New eXtended Detection and Response Solution is 450X more efficient than typical SOCs at converting telemetry and logs into actionable alerts.

**SAN JOSE, Calif. March 1, 2023** **–** Forescout Technologies Inc., the global leader in automated cybersecurity, today unveiled Forescout XDR, to help enterprises better detect, investigate, and respond to the broadest range of advanced threats, across the extended enterprise.

A typical SOC is flooded with 450 alerts per hour1, and analysts waste precious time trying to correlate low fidelity alerts and chasing false positives, often at the expense of focusing on legitimate attacks. Until now, a security operations center’s (SOC) field of view for threat detection and response has excluded critical devices that are increasingly common points of attack, including operational technology (OT), industrial control systems (ICS), building management systems (BMS), and medical and IoT devices. In addition, the technology stack that SecOps teams have had to rely on has made it difficult to respond to these threats in a rapid and comprehensive manner.

"The true value of an XDR solution lies in its ability to ingest telemetry and data from across the entire enterprise: cloud, campus, remote and datacenter environments, and every managed and unmanaged connected device. This is what the X in XDR is all about, after all," said **Justin Foster, CTO, Forescout.** "Traditional XDR products lack this capability, or they only leverage data from the vendor’s own EDR or a few other security tools. This significantly limits the flexibility, scalability and effectiveness that an XDR solution must provide."

Through the advanced application of data science and automation, Forescout XDR generates one high-fidelity alert that truly warrants analyst investigation, from every 50 million logs ingested, per hour2. Because Forescout XDR is vendor- and EDR-agnostic, this ingestion includes data from over 170 security, infrastructure, application, cloud/SaaS and enrichment sources, and dozens of leading vendors. And with over 70 sources of threat intelligence and 1500 verified detection rules and models, and data onboarding included, Forescout XDR customers can be operational within hours, actively detecting, investigating, and responding to threats.

"Forescout XDR, with the breadth and richness of its capabilities, particularly its dashboards and reporting, provides an out-of-the-box solution to SOC challenges that we spent 18-24 months trying to address," said **Samer Mansour, CISO, Panasonic Corporation of North America**. "It was easy to deploy, and fully operational in a matter of weeks. And with its tight integration to Forescout’s network security and visibility solutions, and our broader security tech stack, it gives us the ability to exert a lot more control across our IT and OT environments, and further elevate our overall security."

Seamless integration with Forescout’s industry-leading network access control solution, helps ensure that customers can:

1\.   Reduce the attack surface, and the risk of an attack in the first place, by preventing compromised or non-compliant devices from connecting to their networks. This proactive approach to XDR further elevates the effectiveness and performance of a modern SOC.

2.  Automate response workflows that can immediately touch every managed and unmanaged connected device, across the enterprise. This reduces an attack's blast radius in real-time, allowing proper mitigation or remediation measures to be completed. 

Because Forescout XDR has a multi-tenant architecture and supports local data storage while also being able to provide an aggregated global view of threats and SOC performance, it is ideally suited to large enterprises, multi-nationals, organizations with regional SOCs and managed security service providers (MSSPs).

**Pricing**

SaaS licensing is based on the total number of endpoints in the enterprise. As such, customers have the flexibility to leverage the data sources needed to fully support the use cases important to them, and help ensure better detection, without concern for escalating or fluctuating costs associated with cloud log storage.

**About Forescout**

Forescout Technologies, Inc. delivers automated cybersecurity across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types- IT, IoT, OT, IoMT, and cloud environments. The Forescout Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets. www.forescout.com

Forescout Addresses Modern SecOps Challenges With Launch of Forescout XDR

** DISPUTED ** In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.

Permalink

Browse files

mm/demotion: fix NULL vs IS\_ERR checking in memory\_tier\_init

alloc\_memory\_type() returns error pointers on error instead of NULL.  Use
IS\_ERR() to check the return value to fix this.

Link: https://lkml.kernel.org/r/20221110030751.1627266-1-linmq006@gmail.com
Fixes: 7b88bda ("mm/demotion/dax/kmem: set node's abstract distance to MEMTIER\_DEFAULT\_DAX\_ADISTANCE")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Cc: Wei Xu <weixugc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

*   Loading branch information

CVE-2023-23005: mm/demotion: fix NULL vs IS_ERR checking in memory_tier_init · torvalds/linux@4a625ce

More cyberattackers are targeting organizations' cloud environments, but some cloud services, such as Google Cloud Platform's storage, fail to create adequate logs for forensics.

