Attackers could use the flaw to steal credentials with no authentication required

Attackers could use the flaw to steal credentials with no authentication required

Developers have patched a critical vulnerability in Snipe-IT that could be exploited to send users malicious password reset requests.

Grokability’s Snipe-IT is a cloud-based, open source project for user asset management.

The popular system has been designed to replace sometimes clunky and ineffective Excel spreadsheets and accounts for roughly 3.4 million users, as well as over 6.7 million managed assets.

**RECOMMENDED** Zero-day bug in uClibc library could leave IoT devices vulnerable to DNS poisoning attacks

Snipe-IT’s GitHub repository has over 200 contributors and over 2,100 forks at the time of writing. Adopters can choose to have their Snipe-IT builds hosted by Grokability or they can manage it themselves.

On May 2, the project disclosed CVE-2022-23064, a critical vulnerability that has been awarded a CVSS severity score of 8.8.

**Server-side woes**

The vulnerability is described as a host header injection bug. Host header issues occur when server communication is handled in an unsafe way and can lead to a variety of problems including web cache poisoning, server-side request forgery (SSRF), or SQL injection attacks.

In Snipe-IT’s case, CVE-2022-23064 allowed attackers to send crafted host headers to the reset password request functionality of the system.

Target users could be sent password reset links that would, once clicked, lead them to an attacker-controlled server rather than a trusted domain managed by Snipe-IT users.

Read more of the latest security research news from around the world

The developers say that it would then be possible to steal password reset tokens, leading to account hijacking.

According to White Source, an example attack scenario is an attacker selecting ‘I forgot my password’ and submitting the selected victim’s username.

The request would be intercepted after clicking ‘email password reset’, and the host header would then be modified. If the would-be victim clicks the email link, complete with a modified base URL, the reset token is then logged and compromised.

**Protect your targets**

While user interaction is required to trigger a cyber-attack, no authentication or privileges are required to exploit the flaw.

Snipe-IT versions 3.0-alpha to v5.3.7 are vulnerable. Users are urged to upgrade to at least version v5.3.8.

One of the latest builds available – v.5.4.3 (v.5.4.4 was released on May 4) – also includes a patch to resolve a potential cross-site scripting (XSS) vulnerability in user requestable results.

Speaking to _The Daily Swig_, Grokability CTO Brady Wetherington said there is no evidence of any in-the-wild exploits. Furthermore, “our hosted platform was never vulnerable to the exploit, due to its configuration”.

**YOU MIGHT ALSO LIKE** State Bar of Georgia reels from cyber-attack

Serious Snipe-IT bug exploitable to send password reset email traps

Unpatched flaw caused by the predictability of transaction IDs

Unpatched flaw caused by the predictability of transaction IDs

  

A zero-day vulnerability in uClibc and uClibc-ng, a popular C standard library, could enable a malicious actor to launch DNS poisoning attacks on vulnerable IoT devices.

The bug, tracked as ICS-VU-638779, which has yet to be patched, could leave users exposed to attack, researchers have warned.

**DNS poisoning**

In a DNS poisoning attack, the target domain name is resolved to the IP address of a server that’s under an attacker’s control.

This means at if a malicious actor were to send a ‘forgotten password’ request, they could direct it to their own email address and intercept it – allowing them to change the victim’s password and access their account.

For an IoT device, this attack could potentially be used to intercept a firmware update request and instead directing it to download malware.

Read more of the latest news about DNS security

The DNS poisoning vulnerability was discovered by researchers at Nozomi Networks, who revealed that the issue remains unpatched, potentially exposing multiple users to attack.

Nozomi Networks states that uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, or Linux distributions such as Embedded Gentoo. uClibc-ng is a fork specifically designed for OpenWRT, a common operating system for web routers.

The library maintainer was unable to provide a fix, according to Nozomi. The researchers said they would refrain from sharing technical details or listing vulnerable devices until a patch is available.

“It’s important to note that a vulnerability affecting a C standard library can be a bit complex,” the team wrote in a blog post this week.

