Candlelites

Search: GitHub paid 166 000 in bug bounties to security researchers in 2017

GitHub paid $166,000 in bug bounties to security researchers in 2017

Four years after starting a bug bounty program, GitHub is still seeing benefits from rewarding security researchers for responsibly disclosing security vulnerabilities. For 2017, GitHub reported that it received 840 bug submissions to its bug bounty program, which is run on the HackerOne platform. A total of 121 reports were resolved by GitHub, with an average reward payout to security researchers of $1,376. Overall in 2017, GitHub paid security researchers a total of $166,495 in bug bounty awards, up from $95,300 in 2016. "The top payout for 2017 was for a bypass of SAML authentication in GitHub Enterprise," Greg Ose, senior manager, security engineering at GitHub, told eWEEK. "This received our max payout at the time of $10,000." The Security Assertion Markup Language (SAML)

Facebook continues to grow its bug bounty program

Facebook is hardly a small organization, with large teams of engineers and security professionals on staff. Yet even Facebook has found that it can profit from expertise outside of the company, which is why the social networking giant has continued to benefit from its bug bounty program. In 2017, Facebook paid out $880,000 to security researchers as part of its bug bounty program. The average reward payout in 2017 was $1,900, up from $1,675 in 2016. Facebook launched its bug bounty program in 2011 in an effort to improve security. The company has paid out a total of $6.3 million in bug bounties since the program began, with varying amounts in each of the last six years. Back in 2014, Facebook reported that it paid out $1.3 million in awards to 321 researchers around the world.

At $30,000 for a flaw, bug bounties are big and getting bigger

Hackers are being paid as much as $30,000 for finding a single critical flaw in a company's systems, and the amount companies are willing to pay is increasing. While the use of such bug hunting programmes is still limited, some large organisations are offering hackers rewards for spotting flaws in their systems. According to data from HackerOne, a company which sets up bug bounty programmes for businesses, the biggest spending companies are now paying out nearly $900,000 a year to people who report bugs. The data comes from bug bounty and vulnerability disclosure programmes run by HackerOne for companies such as Airbnb, GitHub and the Department of Defense - in total accounting for 50,000 security vulnerabilities spotted and more than $17m in bounties awar

Google’s bug bounty programs paid out almost $3m in 2017

Bug bounty programs are designed to sic security researchers on software and pay them to find vulnerabilities and report back to the sponsor. In return, the researchers are richly rewarded for their findings. In fact, Google’s bug bounty paid out a hefty $2.9 million in bug bounties in 2017. Rewards can range from $500 to $100,000 or more depending on the type of bug and the amount of time spent. There are a number of programs, including the Vulnerability Research Grants program and the Patch Rewards program. The former paid out a total of $125,000 to 50 researchers around the world in 2017, while the latter paid a total of $50,000 to improve security in open-source software. The largest award of the year was $112,500, a nice chunk of change, for tracking down a Pixel phone exploit as part of th

Google reports paying close to $3 million in 2017 to bug hunters

Google last year paid $2.9 million in total to bug hunters who found security vulnerabilities in its products and services. The amount is slightly less than the over $3 million the company paid out in bug bounties in 2016. It brings the total that Google has paid for vulnerability discoveries to over $12 million since the company launched a formal bug bounty program in 2010. Google's Vulnerability Reward Program (VRP), like other crowd-sourced vulnerability hunting programs, is designed to help bolster the security of its growing product and service portfolio. The program rewards third-party security researchers who discover and responsibly report bugs in Google-developed apps on Google Play, the Chrome Web Store and in iTunes. Also covered under the program are Google-owned web services, inc

Bug bounties under scrutiny as Uber reveals breach payout

Uber chief information security officer John Flynn appeared before a U.S. Senate committee on Feb. 6 to explain how a bug bounty was used to help cover up the company's 2016 data breach. Flynn appeared alongside the CEOs of HackerOne and Luta Security. In November 2017, Uber publicly admitted that it was the victim of a data breach in 2016 that exposed personally identifiable information on its drivers and users. Uber paid the attackers that breached its system $100,000 in a bid to keep the data safe. What was not initially publicly revealed was that Uber paid the attackers via the HackerOne bug bounty program in an effort to cover up the data breach. "Our primary goal in paying the intruders was to protect our consumers' data," Flynn stated during his testimony. "This wa