Major cloud platforms, such as Google Cloud Platform (GCP), fail to adequately log the event data that could facilitate the detection of compromises and the forensic analysis during post-compromise response, according to an analysis. 

Cloud security firm Mitiga stated in an advisory published on March 1 that the Google Cloud Platform allows customers to turn on storage access logs, but faced with an attacker that successfully compromises a legitimate user's identity, the logs fail to provide enough detail, creating forensic visibility gaps.

The security issues include failing to generate dedicated log information for critical actions related to exfiltration, failing to collect detailed information about changes to data, and a general lack of visibility that would give a picture of what happened, the advisory stated.

A variety of events, for example, are included under a single type of access — such as reading a file or downloading data — leaving analysts unclear as to what actually happened, says Veronica Marinov, an incident response investigator with Mitiga and author of the advisory.

"Google Cloud storage logging is missing granular log events," she says. "In the case of interacting with bucket objects, you can’t really differentiate between downloading the object, viewing its content, and just looking at the metadata of the said object."

As companies move their infrastructure and operations to the cloud, attackers have followed. For instance, the company faced an opportunistic attacker that moved laterally inside a cloud environment to successfully steal sensitive data, only to be stopped by rigorous permissions, according to a report earlier this week.

In its latest annual "Global Threat Report", cybersecurity services firm CrowdStrike noted that cloud exploitation incidents had increased by 95% in 2022, compared with the previous year, while cloud-conscious threat actors — which the firm defined as those who use "a variety of tactics, techniques, and procedures (TTPs) to exploit cloud environments" — nearly tripled. The increase in cloud-focused attacks means that companies need to focus on visibility and really understanding the changes being made to cloud environments, says Adam Meyers, head of intelligence at CrowdStrike.

"For years, cloud threats have been concerning, but it was pretty low tech, and they generally resulted in a cryptominer being deployed," he says. "Cloud is clearly in the sights of the threat actors now."

**Logs Need More Detail**

A key to understanding what happened during a compromise is having adequate visibility through detailed logging of events in cloud services. Forensics investigators rely on logs to determine what happened, what data may have been at risk, and what threat actors accomplished, Mitiga stated in the advisory.

While attackers often turn off logging as part of their compromise of cloud services, a knowledgeable attacker could also skip that and construct an attack chain that results in very little detail being revealed in Google Cloud Platform log files, Mitiga stated.

"Unfortunately, GCP does not provide the level of visibility in its storage logs that is needed to allow any effective forensic investigation, making organizations blind to potential data exfiltration attacks," Mitiga said in its advisory. "This prevents organizations from efficiently responding to incidents, as they have no chance to correctly assess what data has been stolen or whether it has been stolen at all."

Google Cloud acknowledged the issues, while stressing that it does not consider the lack of visibility to impact the security of its platform. The company maintained that there is no risk of data infiltration, that the issue is not a vulnerability, and that customer data is secure (all assertions also made by Mitiga). Google Cloud plans to further investigate the forensics gap, however.

"While improving log forensics hasn't been an issue raised by our customers, we are continually evaluating ways to improve customers' insight into their storage," the company said in a statement sent to Dark Reading. "The highlighted forensics gap in the blog is one of those areas we are examining."

Among Google Cloud's recommendations are turning on and configuring VPC Service Controls and organization restriction headers, to limit access and produce additional log events.

**Not Just Google**

The ability to access detailed logs is part of the shared-responsibility compact between cloud providers and customers. To take responsibility for their infrastructure in the cloud, organizations need to have detailed insight into activity. While the advisory specifically calls out GCP, other cloud providers have similar issues, Marinov says, without naming names.

"We had seen, in other cloud providers, cases where we can't really understand what happened only by seeing the logs," she says. "We are in touch with vendors on such specific gaps. Only after completing our responsible disclosure process are we able to share details with the media."

Amazon's Simple Storage Service (S3) buckets, for example, collect the right level of detail, the advisory stated: "It is important to note that this deficiency is not inherent to cloud services and could be easily addressed by providing more detailed information in the logs. An example can be seen with AWS S3 access logs, which distinguish each of the event types with its own event log name."

Mitiga did not say whether AWS's other services are among those the company is investigating for gaps in forensics information.

What Happened in That Cyberattack? With Some Cloud Services, You May Never Know

Categories: News
Tags: AI

Tags:  voice

Tags:  generated

Tags:  synthetic

Tags:  bank

Tags:  banking

Tags:  telephone

Tags:  login

Tags:  account

Now that we have freely available artificial intelligence happily replicating people’s voices, could it be a security risk?