“Not only would there be hundreds or thousands of calls to the vulnerable function in multiple points of a single program, but the vulnerability would affect an indefinite number of other programs from multiple vendors configured to use that library.”

CATCH UP TLStorm 2.0: Millions of Aruba and Avaya network switches affected by RCE flaws

Zero-day bug in uClibc library could leave IoT devices vulnerable to DNS poisoning attacks

Bar suspends website after mystery assault

John Leyden 04 May 2022 at 13:01 UTC

Bar suspends website after mystery assault

The State Bar of Georgia in the US has suspended the normal operation of its website following “unauthorized access to its network”.

The authorized access by as-yet unidentified, or at least unnamed attackers is under investigation.

While it awaits the results of this investigation, the professional association for lawyers in the southern US state has shored up the security of its systems and hired external incident response consultants, as a holding page on its website explains:

Upon learning of the unauthorized access, we immediately took steps to secure the network, a cybersecurity firm was engaged and a thorough investigation is being conducted.

An endpoint detection and response system is being deployed throughout our network, which includes real-time continuous monitoring, analysis and response capabilities.

We are still investigating the incident and have not determined what information, if any, the unauthorized actor may have accessed. Updates will be posted on www.gabar.org as additional information is available.

**Breaking the law**

At the time of writing, the normal content of the Georgia Bar website has been replaced with this holding statement along with contact telephone numbers for its various divisions.

The holding statement was also published in updates to the State Bar of Georgia official Twitter account on Tuesday (May 3).

Read about more of the latest cyber-attacks

The type of intrusion, much less who carried it out, remains unclear. A hack exploiting vulnerabilities on the State Bar of Georgia’s website, or some form of malware\-based attack, are among the many possible exploitations for the incident.

The Daily Swig asked the State Bar of Georgia for comment on the nature of the breach it had suffered, as well as on whether or not personal information might have been exposed.

We’ll update this story as and when more information comes to hand.

RELATED Data breach at US energy supplier Riviera Utilities

State Bar of Georgia reels from cyber-attack

Patches issued for vulnerabilities arising from misuse of NanoSSL TLS library

Patches issued for vulnerabilities arising from misuse of NanoSSL TLS library

Critical security vulnerabilities in the implementation of TLS encryption in a raft of popular network switches have put millions of devices deployed in enterprise and critical infrastructure environments at risk.

Security researchers unearthed five remote code execution (RCE) vulnerabilities affecting various Aruba and Avaya devices that could result in the exfiltration of network traffic or sensitive information, as well as breakage of network segmentation and lateral movement to additional devices.

The vulnerable models are deployed in a variety of contexts, including airports, hospitals, and hotels.

Researchers from IoT security firm Armis said they had found no indication that the vulnerabilities have been exploited.

**TLStorm brewing**

Collectively dubbed ‘TLStorm 2.0’, the flaws arise from the misuse of Mocana’s NanoSSL TLS library, which accounted for another three vulnerabilities in other networking devices documented by Armis a few weeks ago.

Disclosed back in March, the ‘TLStorm 1.0’ flaws could enable attackers to cause physical damage to Schneider Electric’s APC Smart-UPS devices, which provide emergency backup power to network devices, as well as to connected devices.

DON’T MISS Security bug in VMWare Workspace ONE could allow access to internal, cloud networks

Several Aruba switch models – series 5400R, 3810, 2920, 2930F, 2930M, 2530, 2540 – are said to be vulnerable to two of the latest flaws.

Tracked as CVE-2022-23677, and with a near-maximum CVSS score of 9.0, an RCE issue arises from mishandled TLS connections on the RADIUS authentication client and captive portal, a login web page governing access to network resources.

Consequently, an attacker could potentially intercept the RADIUS connection via a manipulator-in-the-middle (MitM) attack to gain RCE over the switch with no user interaction.

Read more of the latest hardware security news

With a CVSS of 9.1, CVE-2022-23676 relates to two memory corruption vulnerabilities in the RADIUS client that lead to heap overflows of attacker-controlled data.

