Showing results for tags 'bounty'.
-
I don't know if I picked the right category, but I figured this is more of a beginners' (in bug bounty) topic. Lately I have seen several examples of people/users who said they make a living and live solely off bug bounty, and I really wanted to ask you whether it is possible to earn a good income from bug bounty and whether the amount of time you dedicate to it matters a lot. Is it really something you can live off if you do it, let's say, constantly, as if you had a 40 hours/week job? And I mean specifically doing it to make a living, not out of passion/curiosity/interest. I would really appreciate it if you also gave examples you know of, or possibly friends/acquaintances/even yourselves who have done/do this. Thanks!
-
Hi, I want to share a playlist I have been following lately, related to bug bounty hunting. I recommend it both to beginners and to those with experience, because you can always learn something new, or other ideas may come up. Peter Yaworski, author of the book Web Hacking 101 (a "collection" of the most common types of vulnerabilities explained briefly, accompanied by examples discovered "in the wild" in recent years), does a series of interviews with some of the best bug bounty hunters at the moment, found at the top of the HackerOne or Bugcrowd rankings. In these interviews we find out how each of them started, what methods and procedures they use, and much more. Each interview is different, each guest has his own style and ways of working, so there are many things to learn. Given that most of the targets they go after already have a security team behind them that finds most of the problems, the ability to build creative and "outside the box" attacks is essential for finding critical problems in systems. The playlist is here:
-
Foxing the holes in the code

Mozilla has more than doubled the cash rewards under its dusty bug bounty to beyond $10,000. The browser baron has increased the reward for high-severity bugs such as those leading to remote code execution without requiring other vulnerabilities. Engineer Raymond Forbes says the bounty had not been updated in five years and had fallen out of step. "The amount awarded was increased to $3000 five years ago and it is definitely time for this to be increased again," Forbes says. "We have dramatically increased the amount of money that a vulnerability is worth [and] we are moving to a variable payout based on the quality of the bug report, the severity of the bug, and how clearly the vulnerability can be exploited. "Finally, we looked into how we decide what vulnerability is worth a bounty award."

Mozilla previously awarded $3000 for critical vulnerabilities that could seriously endanger users. It paid small amounts for only some moderate vulnerabilities, which under the revamp will now attract up to $2000. The Firefox forger also launched its security bug hall of fame, a common and important component of bug bounty programs, and will open a version for web and services.

Bug bounties are enjoying a boom of late, with many large organisations opening in-house and outsourced programs to attract security vulnerability researchers. The schemes promise to improve the security posture of organisations while providing hackers with an opportunity to practice their skills and earn cash or prizes without the threat of legal ramifications. Programs must be properly set up prior to launch, including clear security policies and contact details posted to an organisation's web site, and strong communication between IT staff and bug hunters. Hackers will often drop unpatched vulnerabilities into the public domain if an organisation fails to respond or refuses to fix the bugs.

Source
-
Less than two months into the year, Facebook said it has already validated more than 100 submissions to its bug bounty, demonstrating a consistently growing interest in such programs industry wide. “Report volume is at its highest levels, and researchers are finding better bugs than ever before,” said Colin Greene, security engineer at Facebook.

Today, the social network reported its final bug bounty submission and payout numbers for 2014. Most notable: 61 percent of eligible vulnerability submissions were rated high severity by Facebook; that number eclipses 2013’s numbers by 49 percent. Overall, Facebook said it received 17,011 submissions, a 16 percent jump year over year, resulting in more than $1.3 million paid out to 321 researchers worldwide, an average payout of $1,800. Of the $1.3 million paid out, more than $250,000 went to the top five participants. Since the bounty program began in 2011, Facebook said it has paid out more than $3 million.

Last week at the Kaspersky Lab Security Analyst Summit, HackerOne chief policy officer Katie Moussouris said it’s important that vulnerability disclosure programs directly feed an organization’s software development lifecycle. She also stressed the importance of strategic thinking with regard to bounty programs: for example, concentrate not only on finding and fixing one-off bugs, but also on eliminating classes of vulnerabilities and on developing mitigations.

For its part, Facebook said its bounty program helped uncover a number of potentially serious vulnerabilities, including the discovery of hidden input parameters causing downstream issues. “After we fixed the instance from this report, we also fixed a few other spots and made improvements around duplicate parameters so that issues like this shouldn’t happen again,” Greene said. Greene also provided another example where legacy REST API calls were allowed to be made on behalf of any Facebook user because of a misconfiguration issue. An attacker would need only the user ID, which could be obtained from the user’s profile or the Graph API, Greene said.

Facebook has invested continuously in its bounty program. Last fall, it announced that it was adding an incentive for researchers to find bugs in its ads code. In particular, Facebook was hoping for some additional eyeballs on its ads code user interface, which includes the Ads Manager and Power Editor tools that enable users to edit and upload bulk ads; a number of permissions-based security issues arose in both of those areas, Facebook said. Facebook said its Ads API was also in scope. More than a year ago, Facebook paid out its largest bounty to date, $33,500 to Brazilian researcher Reginaldo Silva for a remote code execution vulnerability he reported in Facebook's OpenID implementation that paved the way for attackers to pull off XXE attacks.

Source
-
The U.S. Department of State's Transnational Organized Crime Rewards Program has put a $3 million bounty on Russian hacker Evgeniy Mikhailovich Bogachev for a number of cyber crimes he allegedly committed using Zeus malware. This is the largest bounty the U.S. has offered for information on a cybercriminal. The FBI had launched an investigation into Bogachev's activities, and a notice on the Transnational Organized Crime Rewards Program page said it wants the cybercriminal, who went by the online names of lucky12345 and slavik, “for his alleged involvement in a wide-ranging racketeering enterprise that installed, without authorisation, malicious software known as ‘Zeus' on victims' computers." The agency and others have stepped up efforts to nab those behind Zeus and GameOver Zeus. The reward will be paid for information that leads to the arrest and/or conviction of Bogachev, who is believed to be living in Russia.

Source