It’s been a busy month for bug bounties, with the US Department of Defense (DoD) announcing the launch of the second ‘Hack the Army’ challenge.

Launched in partnership with the Defense Digital Service and HackerOne, the invite-only, four-week program invites hackers to discover and disclose vulnerabilities in more than 60 publicly accessible DoD web assets.

The first Hack the Army challenge in November 2017 resulted in the discovery of 118 unique and valid vulnerabilities and $100,000 being awarded in monetary rewards.

From military assets to election security, Microsoft has launched a bug bounty program for its previously announced ElectionGuard software development kit (SDK).

First unveiled in May, ElectionGuard is free and open source software that’s designed to make voting more secure and transparent. Rewards of up to $15,000 are available to researchers who discover vulnerabilities in the SDK.

Elsewhere, the organizers of the Pwn2Own hacking contest have unveiled a new event that places industrial control systems in the firing line for the first time.

Trend Micro’s Zero Day Initiative said the third Pwn2Own competition will take place at the S4 industrial security conference in Miami South Beach on January 21-23, joining the organization’s established live hacking events in Canada and Japan.

In payout news, security researcher lucash-dev has been handed a $50,000 bug bounty for discovering a critical vulnerability in cryptocurrency firm MakerDAO’s planned Multi-Collateral Dai (MCD) upgrade.

The bug could have allowed an attacker to steal collateral stored in the new MCD system, possibly within a single transaction.

Staying in the blockchain, the DDEX team awarded $10,000 to researcher samczsun, who notified the crypto-exchange of a potential vulnerability on a contract used to beta-test margin and lending functionality.

In other news this month, The Daily Swig’s Catherine Chapman sat down with Rodolphe Harand, manager at YesWeHack, to discuss the ongoing growth of bug bounties in Europe.

“If you are a company you already have most of your IT in US hands: cloud services, providers, all those as-a-service providers, so it would be nice, at least, that the security of this environment maintains some form of balance.”

Outline: Aelf is pegged as a decentralized cloud computing blockchain network. Running until November 5, this program rewards the discovery of security bugs found in the Aelf mainchain and applications running on the platform, such as wallets or explorers.

Notes: The Singapore-based company is auditing its latest blockchain before full launch. Per-bug rewards of up to $1,500 are split into four tiers – major, moderate, general, and Aelf external application – depending on factors such as risk, vulnerability impact, likelihood of exploitation, and quality of report.

Outline: Identity-as-a-Service (IDaaS) provider Auth0 is expanding its responsible disclosure program, appointing Bugcrowd to find 25 researchers with the right skillset, with more to be invited later.

Notes: “Our security program is maturing rapidly, and the launch of this bug bounty program reinforces our dedication to our customers and the highest level of security we offer them,” said Joan Pepin, CISO and VP of operations at Auth0, which authenticates more than 2.5 billion logins for web, mobile, IoT, and internal applications every month.

Outline: Microsoft has launched a bug bounty program for its previously announced ElectionGuard software development kit (SDK). First unveiled in May, ElectionGuard is free and open source software that’s designed to make voting more secure and transparent. Rewards of up to $15,000 are available to researchers who discover vulnerabilities in the SDK.

Notes: “The ElectionGuard bounty program invites security researchers to partner with Microsoft to secure ElectionGuard users, and is a part of Microsoft’s broader commitment to preserving and protecting electoral processes under the Defending Democracy Program,” said the Microsoft Security Response Center.

Outline: Facebook is expanding the reach of several bug bounty programs, with rare vulnerabilities landing bonus payouts, plus more opportunities for reporting flaws in third-party apps. “This change significantly increases the scope of the security research that our bug bounty community can share with us and get rewarded for,” said Dan Gurfinkel, head of Facebook’s bug bounty program.

Notes: Researchers can only probe third-party apps for vulnerabilities with the blessing of their developers. Facebook has suffered considerable reputational damage from the data protection-flouting activities of third parties, most notably Cambridge Analytica.

The social network has raised the bounty for hard-to-find native code bugs, while a verified zero-click flaw report for Facebook Messenger on iOS will secure researchers the full bug bounty and a $15,000 bonus.

Outline: Bounties for breaching FaceTec’s ZoOm 3D face authentication system will be awarded for success across three categories. According to FaceTec, ZoOm is the only biometric authentication system with level one and two certifications for iBeta’s Presentation Attack Detection evaluation.

Notes: A level one breach, which entails the use of high-resolution photos and video to spoof the biometric authentication system, will net $15,000; level two, related to latex and silicone masks, adds another $10,000; and level three, entailing 3D masks and sculptures, delivers a final bonus of $5,000.

ZoOm-protected cryptocurrency wallet ZenGo launched a bug bounty program in July. The bounty went unclaimed.

Outline: Nervos, an open source public blockchain ecosystem, is being audited in advance of its mainnet launch – with an initial rewards pot of $1 million earmarked.

Notes: The program covers, among other things, the cell, consensus, and economic model protocols; P2P protocols and PoW algorithms; the security and integrity of the protocol implementation; cryptographic primitives; and account management flaws.

Since the launch of Nervos testnet in May, the team has “made every effort to eliminate bugs, but there is always the chance we may have missed one”.

Outline: Launched as part of a campaign to secure its code and platform, legal software firm Relativity is inviting researchers to find vulnerabilities in the latest version of its SaaS case-management software, RelativityOne. About 700 documents of test data will be subject to evaluation.

Notes: With customers including Tesla, EA, and BSI, Relativity’s case management solutions help corporations, governments, and law firms manage litigation, investigations, and FOIA requests.

To be featured in this list next month, email dailyswig@portswigger.net with ‘Bug Bounty Radar’ in the subject line.