The Most Recent Bug Bounty Programs For September 2022

Bounty hunting is still a popular business, according to a recent report, with the vast majority of ethical hackers wanting to do more.

According to a survey, 96 percent of respondents wanted to spend more time bounty hunting, with two-thirds considering it a full-time job. The biggest draw, according to nearly half of those polled, is the money, followed by the ability to work anywhere in the world, the ability to work alone, and the opportunity to outwit malicious hackers.

Currently, more than half of bug bounty hunters work full-time elsewhere, and roughly one-third are students. However, more than one in every five people receives more than a quarter of their total income from bounty payouts.

There were several notable payouts on existing Google VRPs, most notably when Alesandro Ortiz received $20,000 from the tech giant for discovering a bug in the Chromium project, with $4,000 going to a collaborator. Through iFrames and popup windows, attackers were able to circumvent site isolation protection and steal private information, read and modify cookies, and gain access to microphone and camera feeds, among other exploits.

Meanwhile, researcher ‘NDevT’ discovered two XSS flaws in Google Cloud, DevSite, and Google Play that could result in account hijacking. They received $3,000 and $5,000 in bug bounties for their efforts.

Abraxas VOTING

Program provider:
Bug Bounty Switzerland

Program type:
Semi-public

Max reward:
$10,000

Outline:
VOTING will be used to manage ballots and aggregate tallied votes in Swiss elections.

Notes:
The maximum reward is around 10,000 Swiss francs, which equates to roughly the same amount in US dollars.

Apply to hack on the program via Bug Bounty Switzerland

Airlock

Program provider:
Bug Bounty Switzerland

Program type:
Semi-public

Max reward:
Undisclosed

Outline:
Airlock’s Secure Access Hub, a web application firewall (WAF), protects more than 30,000 web applications worldwide.

Notes:
“This program is built in the style of a CTF competition,” said the company.

Apply to hack on the program via Bug Bounty Switzerland

Cornershop by Uber

Program provider:
HackerOne

Program type:
Public

Max reward:
$2,500

Outline:
Uber’s on-demand grocery delivery service is offering $2,500 for critical vulnerabilities and $1,000 for high severity flaws.

Notes:
Seven assets in scope: the .cornershopapp.com website, iOS and Android apps, source code, two domains containing internal assets, and QA environment.

Check out the Cornershop bug bounty page for more details

Ethereum – Enhanced

Program provider:
Independent

Program type:
Public

Max reward:
$1m

Outline:
Bug bounty rewards for the Ethereum blockchain have quadrupled for a two-week period – ending September 8 – when related to the network’s transition to proof-of-stake.

Notes:
The application of a fourfold multiplier to payouts means ethical hackers could earn up to $1 million for the submission of valid critical vulnerabilities.

Check out our earlier coverage for more details

Google OSS VRP

Program provider:
Independent

Program type:
Public

Max reward:
$31,337

Outline:
Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) focuses on the public repositories of Google-owned GitHub organizations such as GoogleAPIs and GoogleCloudPlatform, as well as their third-party dependencies.

Notes:
Ranging from $100 to $31,337, rewards will typically be higher for particularly sensitive projects – such as Bazel, Angular, Golang, Protocol buffers, and Fuchsia – and vulnerabilities that can lead to supply chain compromise.

Check out the Google OSS VRP bug bounty page for more details

Pogo

Program provider:
HackerOne

Program type:
Public

Max reward:
$2,000

Outline:
Pogo is a mobile app that offers users a way to leverage their personal data online in order to access earn credits and discounts for shopping, finances, and more.

Notes:
In scope are the platform’s production Android and iOS apps and API endpoint used by the mobile apps.

Check out the Pogo bug bounty page for more details

Proton

Program provider:
Bug Bounty Switzerland

Program type:
Semi-public

Max reward:
$30,000

Outline:
If you are accepted onto the program, privacy-preserving email service Proton “will give you early and exclusive access to not published versions of the applications and their source code”.

Notes:
Swiss platform also promises attractive bounties, “a constructive dialogue, fair rules and a legal safe harbor”.

Apply to hack on the program via Bug Bounty Switzerland

Secure Open Source Rewards

Program provider:
Independent

Program type:
Public

Max reward:
$10,000

Outline:
Developers and security researchers have been invited to suggest ways to “harden critical open source projects” by the Linux Foundation, with Google’s open source security team providing initial sponsorship.

Notes:
Rewards range from $505 for minor improvements up to $10,000 or more for “complicated, high-impact, and lasting improvements that almost certainly prevent major vulnerabilities”.

Check out our earlier coverage for more details

Starbucks – Enhanced

Program provider:
HackerOne

Program type:
Public

Max reward:
$6,000

Outline:
Bug reports that include a unique Nuclei Template to validate the finding will now earn researchers a $250 bonus.

Notes:
Launched in 2016, the Starbucks program has 36 assets in scope, approaching 1,500 resolved reports, and average payouts of $250-$500 at the time of writing.

Check out the Starbucks bug bounty page for more details

Trendyol

Program provider:
HackerOne

Program type:
Public

Max reward:
$3,000

Outline:
Trendyol Group, Turkey’s largest ecommerce platform, has launched an ongoing bug bounty program after what it said was a successful, time-limited HackerOne Challenge.

Notes:
Critical bugs will command rewards ranging from $2,000-$3,000, while high severity issues will net bug hunters between $750-$1,250.

Check out the Trendyol bug bounty page for more details

ZOFixer.com security scan helps to find vulnerabilities in software and servers, you can easily use it by registering on our website and activating the 30-day trial.

Leave a Comment

Scroll to Top