(Read more...)




The post AI voice cracks telephone banking voice recognition appeared first on Malwarebytes Labs.

Posted: February 28, 2023 by

Voice ID is slowly rolling out across various banks worldwide as a way to perform user authentication over the phone. However, questions remain about just how secure it is. Now that we have freely available artificial intelligence (AI) happily replicating people’s voices, could it be a security risk?

Some recent research suggests that it could.

Vice reporter Joseph Cox put it to the test, with surprising results. All it took was five minutes of recorded speech and a site that can learn to synthesise the voice in the recording.

At first the banking website refused to verify Cox's synthesized voice as genuine. But with a few tweaks, it soon allowed Cox into his account.

From here, he had access to account information, recent transactions, transfers, and balances. You’ll note from the video below that an additional piece of information is required here in the form of date of birth.

Thankfully, you can’t just use the voice on its own and log straight in to this bank. However, while dates of birth are often use as a form of authentication they are not secret. If an attacker is determined enough to find or create five minutes of your voice recordings, they are unlikely to be deterred by the (probably much easier) task of finding out your birth date.

The bank used for the test claims that criminals would rather use other more common methods of attack than AI voice recordings, and that deploying voice ID has led to “a significant dip in fraud with phone banking”. This may well be true, but that dip presumably occurred before the wide availability of AI tools like ChatGPT.

The stunt is a useful reminder that unlike passwords, which are either right or wrong, all forms of biometric authentication are analogue. Voice, fingerprint, face, and iris recognition all rely on a judgement of similarity, which creates opportunities for enterprising criminals who can produce realistic facsimiles. It's why your iPhone fingerprint recognition is backed up by a passcode, and why the bank in the test also included a birth date in its authentication process.

**What's  next for voice AI?**

The AI genie is most definitely out of the bottle, with AIs being used for all manner of good things, like additional voice lines in video game mods, and all sorts of bad things too.

If you’re deploying voice recognition as part of your business, it would be wise move to pay close attention to the rapidly improving area of voice synthesis. Don’t let the words “My voice is my password” come back to haunt you in the worst way imaginable.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

**RELATED ARTICLES**

AI voice cracks telephone banking voice recognition

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains.
GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware.
It notably employs search engine optimization (

Threat Intelligence / Malware

Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing **GootLoader** and **FakeUpdates** (aka SocGholish) malware strains.

GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware.

It notably employs search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware.

In the campaign detailed by cybersecurity company eSentire, the threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners' knowledge.

"When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader," eSentire researcher Keegan Keplinger said in January 2022.

The disclosure from eSentire is the latest in a wave of attacks that have utilized the Gootkit malware loader to breach targets.

GootLoader is far from the only JavaScript malware targeting business professionals and law firm employees. A separate set of attacks have also entailed the use of SocGholish, which is a downloader capable of dropping more executables.

The infection chain is further significant for taking advantage of a website frequented by legal firms as a watering hole to distribute the malware.

Another standout aspect of the twin intrusion sets in the absence of ransomware deployment, instead favoring hands-on activity, suggesting that the attacks could have diversified in scope to include espionage operations.

"Prior to 2021, email was the primary infection vector used by opportunistic threat actors," Keplinger said. From 2021 to 2023, browser-based attacks \[...\] have steadily been growing to compete with email as the primary infection vector."

"This has been largely thanks to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware

As more businesses shift away from running workloads on dedicated virtual machines to running them inside containers using workload orchestrators like Kubernetes, adversaries have become more interested in them as targets. Moreover, the benefits Kubernetes provides for managing workloads are also extended to adversaries. As adversaries leverage Kubernetes to run their workloads, their understanding of how these platforms work and can be exploited increases.

Azure Kubernetes Service (AKS) Threat Hunting

In Dataiku DSS 11.2.1, an attacker can download other Dataiku files that were uploaded to the myfiles section by specifying the target username in a download request.

 Watch Video

**The Single Platform For Everyday AI**

Dataiku is one central solution for the design, deployment, and management of AI applications.

**Designed for the Enterprise**

Dataiku is for teams who want to deliver advanced analytics using the latest techniques at big data scale.

**Data-Driven Decision Making for Everyone**

*   Tech Experts
    
*   Business Experts
    
*   Enterprise
    

Dataiku is for everyone, whether technical and working in code or on the business side and low- or no-code.

