Security Affairs
Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Skyscanner launches a public bug bounty program

The popular travel search website Skyscanner is going to launch a bug bounty program, the company will pay up to $2,000 per vulnerability. The travel search website Skyscanner announced a public bug bounty program that will pay up to $2,000 per vulnerability. Skyscanner has been running a private bug bounty program that according to the […]

Skyscanner

The popular travel search website Skyscanner is going to launch a bug bounty program, the company will pay up to $2,000 per vulnerability.

The travel search website Skyscanner announced a public bug bounty program that will pay up to $2,000 per vulnerability.

Skyscanner has been running a private bug bounty program that according to the company allowed it to discover and address over 200 flaws in its systems. Now Skyscanner is opening the bug bounty program to the public.

“For the past few years, we’ve run a successful private Bug Bounty program, and are excited to announce that we are now extending this to a public program, to further strengthen our security posture, improve our services, and most importantly, to keep our travellers safe when using Skyscanner.” reads the announcement of the bug bounty program published on Bugcrowd.

“We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief.”

Skyscanner

The bug bounty program covers the official skyscanner.net website, regional domains, the gateway.skyscanner.net API, both the iOS and Android apps, and the partnerportal.skyscanner.net website.

The company will pay for vulnerabilities affecting the profile, booking and partner portal sections.

Participants to the bug bounty program cannot access or modify travelers’ data, without explicit prior permission of the owner.

“Only interact with your own accounts or provided test accounts for security research purposes.” continues the announcement.

  • add the following header to all HTTP requests: Skyscanner-Security: Bugcrowd
  • use your username@bugcrowdninja.com email address for accounts
  • not access or modify our, or our travellers’ data, without explicit prior permission of the owner. Only interact with your own accounts or provided test accounts for security research purposes
  • contact us immediately if you inadvertently encounter traveller data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Skyscanner
  • perform testing and research only within the areas that are in scope
  • follow the Bugcrowd Coordinated Disclosure rules

Researchers risk a 10% penalty if their submission is valid, but the rules haven’t been followed, Skyscanner said.

Skyscanner will pay up rewards up to $1,500/$2,000 per vulnerability such as security misconfigurations, server-side injection issues, broken authentication issues, sensitive data exposure, and cryptography-related bugs.

PRIORITYREWARDFOCUS AREA
P1$1500$2000
P2$900$1200
P3$300$400
P4$100$150

“It is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact.” Skyscanner added. “In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher – along with the opportunity to appeal, and make a case for a higher priority,”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Skyscanner, bug bounty)

[adrotate banner=”5″] [adrotate banner=”13″]