Hackers Offered $1k for Vulnerabilites Found in Drupal 8

drupal-8.jpg

The Drupal security team announced this week that it’s prepared to offer up to $1,000 for vulnerabilities found in Drupal 8, the latest version of the popular open source content management system (CMS).
Drupal 8, which will be released soon, brings major architectural changes. The developers said they want to ensure that this version upholds the same level of security as previous releases, and they’re turning to white hat hackers for help in achieving this goal.
The Drupal 8 bug bounty program, funded with money from the Drupal Association D8 Accelerate program, is open until August 31, 2015, but the period might be extended.
As part of the program, powered by the crowd sourced security bug-finding platform Bugcrowd, Drupal is prepared to offer between $50 and $1,000 for cross-site scripting (XSS), SQL Injection, cross-site request forgery (CSRF), access bypass, and other flaws.
“The more serious the issue, the more the security team will be paying. The security issues must first, be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it,” Drupal said.
SSL and HTTP security issues, click jacking, error messages, logout CSRF, disclosure of known public files or folders, and username enumeration are not in the scope of the bug bounty program. Drupal developers have also pointed out that attacks requiring the attacker to have elevated privileges will not be taken into consideration.
Researchers who identify vulnerabilities in Drupal 7 or contributed projects are urged to report them to the developer, but they should not expect to get paid.
Experts interested in hacking Drupal 8 are instructed to install a copy of the CMS from Git and report their findings through Bugcrowd.
Drupal is not the only organization to launch a bug bounty program through Bugcrowd this week. Electric vehicle company Tesla Motors announced that researchers can earn between $25 and $1,000 for each of the bugs they find on teslamotors.com and other official domains. The shop.teslamotors.com, ir.teslamotors.com and feedback.teslamotors.com websites are not included in the program as they are third-party sites hosted by non-Tesla entities.
The bug bounty program covers only Tesla’s web application. Those who uncover security issues in other services and products, such as vehicles, are advised to report them to vulnerability (at) teslamotors.com.
Tesla is prepared to offer $200-$500 for XSS, $100-$500 for CSRF, $500-$1,000 for SQL injection and vertical privilege escalation, and $1,000 for command injection.
Security Week: http://bit.ly/1G7P9FJ

 

« Flash Player Attacked in Latest Cyber-Crime
Australia is 'one of most aggressive' in Mass Surveillance »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Chatham House

Chatham House

Chatham House is an independent policy institute based in London. Topics cover foreign affairs and defence including cyber security.

Spiceworks

Spiceworks

Spiceworks provide a range of free apps for IT professionals including network inventory, network monitor, and help desk.

Konfidas

Konfidas

Konfidas provide high-level cybersecurity consulting and professional tailored solutions to meet specific cybersecurity operational needs.

DCIT

DCIT

DCIT is a specialist in providing comprehensive consulting and auditing services in the field of information technology, PROVYS development software and security system AuditSquare.

Telecommunications Industry Association (TIA)

Telecommunications Industry Association (TIA)

TIA works to secure trust in networks by advocating public policy positions on the security of ICT equipment and services related to critical infrastructure, supply chain and information sharing.

Templar Executives

Templar Executives

Templar Executives is a leading, expert and dynamic Cyber Security company trusted by Governments and multi-national organisations to deliver business transformation.

Virtru

Virtru

Virtru's Data Protection platform protects and controls sensitive information regardless of where it's been created, stored or shared.

Data Protection People

Data Protection People

Data Protection People are specialists in Data Privacy, Governance, and Information Security.

Swiss Cyber Think Tank (SCTT)

Swiss Cyber Think Tank (SCTT)

The Swiss Cyber Think Tank is a business network for Cyber Risk & Insurability, providing an industry-wide networking platform for insurers, technology and security firms.

Ksmartech

Ksmartech

Ksmartech provide services related to security and authentication in all areas where the connection of people to objects, and objects and objects is necessary.

Crypto International

Crypto International

Crypto International offers comprehensive services for the operation of our customers’ IT and communication infrastructure, with a focus on cybersecurity and encryption solutions.

Cyber Defense Networking Solutions (CDNS)

Cyber Defense Networking Solutions (CDNS)

CDNS is a global network infrastructure provider whose platforms are engineered for security, optimized for speed and designed for resiliency.

Financial Services Information Sharing and Analysis Center (FS-ISAC)

Financial Services Information Sharing and Analysis Center (FS-ISAC)

The Financial Services Information Sharing and Analysis Center is the only global cyber intelligence sharing community solely focused on financial services.

Rayzone Group

Rayzone Group

Rayzone Group offers a wide range of Cyber Security solutions and services, providing hollistic protection suitable for both enterprises and National cyber security centers.

Unified Solutions

Unified Solutions

Unified Solutions provide a full continuum of cyber security services, compliance, and technology solutions.

ESProfiler

ESProfiler

Enterprise Security Profiler. Empowering CISOs with clarity & confidence in their security programme by visualising capabilities, usage and spend against their key threat priorities.