Google hands over $3m in bug bounties as payouts soar for new Android flaws

The $1m paid out for Android issues is a significant increase on 2015's figure of $200,000. Google paid researchers over $3m last year for their contributions to its vulnerability rewards programs. Payouts in 2016 take Google's total payments under its bug bounty schemes to $9m since it started rewarding researchers in 2010. In 2015 it paid researchers $2m, which brought its total then to $6m. Android bugs made up 10 percent of Google's $2m bounty payouts - in just five months Android is shaping up to become one of the more lucrative sources of payments for security researchers in Google's bounty scheme. It's not uncommon for tech companies to run bug bounties these days, but while many rely on third-party platforms, Google has been responsible for verifying bugs for over six y

Automotive bug bounty payouts far exceed other industries: Bugcrowd

Bug bounties are becoming increasingly popular, with payouts rising. Paying out a bug bounty—that is, rewarding a security researcher for responsibly disclosing a security vulnerability—is an increasingly popular and lucrative endeavor, according to Bugcrowd's "2017 State of Bug Bounty" report. Bugcrowd offers its customers a managed bug bounty program that engages a "crowd" of researchers to help find software vulnerabilities. Across all industries served by Bugcrowd, the average bug payout last year was $451, up 53 percent year-over-year. Among Bugcrowd's customer base, automotive clients reported the highest average bug bounty payout at $1,514, while those in retail and e-commerce paid an average of $403 per bug. In this slide show, eWEEK takes a look at some of the highlights of Bugcr

GitHub rolls out new business option

GitHub on Wednesday is rolling out a new option for its paying customers. The GitHub.com plan is similar to the GitHub Enterprise offering, but it is geared for teams that want to host code on GitHub.com rather than on their own servers or a private cloud. Like the GitHub Enterprise plan, the GitHub.com option costs $21 a month, per user. Both plans offer SAML single sign-on, automated provisioning and deprovisioning and 24/5 support. The new option includes 99.95 percent guaranteed uptime to GitHub.com. The Enterprise option has also been updated for performance, reliability, and pull request efficiency, GitHub announced. The online code sharing and development platform now has four paid plans that offer unlimited private repositories.

Google: we're hiking bug bounties because finding security flaws is getting tou

After the Android bug bounty, Chinese researchers now receive the most rewards and the most cash from Google. Google has raised its top reward for remote code execution bugs in its Google, Blogger and YouTube domains from an even $20,000 to $31,337, marking a 50 percent rise plus a bonus $1,337 or 'leet' reward. It's also bumped up its 'unrestricted file system or database access' reward by 30 percent plus 'leet' to $13,337. "Because high-severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them. We want to demonstrate our appreciation for the significant time researchers dedicate to our program," security program manager Josh Armour wrote. As previously reported, Google in 2016 paid about $3m to security researchers

Bugcrowd looks to expand bug bounty platform reach with new funding

Bug bounty platform vendor Bugcrowd announced on March 1 that it raised $26 million in a Series C round of funding. The company will use the funding to grow its go-to-market efforts and expand what its crowdsourced bug bounty platform is able to do for organizations. The new funding round was led by Triangle Peak Partners and brings Bugcrowd's total funding to $50 million. The company's last funding round occurred in April 2016, when it raised $15 million. "There has been a lot of validation for the whole bug bounty industry over the last year," Casey Ellis, founder and CTO of Bugcrowd, told eWEEK. "We're looking to capitalize on that and expand the good word of bug bounties to the broader market and not just tech companies." With a bug bounty program, security researchers are

GitHub Desktop download

GitHub is a development platform inspired by the way you work. From open source to business, you can host and review code, manage projects, and build software alongside millions of other developers. GitHub Desktop is a seamless way to contribute to projects on GitHub and GitHub Enterprise.

