ZDNet: Facebook launches bug bounty ‘loyalty program’

ZDNet: Facebook launches bug bounty ‘loyalty program’. “Designed after the loyalty programs used by airlines and hotels, Facebook said Hacker Plus would provide extra bonuses and special perks to bug hunters based on their past reports. Any researcher who submitted or submits bugs to Facebook’s bug bounty program is automatically included and ranked inside the Hacker Plus loyalty program.”

BetaNews: Security researcher discovers vulnerabilities in iOS and macOS that could be exploited to hack webcams

BetaNews: Security researcher discovers vulnerabilities in iOS and macOS that could be exploited to hack webcams. “Ryan Pickren, a former Amazon Web Services (AWS) security engineer, found a series of security flaws in Apple’s web browser, some of which could be exploited to hijack the camera of a Mac or iPhone to spy on users. The webcam hacking technique combined a total of three zero-day bugs.”

ZDNet: Apple opens public bug bounty program, publishes official rules

ZDNet: Apple opens public bug bounty program, publishes official rules. “Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas. Until today, Apple ran an invitation-based bug bounty program for selected security researchers only and was accepting only iOS security bugs.”

Neowin: Google’s bug bounty program for Android can now pay up to $1.5 million for a single exploit

Neowin: Google’s bug bounty program for Android can now pay up to $1.5 million for a single exploit. “Google’s Android Security Rewards Program has been around since 2015, and resulted in millions of dollars paid to security researchers who exploit issues on the mobile operating system. Today, the company is expanding the rewards researchers can get, and the most notable addition is a new reward that can be worth as much as $1.5 million.”

TechCrunch: Google to pay security researchers who find Android apps and Chrome extensions misusing user data

TechCrunch: Google to pay security researchers who find Android apps and Chrome extensions misusing user data. “Google said it will pay security researchers who find ‘verifiably and unambiguous evidence’ of data abuse using its platforms. It’s part of the company’s efforts to catch those who misuse user data collected through Android apps or Chrome extensions — and to avoid its own version of a scandal like Cambridge Analytica, which saw millions of Facebook profiles scraped and used to identify undecided voters during the U.S. presidential election in 2016.”

Lifehacker: Earn Thousands of Dollars for Finding Bugs in Facebook’s Libra Cryptocurrency

Lifehacker: Earn Thousands of Dollars for Finding Bugs in Facebook’s Libra Cryptocurrency. “While we’re still waiting on a specific release date for Facebook’s upcoming cryptocurrency, Libra, the company is aiming for an early 2020 release. That gives you plenty of time to find bugs in the currency’s infrastructure—a project that could reward you handsomely.”

CNET: Instagram will pay researchers to uncover abuse of users’ personal data

CNET: Instagram will pay researchers to uncover abuse of users’ personal data. “Instagram will pay a bounty to security researchers who find evidence that third-party apps are misusing your personal data. The program aims to encourage experts outside of Instagram and its parent company Facebook to tackle a major problem the social network faces: apps that scrape user data or try to trick you into sharing passwords and other sensitive information.”

Mashable: FaceTime bug teenager is eligible for bug bounty payout

Mashable: FaceTime bug teenager is eligible for bug bounty payout. “The rather serious FaceTime bug widely reported about last week left Apple a little red-faced and one 14-year-old (and his mother) hoping Apple would give him some credit for discovering it. Now it looks like he’s going to get a big payout from Apple’s bug bounty program.”

Ubergizmo: Hyatt Hotels Launches Its Own Bug Bounty Program

Ubergizmo: Hyatt Hotels Launches Its Own Bug Bounty Program. “It’s common for tech companies to have a bug bounty program. That allows them to tap into the incredible talents of whitehat hackers who disclose vulnerabilities in their systems in exchange for a reward. Hyatt Hotels isn’t a tech company, it’s a major hospitality chain. However, in light of the recent card-skimming attacks against its properties, the hotel chain has launched its own bug bounty program.” Considering how many hotels and hospitality businesses get hacked, I think this is a great idea.

Julia Reda: In January, the EU starts running Bug Bounties on Free and Open Source Software

Julia Reda: In January, the EU starts running Bug Bounties on Free and Open Source Software. “In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on. A bug bounty is a prize for people who actively search for security issues. The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software.”

eWeek: Facebook Boosts Bug Bounty Payouts for Account Takeover Flaws

eWeek: Facebook Boosts Bug Bounty Payouts for Account Takeover Flaws. “In an effort to improve user account security and mitigate hijacking threats, Facebook announced on Nov. 20 that it is increasing the awards it pays out to security researchers for responsibly disclosing flaws. The increases come via Facebook’s bug bounty program, which provides financial rewards for researchers who report issues to the social networking giant.”

TechCrunch: Facebook expands bug bounty program to include third-party apps and websites

TechCrunch: Facebook expands bug bounty program to include third-party apps and websites. “Facebook announced this morning it’s expanding its bug bounty program – which pays researchers who find security vulnerabilities within its platform – to now include issues found in third-party apps and websites. Specifically, Facebook says it will reward valid reports of vulnerabilities that relate to the improper exposure of Facebook user access tokens.”

MIT Technology Review: Crowdsourcing the hunt for software bugs is a booming business—and a risky one

MIT Technology Review: Crowdsourcing the hunt for software bugs is a booming business—and a risky one. “This cybersecurity gig economy has expanded to hundreds of thousands of hackers, many of whom have had some experience in the IT security industry. Some still have jobs and hunt bugs in their spare time, while others make a living from freelancing. They are playing an essential role in helping to make code more secure at a time when attacks are rapidly increasing and the cost of maintaining dedicated internal security teams is skyrocketing.”

CNET: HP will pay hackers up to $10,000 to break its printers

CNET: HP will pay hackers up to $10,000 to break its printers. “HP isn’t asking people to smash its printers to pieces, but the company is willing to pay people to break its software apart. On Tuesday, HP announced its first bug bounty program that specifically targets its printers, offering as much as $10,000 to hackers who can find vulnerabilities on its machines.”