The other three RCE vulnerabilities are ‘zero-click’ issues affecting the web management portal of Avaya Series ERS3500, ERS3600, ERS4900, and ERS5900.

They include a pair of CVSS-9.8 rated issues, including a heap overflow (CVE-2022-29860) and stack overflow (CVE-2022-29861).

The third flaw, another heap overflow issue, affects a discontinued Avaya product line and therefore won’t be patched, although data allegedly shows that these devices can still be found in the wild, according to Armis.

**Patches and mitigations**

Most of the vulnerabilities have been patched, said Armis. A spokesperson for HPE, which owns Aruba, told The Daily Swig:

“HPE is aware of this issue, which impacts a limited number of switch models and firmware versions, and is working on a firmware update to address it. In the interim, we are advising customers using affected products to implement firewall controls to protect themselves. We are not aware of any exploitation of this vulnerability involving Aruba customers.

“For additional information, please see the security advisory.”

The Daily Swig has also invited Avaya researchers to comment. We will update this story if they respond.

**‘Yet to be found’**

Barak Hadad, head of research at Armis, told The Daily Swig that it was noteworthy that developers from three vendors, “working on completely different codebases, made the same mistake” in implementing NanoSSL incorrectly.

“We believe that other devices that misuse the NanoSSL library in the same way are yet to be found.”

He added that the TLStorm 2.0 flaws contradict the widely-held belief that network segmentation is “a bulletproof security mechanism”.

Armis researchers will discuss the TLStorm vulnerabilities at Black Hat Asia 2022 next week.

YOU MIGHT ALSO LIKE Path traversal flaw found in OWASP enterprise security testing library

<span>TLStorm 2.0: Millions of Aruba and Avaya network switches affected by RCE flaws</span>

Difficult-to-exploit ESAPI vulnerability offers best practice lessons

Difficult-to-exploit ESAPI vulnerability offers best practice lessons

The Open Web Application Security Project (OWASP) has fixed a vulnerability in its Enterprise Security API (ESAPI) that, if left unresolved, might have been abused to run path traversal attacks.

The issue, which involved the ESAPI validator interface and had a security severity rating of 7.5 out of 10, can be resolved by applying the patched 2.3.0.0 release.

OWASP ESAPI offers a utility that can help enterprise software developers to write more secure code by offering an interface that flags potential coding errors.

Although the vulnerable component would be hard to exploit, an update is nonetheless recommended since the potential impact is high, as an advisory by OWASP explains:

The default implementation of may incorrectly treat the tested input string as a child of the specified parent directory. This could potentially allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the ‘input’ path.

**Limited impact**

OWASP ESAPI project co-leader Kevin Wall told _The Daily Swig_ that “most applications using ESAPI likely don’t even use the affected method” so the potential impact of the vulnerability is application specific.

“With all library vulnerabilities, it is hard to gauge how exposed a generic application is to exploit a vulnerability in a library.”

Wall added: “Even when that is used within an application, that still does not mean that it is exploitable within your application itself. You really have to analyze it on a case-by-case basis.”

Read more of the latest secure development news

According to Wall, in most use cases the vulnerable ESAPI would be used in conjunction with a web application firewall (WAF) or intrusion Detection software – factors further limiting the scope for harm.

On the question of severity, the software developer concluded: “I don’t think this is really a ‘high’ vulnerability, but that’s what we go have with because that’s what CVSSv3.1 spits out.”

**Lessons to learn**

While the vulnerability in play is unlikely to be exploited, and even less likely to cause much harm, the bug offers lessons for software developers, according to Wall.

For one thing, application developers using libraries should use a software composition analysis (SCA) tool and know its limits.

“Some SCA tools only find vulnerabilities reported in direct dependencies, but not in transitive dependencies,” Wall explained.