Cash isn't everything when bug bounties compete with the black market

Sint Maarten -- Bug bounties, where security experts are credited and paid for disclosing vulnerabilities in software and systems to vendors, can be lucrative. There is a common mentality that not only does every bug have a set price, but the black market has sway and influence on how much vendors are willing to pay. But, according to HackerOne chief technology officer Alex Rice, this couldn't be further from the truth. Speaking to ZDNet, Rice said that illegal trading in bugs and exploits doesn't dictate the price vulnerabilities demand in the white hat market. Vendors are offering less cash than what the bugs would get on the black market, and yet they are still "winning" the battle to secure the reports. Why? Because there needs to be a balance between cash rew

How companies should plan for, and respond to, security breaches / Boing Boing

Troy Hunt, proprietor of the essential Have I Been Pwned, sets out the hard lessons learned through years of cataloging the human costs of breaches from companies that overcollected their customers' data, undersecured it, and then failed to warn their customers that they were at risk. Of real interest in Hunt's excellent primer is the section on dealing with security researchers: setting up dedicated bug-reporting forms with bug bounties, PGP keys, and other enticements to do the right thing. It's advice that more companies could stand to take, but alas, things are going in the other direction. Security researchers normally have the right to choose the time and manner of their revelations about defects in products (telling the truth about security vulnerabilities is covered by

github awards researcher $18,000 for remote code execution flaw discovery


markus fenske github has awarded a researcher $18,000 for disclosing a security flaw in github enterprise which could have lead to remote code execution.according to independent german researcher markus fenske, the code repository awarded him the amount for disclosing a serious security vulnerability in github enterprise, an on-premise version of github designed for businesses looking to collaborate on coding but retain strict control of permissions and access to projects.in a blog post, fenske said that github enterprise runs the same general code base as the original github, but a combination of two bugs allowed him to break the management console and would theoretically allow attackers to execute code remotely, leading to everything from data theft to session hijacking.more security new






Atlassian launches public bug bounty with Bugcrowd

Atlassian is partnering with Bugcrowd, the crowdsourced security testing platform, to launch a public bug bounty program, the company announced Wednesday. The enterprise software company says its private bug bounty program has been successful. Even so, "the economics of bug bounties are too overwhelming to ignore," Daniel Grzelak, Atlassian's head of security, said in a statement. "Our traditional application security practice produces great results early in the lifecycle and deep in our services, but the breadth and depth of post-implementation assurance provided by the crowd really completes the secure development lifecycle," he said. "Multiplying the specialization of a single bounty hunter by the size of the crowd creates a capability that just can't be replicated by individual organiza

GitHub will soon warn developers of insecure dependencies, adds news feed, team

GitHub, the online code repository, is hosting its annual user conference this week. Following long-standing tradition in the tech industry, the company used the event to announce a number of new features for its service. The announcements center around two topics: security and discoverability. Given the number of hacks we’ve seen in recent years, it’s no surprise that GitHub, too, wants to do its part to ensure that the code its users work on is as secure as possible. The basic idea here is that most projects these days rely on a wide variety of third-party libraries and other dependencies. So in a first step, GitHub is launching the “dependency graph,” which gives developers an easy way to see all the other packages and applications their own code uses (this currently only works for Ruby

github makes its developer program free, adds new benefits


githubgithub on monday is launching a more robust version of its developer program, adding a new range of benefits and making the whole program free for effectively any developer.launched in 2014, the developer program was previously only open to developers with a paid account. through purely organic growth, it's built a community of around 17,000 developers. what's hot on zdnetjoe wadcan, github's head of business development, said the company is "doubling down" on the program. he called it "a first step in a longer path we're taking to focus on developers who are building on the github api, extending the tools they'd want to use and having github be at the core of that."github as a whole supports more than 20 million developers and hosts more than 50 million projects. while it's popular,






yelp’s bug bounty improves security and attracts talent


since yelp opened its bug bounty to the public six months ago, the company has paid out more than $17,000 to hackers who have discovered vulnerabilities in its products. but the bug bounty program doesn’t just improve security, yelp executives say, but also helps attract security talent to join yelp full-time.bug bounty programs give hackers an avenue to report vulnerabilities to tech companies in exchange for cash, incentivizing them to disclose problems instead of exploiting them. larger companies like google and facebook have been running public bug bounty programs for years, but smaller companies are now launching their own programs to secure their products.hacking the armygoogle's bug bounty program pays out $3 million, mostly for android and chrome exploitshackerone scores $40 millio