 

**Tech Experts**

 

**Spend more time on high-impact AI projects**

*   Use the same languages and tools you already know and love with additional efficiency.
*   Speed through tedious work and automate repetitive tasks to focus on high impact projects.
*   Get buy-in from all stakeholders by sharing your model insights visually, in a single click.
*   Deploy and monitor data science projects without relying on other teams.

Learn More

**Business Experts**

 

**The power of AI + your business expertise = unlimited opportunity**

*   Generate deeper intelligence faster from seamless data access, smart data preparation and repeatable, transparent data transformation.
*   Uplevel your machine learning skills and experiment with AutoML.
*   Effectively communicate insights with dashboards and customizable apps.
*   Collaborate with technical gurus to bring your business insights to life.

Learn More

**Enterprise**

 

**Leverage the power of AI in every business decision for transformative impact**

*   Respond quickly to rapidly changing market conditions with the power of AI in the hands of everyone regardless of technical expertise.
*   All-in-one data science platform seamlessly integrates into existing infrastructure to lower overall costs without compromising security.
*   Full transparency and governance for confidence in every business decision and stress-free audits.

Learn More

**Discover Dataiku for Your Industry**

Tackle thousands of use cases with Dataiku. Get started and deliver value immediately with a catalog of pre-built solutions.

**Get Started with Dataiku**

Start Your Dataiku 14-Day Free Trial  
or Install the Free Edition of Dataiku

Get Started

**Haven’t Made Your Resolutions Yet? Now’s Your Chance**

The year for all things AI and data is 2023.

Read this ebook to learn about the solutions to the main challenges businesses face (think AI talent, data quality concerns, costly infrastructure, and more) that will help accelerate productivity and efficiency in 2023 and beyond.

READ 2023 TRENDS EBOOK

**Watch AI & Us, a New Dataiku Web Series**

_Rather than asking, "Where do you think AI is going to be in 30 years?" it's better to say, "What society do we want in 35 years and how can we use AI to get us there?"_

WATCH THE NEW EPISODES NOW

**TechCrunch x NXP**

In this TechCrunch webinar, hear from Dataiku and NXP on how they're building a data organization that performs while also elevating the individual.

WATCH NOW

**The Dataiku AI Maturity Survey**

Answer 13 questions to get scored along the six drivers behind AI maturity — vision, data, system, talent, governance, and value — and get personalized recommendations to take your business to the next level.

TAKE THE SURVEY

**Rabobank's Data Journey, Revealed**

In the past year and a half, Rabobank has completed more than 100 AI projects and has reduced time to onboard data team members — in particular data scientists — from months to weeks.

GET THE FULL EBOOK

**Watch a Demo of Dataiku**

Dive in to a real-life data project built in Dataiku to see all the features of the platform - from data ingestion to deployment in production - in less than 15 minutes.

GET STARTED

**Dataiku Series F**

Dataiku’s latest investment of $200 million from Wellington Management will allow the company to cement its leadership position and prepare for its next phase of strong, sustainable growth.

DATAIKU'S INVESTORS

CVE-2023-24045: Dataiku | Everyday AI, Extraordinary People

Platform uniquely designed to facilitate automated compliance, security behavior change.

**MINNEAPOLIS****,** **Feb. 28, 2023** **/PRNewswire/ --** Hoxhunt, the leading cybersecurity behavior change software company, today announced the availability of the industry's foremost Human Risk Management Platform and three new products. For the first time, cybersecurity leaders can now focus on true visibility and measurable outcomes, not just regulatory and audit compliance.

According to the World Economic Forum, 95 percent of data breaches can be traced back to human error, mostly from clicking on targeted phishing attacks. Hoxhunt delivers high-ROI resilience with minimal resources by automating the transition of employees from being the greatest security risk to the most valuable resource. Hoxhunt's Human Risk Management Platform enables human threat intelligence—which is the only way to catch the millions of sophisticated phishing attacks that evade technical filters each year--into the security stack.

The AI-enabled platform offers three new products that can be aligned with an organization's security maturity state.

