12 notable bug bounty programs launched in 2023

In May, LayerZero Labs, the team that launched the leading cross-chain messaging protocol LayerZero, announced the launch of a new bug bounty program in partnership with Immunefi, the bug bounty and security services platform for Web3.

The pair called the program the “largest in the history” of the software industry and shows a commitment to security as well as the developers and users in the LayerZero ecosystem. LayerZero Labs revealed it would be offering a maximum reward of $15 million for each new vulnerability found by participants who uncover vulnerabilities at the highest severity level.

“Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported,” wrote Immunefi.

Third edition of The Good Catch program protects Democratic tech vendors

In June, three political tech organizations — Higher Ground Labs, Trestle Collaborative, and Zinc Collective — opened applications for the third edition of The Good Catch, a bug bounty program dedicated to Democratic tech vendors. The program ran during the 2020 and 2022 election cycles, and this cycle’s program will run up until next year’s US presidential election, Matt Hodges, executive director at Zinc Collective’s Democrat-focused political tech lab, told Axios.

Participating tech vendors create an account on Federacy, an online program that manages bug bounty programs for organizations. Each company signed up keeps its program private by default, meaning only vetted researchers will be invited to participate. Participating vendors can also decide to open their bug bounty programs to the entire platform. Once their programs are up and running, vendors receive reports of potentially exploitable security flaws on their systems, which they’ll need to verify on their own.

If requested, the program can provide vendors with general advice about how to stand up their security programs and can recommend other consultancy firms to help with more nuanced questions.

SquareX invites bug hunters to hack-test browser-based cybersecurity product

In June, endpoint security vendor SquareX announced a bug bounty program to invite hackers, security researchers, technologists, and students to hack-test its browser-based cybersecurity product and find security vulnerabilities in it before its launch.

To incentivize and reward bug hunters, SquareX offered rewards totalling up to $25,000 for successfully discovered, reported, and qualified vulnerabilities. The program spanned six weeks from June 15, 2023, to July 27, 2023, with hunters encouraged to help battle-test and harden the product.

“We invite the global hacker community to participate in this bug bounty program and help us discover vulnerabilities. I hope in doing so, we will be able to launch a world-class cybersecurity product that consumers can use and be fearless online,” said Vivek Ramachandran, founder of SquareX.

Upon closure of the program, SquareX said it witnessed an impressive influx of hunters, particularly from India, the USA, and Germany, who launched thousands of automated scans and targeted attacks on its product. However, even with the incentives in place and the doubling of the prize money, SquareX reported that zero critical bugs were discovered during the process.

Swisstronik offers up to $31,000 per discovered bug

In August, Swisstronik, the layer-1 network for building regulatory-compliant dApps with enhanced data privacy, announced the launch of its first bug bounty program with rewards reaching $31,000 per bug.

Swisstronik said that participants will help the firm become a secure bridge between the traditional world with its regulatory requirements and the Web3 world with its high privacy and decentralization standards. “As a result, developers can contribute to a more balanced Web3 in which KYC and other user verifications do not result in personal data loss or reliance on centralized parties, and help boost the overall blockchain adoption.”

Protect AI launches huntr AI/ML bug bounty platform

In August, Protect AI announced the launch of the “world’s first” AI and machine learning bug bounty platform, huntr. The firm said the launch enables the cultivation of a robust community of security researchers dedicated to uncovering vulnerabilities and providing remediations within AI/ML packages, libraries, frameworks, and models.

“As part of our program, it is important that all contributors receive the recognition they deserve. Once a vulnerability has been fully disclosed, acknowledged by the maintainer, and subsequently patched, we credit all contributors involved for their crucial work in the process,” Protect AI said.

The platform hosts monthly contests providing researchers opportunities to showcase their skills and earn rewards. The inaugural contest on the huntr AI/ML bug bounty platform focused on Hugging Face Transformers, presenting a reward of up to $50,000.

Free bug hunting program for NGOs, nonprofits expands across Europe

In July, Hack4Values announced the expansion of its free bug-hunting program for NGOs and nonprofits across Europe. First launched in France in 2022, the Hack4Values platform is an online community comprised of ethical hackers and security researchers committed to creating a safer digital world for all NGOs and their beneficiaries.

The program offers NGOs and nonprofits a free platform audit to help identify the security risks they face, with the Hack4Values community also providing solutions to help these companies keep their data secure from cyber threats.

Since launching, over 50 ethical hackers who have volunteered for Hack4Values have provided bug bounty programs for 10 NGOs including Amnesty International and Action Against Hunger.

Yahoo picks Intigriti to run crowdsourced security program

In September, Yahoo announced a partnership with global crowdsourced security firm Intigriti to launch a new public bug bounty program. The program covers Europe and is open to the 75,000 ethical hackers who are registered on the Intigriti platform, along with anyone else who wishes to take part.

Payout rates are on a scale that’s proportional to potential impact, Yahoo and Intigriti said. Researchers can earn between $100-$500 for low-ranked vulnerabilities, up to $10,000 for high-rated flaws, and between $10,000-$15,000 for any critical issues discovered. The program also offers ethical hacking teams generous cash rewards for topping the leaderboard in select Capture The Flag (CTF) competitions, a move that aims to attract top cybersecurity talent and foster collaboration among ethical hackers.

“Expanding our bug bounty program with Intigriti gives us a bigger outreach to the global ethical hacker community. We want to cater to as many people as possible and provide the best service possible to our users,” commented Arjun Govindaraju, technical principal security engineer at Yahoo.

Nearly 70 assets are in scope under the program, including Yahoo’s high-value web domains, APIs, and Search services, along with Yahoo Shopping, Yahoo Mail, and media brands Yahoo News, and Yahoo Sports.

Cryptocurrency exchange Uniswap unveils four-tier program

In September, decentralized cryptocurrency exchange Uniswap initiated a new bug bounty program featuring a four-tier severity scale that is critical, high, medium, and low/informational. Uniswap said it would be offering rewards of up to 2,250,000 USD Coin, depending on the severity of identified bugs and assets at risk, according to The Crypto Times.

The program covers vulnerabilities and bugs in smart contracts that are deployed by Uniswap, which can be found in various GitHub repositories including the Universal Router Contract Code, Permit2 Contract Code, V3 Contract Code, and UniswapX Contract Code.

Google expands program to include generative AI security issues

In October, Google announced that it is expanding its bug bounty program to include generative AI-specific security issues. Expanding to reward for attack scenarios specific to generative AI will “incentivize research around AI safety and security, and bring potential issues to light that will ultimately make AI safer for everyone,” said Laurie Richardson, VP of trust and safety, and Royal Hansen, VP of privacy, safety and security engineering at Google.

The tech giant also announced it would be expanding its open-source security work to make information about AI supply chain security universally discoverable and verifiable.

Google’s engineering team posted a list of AI attack scenarios that are eligible for rewards. These include prompt attacks, training data extraction, manipulating models, adversarial perturbation, and model theft/exfiltration.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button