GitHub brings its enterprise service to the cloud

GitHub is expanding its offering for large companies today. The service, which allows developers to more effectively collaborate and share their source code, already offered an enterprise version of its tools that large companies could host in their own data centers, AWS or Azure. Now, it is launching a new hosted service of GitHub that, just like the enterprise version, will cost $21 per month and user. The company still offers a free tier for public and open source projects, as well as paid plans (starting at $7) for small teams and individual developers. Just like the existing enterprise version, the new hosted business plan will come with support for SAML-based single sign-on solutions like Ping Identity, Okta and Azure AD. It will also allow admins to provision user accounts and manage per

Report: 10 trends in application security that will impact your cyberdefense str

On Tuesday at Infosecurity Europe 2017, web and mobile application security testing company High-Tech Bridge released a first-quarter report on application security trends. The report drew from data collected on the ImmuniWeb application security testing platform and High-Tech Bridge's free web security services, as well as other open sources. Here are the main findings:

1. No end in sight for "bug bounty fatigue"

According to the report, "9 out of 10 web applications in the scope of a private or public bug bounty program, running for a year or longer, contained at least two high-risk vulnerabilities undetected by the crowd security testing." Because understanding these bugs involves thorough research from crowd security testing platforms, which are paid for catching flaws, attackers often lo

GitHub open sources octoDNS, new tool for managing DNS records

The frailty of the DNS system became all too evident last year, when DNS host Dyn was hit by a major distributed denial of service (DDoS) attack that brought down large swaths of the internet. With the threat of DDoS attacks only expected to grow, experts urge organizations to build redundancy into their DNS services. GitHub, the online code sharing and development platform, is introducing a new open source tool to make it easier to create that redundancy. octoDNS is the system GitHub has been using for a few months now to manage its own DNS records, explained Ross McFarland, the lead GitHub engineer behind the tool. "We have many, many domains we use for different purposes at GitHub, some of those may have hundreds of records in them," he told ZDNet. "It's a relatively complex process mana

Google’s bug bounty program pays out $3 million, mostly for Android and Chrome e

If you’re willing to hunt for flaws within its vast array of software and services, Google’s happy to pay up. Over the course of its 2016 Vulnerability Rewards Program, the company paid out $3 million—a third of the total $9 million that enthusiastic researchers have earned since the initiative, more colloquially known as a bug bounty program, launched in 2010. The latest round of bug bounties yielded 1,000 individual rewards to 350 participants, with the largest single reward totaling $100,000. Last March, Google doubled the bounty for a Chromebook from $50,000 to $100,000, after no one managed to pull one off. The big reason for the jump in reward numbers? Android. Last year was the first that Android had its own vulnerability reward program, or VRP. As Google’s security blog explains: “On

Facebook expands effort to better secure account, password resets

In February, Facebook announced its initial plans for Delegated Account Recovery, providing sites with an open-source protocol and method to securely retrieve and reset account and password information. At Facebook's F8 conference today, the social networking giant expanded its Delegated Account Recovery effort with software development kits and tools to help any site deploy the technology. Delegated Account Recovery provides a more secure mechanism for resetting a lost or forgotten account password. Many websites today provide email-based reset options, which are generally considered to be insecure. With Delegated Account Recovery, rather than emailing a password or account reset link to a user, a site or service delegates the capability to recover an account to an account controlled by th

HackerOne reports bug bounty payouts growing; XSS remains top flaw

Bug bounty platform vendor HackerOne published its 28-page 2017 Hacker-Powered Security Report today, providing insight into the current state of the bug bounty marketplace. Among the top-line findings in the report is that the average bug bounty paid for a critical vulnerability is now $1,923. With HackerOne's bug bounty platform, vendors benefit from HackerOne's community of researchers, who look for security vulnerabilities and are rewarded financially when they report them. While the average bug bounty for a critical vulnerability in 2017 is $1,923, there is a high degree of industry variability in the top amounts paid out by vendors. The top bounty award on the HackerOne platform is $30,000, which is paid by technology vendors. In contrast, the top bounty award from healthcare vendors

