directly with Android app developers to find and fix vulnerabilities in their apps, for which Google will pay $1000 in rewards. "The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem," the technology giant says in a blog post published today. Google has collaborated with bug bounty platform, HackerOne, to manage backend for this program, like submitting reports and inviting white-hat hackers and researchers. White-hat hackers who wish to participate can submit their findings directly to the app developers. Once the security vulnerability has been resolved, th

Samsung Launches Bug Bounty Program — Offering up to $200,000 in Rewards

Samsung Launches Bug Bounty Program — Offering up to $200,000 in Rewards
September 11, 2017Swati Khandelwal
With the growing number of cyber attacks and data breaches, a number of tech companies and organisations have started Bug Bounty programs for encouraging hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded. Samsung is the latest in the list of tech companies to launch a bug bounty program, announcing that the South Korean electronics giant will offer rewards of up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software. Dubbed Mobile Security Rewards Program , the newly-launched bug bounty program will cover 38 Samsung mobile devices released from 2016 onwards which currently receive monthly or quarterly security updates from the company. So, if you want to take part in the Samsung Mobile Security Rewards Program, you have these devices as your target—the Galaxy S, Galaxy Note, Galaxy A, Galaxy J, and the Galaxy Tab series, as well as Samsung's flagship devices, the S8, S8+, a

Microsoft Is Paying Up To $250,000 With Its New Bug Bounty Program

 Microsoft Is Paying Up To $250,000 With Its New Bug Bounty Program
July 26, 2017Wang Wei
Microsoft has finally launched a new dedicated bug bounty program to encourage security researchers and bug hunters for finding and responsibly reporting vulnerabilities in its latest Windows versions of operating systems and software. Being the favourite target of hackers and cyber criminals, every single zero-day vulnerability in Windows OS—from critical remote code execution, mitigation bypass and elevation of privilege to design flaws—could cause a crisis like recent WannaCry and Petya Ransomware attacks. In past five years the tech giant has launched multiple time-limited bug bounty programs focused on various Windows features, and after seeing quite a bit of success, Microsoft has decided to continue. "Security is always changing, and we prioritise different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities." With its latest bu

Tor Launches Bug Bounty Program — Get Paid for Hacking!

Tor Launches Bug Bounty Program — Get Paid for Hacking!
July 20, 2017Mohit Kumar
With the growing number of cyber attacks and breaches, a significant number of companies and organisations have started Bug Bounty programs for encouraging hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded. Following major companies and organisations, the non-profit group behind Tor Project – the largest online anonymity network that allows people to hide their real identity online – has finally launched a " Bug Bounty Program ." The Tor Project announced on Thursday that it joined hands with HackerOne to start a public bug bounty program to encourage hackers and security researchers to find and privately report vulnerabilities that could compromise the anonymity network. HackerOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the United States Department of Defense for Hack the Pentagon initiative. Bug bo

18-Byte ImageMagick Hack Could Have Leaked Images From Yahoo Mail Server

18-Byte ImageMagick Hack Could Have Leaked Images From Yahoo Mail Server
May 23, 2017Swati Khandelwal
After the discovery of a critical vulnerability that could have allowed hackers to view private Yahoo Mail images, Yahoo retired the image-processing library ImageMagick. ImageMagick is an open-source image processing library that lets users resize, scale, crop, watermarking and tweak images. The tool is supported by PHP, Python, Ruby, Perl, C++, and many other programming languages. This popular image-processing library made headline last year with the discovery of the then-zero-day vulnerability, dubbed ImageTragick , which allowed hackers to execute malicious code on a Web server by uploading a maliciously-crafted image. Now, just last week, security researcher Chris Evans demonstrated an 18-byte exploit to the public that could be used to cause Yahoo servers to leak other users' private Yahoo! Mail image attachments. 'Yahoobleed' Bug Leaks Images From Server Memory The exploit abuses a security vulnerability in the ImageMagick library, which Evans dubbed

Hack'em If You Can — U.S. Air Force launches Bug Bounty Program

Hack'em If You Can — U.S. Air Force launches Bug Bounty Program
April 27, 2017Mohit Kumar
With the growing number of data breaches and cyber attacks, a significant number of companies and organizations have started Bug Bounty programs for encouraging hackers and bug hunters to find and responsibly report vulnerabilities in their services and get rewarded. Now, following the success of the " Hack the Pentagon " and "Hack the Army" initiatives, the United States Department of Defense (DoD) has announced the launch of the "Hack the Air Force" bug bounty program. Hacking or breaking into Defense Department networks was illegal once, but after " Hack the Pentagon " initiative, the DoD started rewarding outsiders to finding and reporting weaknesses in its private networks. "This is the first time the AF [Air Force] has opened up...networks to such a broad scrutiny," Peter Kim, the Air Force Chief Information Security Officer said in a statement. "We have malicious hackers trying to get into our systems every day.&quo
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.