Shhh! Have you heard about the secret program currently going through a recruitment process where recruits can earn rewards upwards of $250,000? Well in 2017, as you probably are already well aware, secrets aren't what they used to be. So, here's the info!
An unnamed company is starting an eight-week, invite-only bug bounty program in September that offers a $250,000 payout for virtual machine escape vulnerabilities tied to an as-yet unreleased product.
This announcement is another indicator that organizations are seeing the value in bounty programs like this: they can identify vulnerabilities early rather than waiting for others to take advantage of them, which ultimately costs them more one way or the other down the line.
What is this secret program?
"Private programs are open to a select, vetted group of researchers while public ones are open to the full breadth of the 60k+ crowd. This top secret program is a hybrid approach. It allows the organization to recruit more top talent -- security experts that specialize in the company's unique attack surface -- in a more controlled way. This means that while not just anyone can 'hack on' the program, anyone can apply to," said Casey Ellis, CEO of Bugcrowd.
The not-so-"Super-Secret" Bugcrowd bounty program is invite-only and requires participating researchers to submit a report of their efforts, what was attempted, ideas for a potential compromise, and any other relevant information (regardless of whether or not they achieved the stated objectives), according to the company.
Areas of focus will include:
- Guest VM breakout/isolation failures
- Code execution beyond the confines of your guest VM
- Privilege escalation within the guest VM made possible by the underlying platform
- Any vulnerabilities which could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data in a way that affects user privacy (including memory corruption, cross-guest VM issues, and persistent issues)
- Denial/degrading service to other customers, or of the underlying platform itself (excluding DDoS)
The program will last eight weeks, starting early September and lasting through October. According to the bounty website, 48 participants have already joined the program as of this writing.
The top $250,000 bounty paid out by the unknown sponsoring company is for "guest escape vulnerabilities that lead to code execution in the virtualization platform itself" and "guest escape vulnerabilities that lead to code execution in another instance." The same program pays $100,000 for vulnerabilities that leak memory contents and code from the virtualization platform. Additionally, a $25,000 bounty is paid for vulnerabilities involving unintended network access to control-plane infrastructure. And the top five reports at the end of the program that show demonstrated effort and expertise will be rewarded with $10,000 each as compensation for work done.
Ready to get your white hat on and try your luck? Apply for the super secret program. But be prepared to undergo a background check and sign an NDA prior to participating.