“And if you decide not to patch, then you need to do a deep-dive analysis to see exactly how the vulnerability in some library impacts your application and what types of mitigating controls you can put up (e.g., maybe ‘virtual patching’ via a WAF) to reduce the risk.”

**DON’T FORGET TO READ** NPM developer reputations could be leveraged to legitimize malicious software

The flaw may also be instructive for library developers because it illustrates the utility of static application security testing (SAST) tools.

“For library developers, run SAST tools of some sort and review the results, but also try to have adequate test coverage and at least do manual code reviews of the ‘git diffs’ when PRs are submitted but before they are merged,” Wall advised.

Although coding mistakes made in developing ESAPI led to the flaw, these were understandable mistakes, according to Wall.

He concluded: “I think the place where ESAPI dropped the ball is that there was no specific test that would have brought this to our attention and that’s on us, although I think in our defense, it was mostly the unawareness of everyone who previously touched that code that acts differently when a value for a directory is not ‘/’ terminated. I think that’s a bit unintuitive.”

**RECOMMENDED** Security bug in VMWare Workspace ONE could allow access to internal, cloud networks

Path traversal flaw found in OWASP enterprise security testing library

Difficult-to-exploit ESAPI vulnerability offers best practice lessons

The Open Web Application Security Project (OWASP) has fixed a vulnerability in its Enterprise Security API (ESAPI) that, if left unresolved, might have been abused to run path traversal attacks.

The issue, which involved the ESAPI validator interface and had a security severity rating of 7.5 out of 10, can be resolved by applying the patched 2.3.0.0 release.

OWASP ESAPI offers a library of security controls that can help enterprise software developers to write more secure code. The technology is designed to be embedded in (mostly web) applications as a proactive set of security measures.

Although the vulnerable component would be hard to exploit, an update is nonetheless recommended since the potential impact is high, as an advisory by OWASP explains:

The default implementation of may incorrectly treat the tested input string as a child of the specified parent directory. This could potentially allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the ‘input’ path.

**Limited impact**

OWASP ESAPI project co-leader Kevin Wall told _The Daily Swig_ that “most applications using ESAPI likely don’t even use the affected method” so the potential impact of the vulnerability is application specific.

“With all library vulnerabilities, it is hard to gauge how exposed a generic application is to exploit a vulnerability in a library.”

Wall added: “Even when that is used within an application, that still does not mean that it is exploitable within your application itself. You really have to analyze it on a case-by-case basis.”

Read more of the latest secure development news

According to Wall, in most use cases the vulnerable ESAPI would be used in conjunction with a web application firewall (WAF) or intrusion Detection software – factors further limiting the scope for harm.

On the question of severity, the software developer concluded: “I don’t think this is really a ‘high’ vulnerability, but that’s what we go have with because that’s what CVSSv3.1 spits out.”

**Lessons to learn**

While the vulnerability in play is unlikely to be exploited, and even less likely to cause much harm, the bug offers lessons for software developers, according to Wall.

For one thing, application developers using libraries should use a software composition analysis (SCA) tool and know its limits.

“Some SCA tools only find vulnerabilities reported in direct dependencies, but not in transitive dependencies,” Wall explained.

“And if you decide not to patch, then you need to do a deep-dive analysis to see exactly how the vulnerability in some library impacts your application and what types of mitigating controls you can put up (e.g., maybe ‘virtual patching’ via a WAF) to reduce the risk.”

**DON’T FORGET TO READ** NPM developer reputations could be leveraged to legitimize malicious software

The flaw may also be instructive for library developers because it illustrates the utility of static application security testing (SAST) tools.

“For library developers, run SAST tools of some sort and review the results, but also try to have adequate test coverage and at least do manual code reviews of the ‘git diffs’ when PRs are submitted but before they are merged,” Wall advised.

Although coding mistakes made in developing ESAPI led to the flaw, these were understandable mistakes, according to Wall.

He concluded: “I think the place where ESAPI dropped the ball is that there was no specific test that would have brought this to our attention and that’s on us, although I think in our defense, it was mostly the unawareness of everyone who previously touched that code that acts differently when a value for a directory is not ‘/’ terminated. I think that’s a bit unintuitive.”

