[Image courtesy of Threatpost]
Several companies run programs that pay individuals for reporting bugs before they are publicly discovered. Such programs have long been run by Mozilla, Google, Microsoft, Yahoo and others.
Recently the Chromium project, through Google's vulnerability reward program, paid a researcher USD 15,000 for reporting a bug that allowed code to be injected into embedded sites even though the target and the injecting page lived on different domains.
Dating apps such as Bumble and OkCupid have also had their share of vulnerabilities: in Bumble, an automated script could extract a user's home address, location and other profile data, and in OkCupid attackers could trick users into liking or messaging certain profiles.
[Image courtesy of softscripts.com]
Some of the bug bounty programs (BBPs) launched this month (source: portswigger.net):
· Audiomack, a music streaming platform, has announced a public BBP hosted on Bugcrowd. The rewards have not been disclosed yet and will depend on the severity of the bug.
· Elastic has announced a public BBP on HackerOne with rewards of up to USD 7,000.
· Xvideos has announced a public BBP on HackerOne with rewards of up to USD 5,000.
· The UK Ministry of Defence has also announced a BBP on HackerOne. The program is private and the rewards have not been disclosed.
· The Graph Foundation is offering a large reward, up to USD 2.5 million, for vulnerabilities that could disrupt its whole ecosystem. The program is hosted on Immunefi and open to the public, but rewards vary with severity, so it is worth exploring the target thoroughly to earn a larger payout.
There are many more programs run by companies as well as government bodies. Aaron Portnoy, chief scientist at attack surface management specialist Randori, believes that BBPs are essential, since they give people in countries where breaking into the tech industry is hard a real opportunity, but he also warns organisations not to make bug bounties their entire security strategy.