bug bounty


Hack the Pentagon, and you could win $150,000

The US Department of Defense is inviting hackers to find security vulnerabilities in some of its public websites, and is offering a bounty of up to $150,000 for those who find flaws.

Read more in my article on the Hot for Security blog.

Starbucks stays schtum, after patching critical website vulnerabilities

Starbucks has patched three critical security vulnerabilities on its website, but it still hasn’t responded to the security researcher who first found the bugs.

David Bisson reports.

Researcher demands FireEye pay up for zero-day vulnerabilities or suffer his ‘cold silence’

A security researcher has demanded that FireEye pay him for several zero-day vulnerabilities he found in the firm’s security products, and he has threatened that he will otherwise remain silent about the bugs’ details.

David Bisson reports.

Do bug bounties work?

Guest contributor Bob Covello discusses bug bounties. Do you think they’re doing a good job at helping vulnerabilities be found, and keeping users safe?


LinkedIn trumpets the success of its private bug bounty

It’s all very well having a bug bounty program, argues LinkedIn, but how is your organisation going to cope if it is bombarded with hundreds of meaningless reports that your security team cannot act upon?

Read more in my article on the Optimal Security blog.


United Airlines bug bounty – find vulnerabilities, win airmiles!

The latest high profile firm found running a bug bounty is United Airlines. And rather than offering the conventional cash rewards, United is offering airmiles instead.

But watch out, there are rules regarding what kind of vulnerabilities you can test for…

Read more on the Tripwire blog.

Serious security hole in Gmail password reset system found by security researcher

A security researcher has uncovered what Google has described as a “high impact” bug in its account recovery process, which could have potentially allowed hackers to trick users into handing over their passwords.

Yahoo admits its bug bounty goof, and stops offering free t-shirts

Sorry, in future you won’t be given a voucher for $12.50 to spend in the Yahoo Corporate Store if you find a critical vulnerability in a service used by hundreds of millions of internet users.

Serious Yahoo bug discovered. Researchers rewarded with $12.50 voucher to buy corporate T-shirt

Such a risible bug bounty is unlikely to win Yahoo any friends and could – if anything – make it less likely that the site will gain the assistance of white-hats in future.

Hackers raise over $12,000 for man who broke into Mark Zuckerberg’s Facebook page

Facebook may have refused to pay researcher Khalil Shreateh a bug bounty after he posted a message on Mark Zuckerberg’s Facebook page, but that doesn’t mean he’s going to go away empty-handed.

Critical Facebook vulnerability could have made it easy to hack accounts [VIDEO]

A critical vulnerability was recently found in Facebook that could have allowed an attacker to hijack, and take control of, accounts on the social network.

Watch the video and learn how it worked.

How to find the primary email address of any Facebook user. Privacy bug squashed

A security researcher has detailed how he discovered a way to find out *any* Facebook user’s primary email address, regardless of their privacy settings, by exploiting a weakness on the social network.