**RECOMMENDED** Security bug in VMWare Workspace ONE could allow access to internal, cloud networks

Path traversal flaw found in OWASP enterprise library of security controls

Jessica Haworth 03 May 2022 at 12:45 UTC

Unknown actor accessed employee emails

  

A data breach at Riviera Utilities, a utility company serving Baldwin County in Alabama, has exposed the personal details of customers after employee email accounts were accessed.

In a statement released last night (May 2), the company confirmed that an unknown actor had gained access to internal data.

Exposed details include the personal information of a “limited number of individuals”, such as names, Social Security numbers, driver’s license or state identification numbers, passport numbers, medical information, health insurance information, credit or debit card numbers, card expiration dates, and card CVVs.

The elements of personal information varied for different customers, Riviera Utilities added.

Read more of the latest data breach news

A forensic investigation carried out on March 28, 2022, determined that the email accounts were accessed on or about October 17, 2021. Those affected in the breach were notified on April 26.

Riviera Utilities said in a statement: “This access did not include the systems storing auto-pay, bank draft data, or other personal information. Additionally, any personal information entered and submitted through Riviera’s website was unaffected by this security incident.

“We have no evidence that any personal information was misused as a result of this incident. However, out of an abundance of caution, we notified individuals whose information may have been included in the files present in the impacted employee email accounts.”

Those affected by the breach are being offered free credit monitoring services.

YOU MAY ALSO LIKE Data breach at US healthcare provider ARcare impacts 345,000 individuals

Data breach at US energy supplier Riviera Utilities exposes customer information

Faulty invitation mechanism enabled ‘package planting’ attacks

Faulty invitation mechanism enabled ‘package planting’ attacks

Open source software developers’ reputations could be abused to spread malicious NPM packages without their knowledge or consent, security researchers have revealed.

On April 26, the cybersecurity team at Aqua’s Team Nautilus published a security advisory on the issue, which “allowed threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it”.

Until recently, GitHub’s NPM platform allowed any developer to be added to a project as a maintainer without their permission – a potential blind spot that threat actors could readily weaponize.

YOU MAY ALSO LIKE IBM database updates address critical vulnerabilities in third-party XML parser

If an attacker “carefully handpicks” trusted and popular maintainers, then adds them – without their approval – to a malicious package, this could make a package appear legitimate and encourage users to download it, said the researchers.

This technique has been dubbed “package planting” by Team Nautilus.

**Logic flaw**

“For instance, the package lodash is highly popular and credible,” the researchers say. “If we add its owners Mathias, jdalton, and bnjmnt4n to a new, malicious package, many developers may be tricked into thinking that this package is legitimate and even appealing.”

Lodash, a JavaScript library for utility functions, has been downloaded over 42 million times and has more than 154,000 dependents.

Developers whose reputations are exploited in this way would not be made aware that they were added as package maintainers due to a logic flaw in NPM’s invitation mechanism.

Furthermore, a threat actor could, in theory, add a popular maintainer to a malicious package and then report them for illicit activities – potentially undermining their reputation.

The logic issue was reported to GitHub’s bug bounty platform via HackerOne on February 10, and a fix was deployed on April 26 in the form of a new confirmation mechanism.

Read more of the latest software supply chain attack news

Adding a new maintainer to an NPM project without their approval is no longer possible.

“It’s important to use reliable sources for any third-party components and to secure your environment with solutions that can detect software supply chain threats such as package planting,” the researchers commented.

“NPM users should check that all the packages that are listed under their name truly belong to them, to make sure they weren’t added to any projects without their consent.”

**Package Analysis project**

In related news, on April 28, Google announced its support for the Open Source Security Foundation's (OpenSSF) Package Analysis project, a prototype scheme for clamping down on the propagation of malicious NPM packages.

The Package Analysis program is being developed to dynamically scan uploaded NPM packages for malicious signatures and to “identify when previously safe software begins acting suspiciously”.

