Articles about Bug Bounty

Bug bounty and penetration testing programs are often grouped as interchangeable, but they perform distinct functions.

To determine whether both deserve a place within a cybersecurity strategy, it is important to understand their specific qualities and how they have matured over recent years. We spoke to Chris Campbell, lead solutions engineer at HackerOne, to learn more.

Continue reading →

Microsoft has added yet another bug bounty program to its growing portfolio. With the launch of the Microsoft Defender Bounty Program, the company is offering financial rewards to researchers who "uncover significant vulnerabilities" in its range of security products and services.

The program is focused solely on vulnerabilities of Critical or Important severity, and Microsoft is putting up rewards of between $500 to $20,000 for eligible submissions. Starting off somewhat limited in focus, the aim is to open up the program to have a wider scope further down the line.

Continue reading →

It is only a couple of weeks since the debut of the Microsoft AI Bounty Program, and now Google has launched its own bug bounty program specific to generative AI.

Google has announced the expansion of its existing Vulnerability Rewards Program to reward for attack scenarios that relates to generative AI. The company says that it wants to incentivize research around AI safety and security, highlight potential issues, and make artificial intelligence safer for everyone.

Continue reading →

Bug bounty programs have become a common way for companies to track down issues with software before they start to cause security concerns for users. While Google has various existing programs of this nature, the company has just launched the Mobile Vulnerability Rewards Program.

Google Mobile VRP is a bug bounty program that focuses on the company's own software. It lets security researchers and software detectives submit reports about Google's Android apps, earning financial rewards for discovering security flaws.

Continue reading →

New research from cybersecurity company Naoris Protocol finds 48 percent of people surveyed think criminals who break into computer networks with malicious intent should be paid a percentage of the funds they steal and face no prosecution if they return the majority of their spoils.

The survey of over 500 people working in the cybersecurity and web arenas found just 38 percent saying they disagreed with not prosecuting malicious hackers, while 13 percent were unsure.

Continue reading →

Google is not alone in offering so-called bug bounty programs which give financial incentives to contributors to track down vulnerabilities and security issues in its software. Now the company has launched a new initiative called the Open Source Software Vulnerability Rewards Program (OSS VRP).

As the name suggests, this new program focuses on Google's open source projects. The company is offering rewards of between $100 and $31,337, depending on the severity of the vulnerability.

Continue reading →

Password manager company 1Password is increasing its top bug bounty reward to $1 million, making it the highest bounty in Bugcrowd history and one of the largest rewards in cybersecurity.

Since beginning the bug bounty program in 2017, 1Password has paid out $103,000 to Bugcrowd researchers, averaging $900 per reward. While all detected bugs have been minor, showing no threat to the secrecy of sensitive customer data, 1Password was able to resolve them quickly to reduce the risk of attacks.

Continue reading →

Microsoft is no stranger to using bug bounty programs to track down security problems and other issues with its software and services. Now the company has launched an Xbox bug bounty program, offering payouts of up to $20,000 to anyone finding vulnerabilities.

The particular aim of this bounty program is to find issues with the Xbox Live network and services. Microsoft says the amounts it will pay gamers and security researchers who report problems will depend on the severity and impact of the vulnerability, as well as the quality of the submission.

Continue reading →

Organizations face a greater range of cyber threats than ever before. The key to dealing with these threats is better intelligence about the latest vulnerabilities.

We spoke to Jay Prassl, CEO of cyber hygiene startup Automox, which has recently launched an open community to foster cyber hygiene best practices, to find out more about how crowdsourcing and information sharing can help reduce the corporate attack surface.

Continue reading →

According to a new study 90 percent of IT professionals believe disclosing vulnerabilities serves a broader purpose of improving how software is developed, used and fixed.

The survey from application security testing specialist Veracode finds more than a third of companies received an unsolicited vulnerability disclosure report in the past 12 months, representing an opportunity to work together with the reporting party to fix the vulnerability and then disclose it, improving overall security.

Continue reading →

Bug bounty programs have become a popular way for developers to track down security issues in software, but big pay-outs are not something that every company can afford.

In a bid to keep its Android platform secure, Google has announced that its own bug bounty program is being expanded to include all big Android apps, regardless of who develops them. The company will reward security researchers who find bugs in any app in the Google Play Store with 100 million or more installs.

Continue reading →

Facebook's plans to venture into the world of cryptocurrencies has proved highly controversial, but the social media giant is plowing on regardless. The company and the partners it is working with on Libra have launched a public bug bounty program, offering pay-outs of up to $10,000 per bug.

Announced by the Libra Association, the aim of the Libra Bug Bounty Program is to "strengthen the security of the blockchain". The association wants to track down " security and privacy issues and vulnerabilities".

Continue reading →

With a new beta of the Chromium-based version of Edge now available, Microsoft has unveiled details of a new bug bounty program for the browser.

Through the Microsoft Edge Insider Bounty it is possible to earn a maximum payout of $30,000 for discovering vulnerabilities in the Dev and Beta builds of Edge. Microsoft says that it intends to complement the Chrome Vulnerability Reward Program, meaning that any report that affects the latest version of Microsoft Edge but not Chrome will be eligible.

Continue reading →

Bug bounty programs are a common way for companies to learn about problems with their hardware and software, while giving people the chance to get paid for finding them. Apple is one of the big names to run such a program, and it has at long last expanded it to included macOS.

The iPhone-maker made the announcement at the Black Hat security conference, where it also revealed that not only will its bug bounty program spread to tvOS, watchOS and iCloud as well, but also that the maximum reward is increasing to a cool $1 million.

Continue reading →

Version 3.0.7 of VLC has been released, and while it may seem like a minor x.x.x update, it includes more security fixes than any other previous release -- including two high security issues.

Jean-Baptiste Kemp, the president of VLC-maker VideoLAN, says the number of fixes included in this version is due to the EU-FOSSA bug bounty program, funded by the European Commission.

Continue reading →