Appcanary shuts down its vulnerability scanning service as the team joins GitHub

Appcanary, a Y Combinator-incubated service that helps developers scan the third-party packages and libraries they use to write their code for potential security vulnerabilities, today announced that it will shut down its service on June 1 and that the team is joining GitHub. The two companies did not disclose the financial details of the transaction, but our understanding is that this is primarily an acqui-hire. “From when we cofounded RubySec, to building (the now defunct) GemCanary, to starting Appcanary, our goal from the beginning was to improve the world’s security by preventing the use of vulnerable software,” Appcanary founders Max Veytsman and Phill Mendonça-Vieira write in today’s announcement. “At the time, this required placing a bet on building a certain kind of business, and fo

Hack the Air Force 2.0 bug bounty effort yields 106 vulnerabilities

The U.S. Air Force has once again engaged with hackers in a bid to help improve the security of the Air Force's public-facing digital assets. The 20-day Hack the Air Force 2.0 security initiative was operated by the HackerOne bug bounty platform and involved security researchers from 26 countries who were all looking to find vulnerabilities. As part of the Hack the Air Force 2.0 effort, 106 valid vulnerabilities were discovered, with the Air Force paying a total of $103,883 in awards to security researchers. The first Hack the Air Force program in June 2017 resulted in $133,400 in awards that were paid to security researchers. "This is the first time that we've had Department of Defense personnel on site in a live hacking program," Alex Rice, co-founder and CTO of HackerOne, told eWEEK. "W

Trend Micro awards $823,000 in prizes at Pwn2Own hacking competition

Virtualization hypervisor technology is supposed to isolate virtual machines from the underlying operating system. Yet on the final day of the 10th anniversary Pwn2Own hacking challenge on March 17, two teams of security researchers—360 Security and Tencent Security Team Sniper—were each able to escape the security isolation that virtualization is supposed to provide. The three-day Pwn2Own 2017 event, which was once again held at the CanSecWest conference in Vancouver, was run by Trend Micro's Zero Day Initiative (ZDI), which pays security researchers for responsibly disclosing zero-day vulnerabilities. In total, Trend Micro awarded researchers $823,000 in prize money, with $233,000 awarded on the first day, $340,000 on the second day, and $250,000 on the third and final day of the event. As

Air Force launches bug bounty program

The Air Force announced today that it will launch a bug bounty next month for several of its public-facing websites, allowing hackers to seek out vulnerabilities in the sites and exchange them for cash rewards. Over the past year, the federal government has slowly started to open up to the idea of bug bounty programs. Hack the Pentagon, which launched last April, was the government’s first foray into bug bounties, and the program has since been expanded to include Army websites as well. The Air Force bug bounty will be the first federal government program that invites hackers from outside the United States to participate — the challenge will be open to hackers based in the U.K., Canada, Australia and New Zealand as well as those based in the U.S. Like other federal bug bounties before it, th

The world’s largest DDoS attack took GitHub offline for less than ten minutes

In a growing sign of the increased sophistication of both cyber attacks and defenses, GitHub has revealed that it weathered the largest-known DDoS attack in history this week. DDoS — or distributed denial of service in full — is a cyber attack that aims to bring websites and web-based services down by bombarding them with so much traffic that their services and infrastructure are unable to handle it all. It’s a fairly common tactic used to force targets offline. GitHub is a common target — the Chinese government is widely suspected to be behind a five-day-long attack in 2015 over its hosting of software to bypass its internet censorship system — and this newest assault tipped the scales at an incredible 1.35Tbps at peak. In a blog post retelling the incident, GitHub said the attackers hijacked s

Family of teen who died after wisdom teeth procedure sues Edina dentist

The “negligent and dangerous” actions of an Edina oral surgeon during a routine wisdom teeth extraction led to the death of an Eden Prairie teen, the teen’s family is alleging in a lawsuit filed this week in Hennepin County District Court. The medical malpractice and wrongful death suit against Dr. Paul Tompach, who continues to see patients under state licensing board restrictions, alleges that several missteps caused the death of Sydney Galleger in June 2015. The lawsuit’s allegations about what Tompach did wrong early in the procedure mirror much of what the State Board of Dentistry investigation determined before it put him under indefinite restrictions starting in March 2016. Those missteps range from incorrectly administering general anesthesia to failing to provide proper monitoring durin