Google is a member of OpenSSF. The tech giant conducted a study of 200 malicious NPM packages uploaded over the course of a month and found that most attacks are based on typosquatting and dependency confusion techniques.

“This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem,” OpenSSF says. “Though the project has been in development for a while, it has only recently become useful following extensive modifications based on initial experiences.”

The Daily Swig has reached out to GitHub and Aqua with additional queries and we will update this story if and when we hear back.

RELATED Socket: New tool takes a proactive approach to prevent OSS supply chain attacks

Poisoned packages: NPM developer reputations could be leveraged to legitimize malicious software

Users should patch immediately

A security vulnerability in a mobile device management software could allow attackers access to organizations’ internal and cloud networks, researchers warn.

Discovered by Assetnote, the server-side request forgery (SSRF) bug was found in VMWare Workspace One UEM.

Tracked as CVE-2021-22054, the vulnerability could risk credentials and other sensitive data falling into the hands of malicious attackers.

Read more of the latest news about security vulnerabilities

“We discovered a pre-authentication vulnerability that allowed us to make arbitrary HTTP requests, including requests with any HTTP method and request body,” the researchers wrote in a blog post.

“In order to exploit this SSRF, we had to reverse engineer the encryption algorithm used by VMWare Workspace One UEM.”

The team were able to breach “a number of” organizations using the software, accessing both their internal network and cloud services.

DON’T MISS VirusTotal debunks claims of a serious vulnerability in Google-owned antivirus service

Speaking to The Daily Swig, Assetnote’s Subham Shah said: “While I cannot share exact details about what companies were effected, there were a large number of enterprises that were vulnerable to this.

“In some cases, it was possible to use this vulnerability to breach the AWS accounts of the companies.”

Shah added: “The impact of this vulnerability is rather on the organization running the software, instead of the individual users that are using the products.

“Using the SSRF vulnerability, it is possible to reach arbitrary hosts on the internal network. On cloud networks such as AWS, it is possible to reach the metadata IP address and potentially steal security credentials.

“Using these security credentials, it is possible to escalate the vulnerability to gain access to other infrastructure belonging to a company.”

**Remediations**

The issue, which was first discovered in November 2021, has since been patched by the vendor.

Shah said that while VMware dealt with the issues “in a timely manner”, researchers agreed to the vendor’s request for more time to release more patches and allow customers to patch their instances before disclosure.

An advisory from VMWare contains details of fixes for the software.

Shah advised users of mobile management device software “if possible, do not expose the MDM solution to the external internet”.

YOU MAY ALSO LIKE IBM database updates address critical vulnerabilities in third-party XML parser

Security bug in VMWare Workspace ONE could allow access to internal, cloud networks

New web targets for the discerning hacker

New web targets for the discerning hacker

Bug Bounty hunters who’d like a little more financial predictability in their lives were given that option this month, with a new program from Intigriti offering payment by the hour.

A combination of bug bounty hunting and penetration testing models, there will be payment for the number of hours a participant spends searching for vulnerabilities, as well as a capped reward for individual bugs. In a pre-launch pilot, hackers collectively earned more than €100,000 ($106,000).

In payout news, a hacker who goes by the name ‘Stealthy’ netted $36,000 in bug bounties after uncovering critical HTTP request smuggling vulnerabilities affecting three of Apple’s core web applications.

Queue poisoning attacks enabled data disclosure and account takeover with no user interaction required, Stealth explained. The bugs affected servers for business.apple.com, school.apple.com, and mapsconnect.apple.com.

Two hacking contests earlier this month also saw researchers earn a bumper crop of rewards.

There were payouts totalling $400,000 at the second edition of Pwn2Own Miami for dozens of previously undiscovered exploits targeting industrial control systems, for instance.

Daan Keuper and Thijs Alkemade were crowned Masters of Pwn with 90 points and $90,000 accrued for their team, while rewards were given for previously unknown zero-day vulnerabilities in industrial control platforms.