*   The new Comply product enables security awareness programs to be delivered automatically. From choosing the curriculum to customizing training content, Hoxhunt Comply enables security leaders to build a comprehensive program at the click of a button.
*   The Hoxhunt Change product adds capabilities to the market leading security behavior change solution. The advanced AI engine and machine learning algorithms transform employees into a global network of threat detection sensors that protect themselves and their organizations from threats that have infiltrated the perimeter. The AI platform delivers individualized, adaptive training experiences for employees at the edge of their skill levels at scale, resulting in lasting and measurable improvement. Even real phishing attacks are transformed into vital learning experiences when employees detect them. The platform assesses and expands individual abilities with quick micro-training nudges based on in-the-moment responses to both real and simulated phishing attacks, which in turn creates long-term engagement and optimal online behavior for employees.
*   Respond helps make sense of the threat feed to the SOC and automatically pinpoints the incidents that need attention. The Hoxhunt platform analyzes over 93,000 newly reported threats every day that have bypassed traditional security technology layers. Now organizations can harness the power of a global network of 1.5M human threat sensors to prevent the most malicious ransomware and BEC attacks.

Hoxhunt was established to take a people-first approach, going beyond traditional, compliance-based security awareness training and enabling a risk-based security strategy via measurable security behavior change.

"As bad actors refine their tactics, searching for gaps in security controls, employees have become the largest attack vector for cybercriminals looking to penetrate into corporate networks," said Mika Aalto, Co-Founder and CEO at Hoxhunt. "Employees are often overlooked as a part of an organization's security posture and attackers continue to exploit this. In most organizations, at best, employees receive generic awareness training in order to meet corporate compliance goals, initiatives which fail to alter employee cyber behavior or create the ability to detect and respond to social engineering attacks. Hoxhunt was established to solve this uncontrolled issue. With our human risk platform, organizations can significantly alter their employees' security skill levels to create a strong human detection engine when attackers surpass technical layers."

Hoxhunt's full-stack, AI-driven platform delivers:

*   **Increased Visibility:** Provides visibility into the true risk of an organization's human layer and the threats that have (or could have) infiltrated their systems.
*   **Measurable Risk Reduction:** Hoxhunt transforms employees into security assets, creating a global human threat sensor network to detect and eliminate email threats that slip past your technical protections. Hoxhunt drives the failure rate to just 2%, compared to 25% when using alternative phishing tools.
*   **Streamlined** **Reporting:** Maintains full control and visibility of employee training progress across departments, automatically generating reports that CISOs can utilize to translate improvements in organizational security posture.

Since its inception, Hoxhunt has helped some of the world's leading companies graduate from security awareness training into security behavior change and human risk management, including Airbus, DocuSign, Kaercher, and Victorinox. The company has also received numerous accolades in recent months. Hoxhunt was named a Best Software Company (EMEA) by G2 and received three awards from TrustRadius for security excellence.

To learn more about Hoxhunt and to request a demo, please visit: https://www.hoxhunt.com/.

**About Hoxhunt**

Hoxhunt helps security leaders and employees join forces to prevent data breaches. Hoxhunt is a Human Risk Management platform that goes beyond security awareness to drive behavior change and measurably lower risk. Data breaches start with people, so Hoxhunt does too. It combines AI and behavioral science to create individualized micro-training experiences people love. Employees learn to detect and report advanced phishing attacks. Operations teams respond fast with limited resources. And security leaders gain outcome-driven metrics to document reduced cybersecurity risk.

Hoxhunt Launches Human Risk Management Platform

New web targets for the discerning hacker

New web targets for the discerning hacker

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month.

The framework means that well-intentioned security researchers are free from legal jeopardy when they come to report computer security vulnerabilities in any system located in the European country – providing they follow a strict set of conditions and rules of conduct.

The guidelines, announced by the Centre for Cyber Security Belgium, apply to both private and public sector organizations. Belgium is further ahead on the curve, but it’s hoped that the scheme will inspire other countries to follow suit and companies to roll out vulnerability disclosure programs of their own.

In less congenial bug bounty-related news, independent researcher Peter Geissler publicly released the details of a set of vulnerabilities affecting Lexmark printers rather than accepting what he considered a derisory reward. The security bugs – which could be chained together to create a remote code execution attack – have since been fixed.

Another example of researchers baulking at bug bounty conditions came in the disclosure of a web security flaw in a marketing widget from analysts Gartner.

Security researcher Justin Steven wanted to write-up the technical details of a DOM-based cross-site scripting vulnerability in the Gartner Peer Insights widget, but the analyst firm warned the researcher that that it violated the rules of the private bug bounty program.

Steven publicly disclosed technical details of the vulnerability anyway, even though this meant he went without payment for the find.

There was drama aplenty when a new host of popular hacking tool XSS Hunter disclosed telemetry (anonymized statistics about the vulnerabilities unearthed) from security researchers using its version of the utility. Truffle Security faced a privacy backlash from security researchers upset that it was seemingly “peering over their shoulder” and going through their findings.

In response to the criticism, Truffle Security began offering end-to-end encryption as an option to security researchers using its version of XSS Hunter.

**The latest bug bounty programs for March 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**ATG (Enhanced)**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**ATG has raised rewards for medium, high, and critical bugs, and broadened its scope to encompass .atg.se and its subdomains. ATG is a Swedish gaming company that specializes in horse racing.

Check out the ATG bug bounty page for more details

**Bybit**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$20,000

**Outline:  
**The cryptocurrency exchange is paying out between $5,000 and $20,000 for the highest tier of criticality. The sole target in scope is bybit.com.

Check out the Bybit bug bounty page for more details

**Grindr**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The location-based social networking and dating application for the LGBTQ community cites RCE, arbitrary SQL queries on production databases, and significant authentication bypass flaws as potentially critical bugs.

Check out the Grindr bug bounty page for more details

**Linktree**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$7,500

**Outline:  
**Australian social media tool Linktree, which has 30 million users globally, has put “most” of its assets within the scope of the bug bounty program.

Check out the Linktree bug bounty page for more details

**Malwarebytes**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The anti-malware firm is offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing an RCE risk to Malwarebytes’ web properties or customers running its endpoint protection software, or leading to the takeover of AWS cloud infrastructure, will attract the greatest rewards.

Check out the Malwarebytes bug bounty page for more details

**Miro**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**The collaborative whiteboarding platform is offering rewards of up to $3,000. Out of scope assets include Jira Cards by Miro, Miro for Confluence, and Miro for Jira Cloud.

Check out the Miro bug bounty page for more details

**Ninja Kiwi Games**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**$3,750

**Outline:  
**The New Zealand-based video game developer has launched a second bug bounty program after a successful 2021 forerunner. Ninja Kiwi Games has created the Bloons, Bloons TD, and SAS: Zombie Assault franchises.

Check out the Ninja Kiwi Games bug bounty page for more details

**QNAP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**QNAP, the Taiwanese manufacturer of network-attached storage appliances, has invited hackers to probe its operating systems, applications, and cloud services for vulnerabilities.

Check out the QNAP bug bounty page for more details

**Skinport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Skinport, a marketplace for digital in-game items, has launched a program with rewards for critical flaws that open the door to trading or purchase manipulations. Vulnerabilities that result in unauthorized access to project servers or the disclosure of confidential data are also within scope.

Check out the Skinport bug bounty page for more details

**Spin by OXXO**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**In scope are an API plus iOS and Android mobile applications of Spin, a fintech app and payment card from Mexican convenience store chain Oxxo.

Check out the Spin by OXXO bug bounty page for more details

**Xdefi Technologies**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Xdefi, a cross-chain wallet extension for cryptocurrencies and NFTs, has included in the in-scope assets Xdefi Extension (Chromium web extension) and app, with rewards based on severity as per the CVSS (the Common Vulnerability Scoring Standard).

Check out the Xdefi bug bounty page for more details

**Zabbix**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Zabbix, a vendor which provides open source infrastructure monitoring technologies, is offering up to $1,000 for high severity bugs and $3,000 for critical flaws.

Check out the Zabbix bug bounty page for more information

**Other bug bounty and VDP news this month**

*   Google has expanded its OSS Fuzz code testing service by upgrading its reward program and increasing the number of computing languages covered by the project
*   The search engine giant has also paid out its largest-ever bug bounty – worth a potentially life-changing £500,000 ($605,000) – for an Android\-related vulnerability. Google is staying tight-lipped about the details of the flaw but ITPro has narrowed down the list of possibilities
*   Intel reports that it paid out $935,000 in bug bounties last year. The chip giant’s Intel Product Security Report (pdf) said that it triaged 243 vulnerabilities in 2022, 90 of which were discovered by security researchers and reported through its bug bounty programs. The vendor “engaged 151 researchers last year, more than double compared to the previous three years”, Security Week reports.
*   An in-depth article on the YesWeHack blog by security researchers BitK and SakiiR offers a technical perspective on detecting and exploiting prototype pollution vulnerabilities in JavaScript. The research builds on earlier work by Portswigger’s Gareth Heyes on detecting server-side prototype pollution-type security flaws.
*   Security researcher Mike Takahashi has put together a Twitter thread on the so-hot topic of how AI-powered chatbots such as ChatGPT might be able to assist bug bounty hunters. The social media “brainstorm” by Takahashi is the second part in what might become an ongoing series.

Additional reporting by Adam Bannister

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for February 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

Tag

#intel