Meanwhile, ‘Hack Me I’m Famous’, an overnight hackathon held by bug bounty platform YesWeHack, saw 40 bug bounty hunters compete to find vulnerabilities in French scale-ups or start-ups valued at more than $1 billion.

Of 109 vulnerability reports, 30% were rated as either high or critical severity bugs, with one researcher netting the maximum payout of €10,000.

And finally, an access control vulnerability in open source scheduling platform Easy!Appointments was found to give unauthenticated attackers easy access to personally identifiable information. An unprotected API could expose names, places, and times of bookings made using the app.

The find earned Francesco Carlucci, founder of vulnerability notification platform OpenCIRT, a “small” reward.

**The latest bug bounty programs for May 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**AEX**

Program provider:  
HackenProof

Program type:  
Public

Max reward:  
$5,000

Outline:  
Digital asset exchange AEX is looking to find critical bugs in its web, mobile, and API targets.

Notes:  
There is an extensive list of out-of-scope targets that must be avoided. As ever, it’s worth taking a look before you start hunting.

Check out the AEX bug bounty page at HackenProof for more details

**American Systems**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$3,000

Outline:  
Management consulting services firm American Systems said it “looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe”.

Notes:  
Rewards are based on severity per CVSS. However, the company said these are “general guidelines, and reward decisions are up to the discretion of American Systems”.

Check out the American Systems’bug bounty page at HackerOne for more details

**ExpressVPN – enhanced**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
$100,000

Outline:  
ExpressVPN has increased its top reward – which is now 10 times higher than the previous highest bounty – with $10,000 now on offer for valid critical flaws unearthed in ExpressVPN’s TrustedServer.

Notes:  
ExpressVPN built TrustedServer to mitigate the risks posed by traditional server management and the elevated bug bounty reward supplements an independent security audit by PwC.

Read the related ExpressVPN press release for more details

**IoTex**

Program provider:  
HackenProof

Program type:  
Public

Max reward:  
$15,000

Outline:  
IoTeX is “the leading decentralized network powering the future of web3 and machine economy (MachineFi)”. It is asking researchers to find vulnerabilities in its web domains, mobile apps, and APIs.

Notes:  
The top three vulnerabilities in scope are business logic issues, payments manipulation, and remote code execution.

Check out the IoTex bug bounty page at HackenProof for more details

**KAYAK**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$5,000

Outline:  
Travel company KAYAK is asking for reports related to vulnerabilities in its website, as well as a number of its subsidiaries.

Notes:  
Not all of KAYAK’s subsidiaries are in scope, so make sure to confirm before hacking.

Check out the KAYAK bug bounty page at HackerOne for more details

**Mastadon – enhanced**

Program provider:  
Intigriti

Program type:  
Public

Max reward:  
€20,000

Outline:  
Mastodon has increased its maximum payout bounty to €20,000.

Notes:  
The bug bounty platform announced on Twitter that the first hacker to claim the new maximum reward will also be gifted with a swag package. Don’t walk, run!

Check out the Mastodon bug bounty page at Intigriti for more details

**SHEIN**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$2,000

Outline:  
Fast fashion retailer SHEIN has launched a bug bounty program that includes targets related to its sister company Romwe.

Notes:  
This program comes after a successful, limited program last year.

Check out the SHEIN bug bounty page at HackerOne for more details

**Sorare**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$10,000

Outline:  
Sorare is a global fantasy football game where managers can trade official digital collectibles.

Notes:  
Three assets are in scope: Sorare.com plus Sorare’s API and WebSocket domain.

Check out the Sorare bug bounty page at HackerOne for more details

**Other bug bounty and VDP news this month**

*   Pfizer has launched a vulnerability disclosure program with HackerOne, because looking for “potential issues helps us ensure the security and privacy of customers and data”.
*   Love swag? Who doesn’t! Intigriti has been giving away monthly swag bags on Twitter – see here.

Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for April 2022

Source

PortSwigger