Hackers Offered $1k for Vulnerabilites Found in Drupal 8

Uploaded on 2015-06-16 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

drupal-8.jpg

The Drupal security team announced this week that it’s prepared to offer up to $1,000 for vulnerabilities found in Drupal 8, the latest version of the popular open source content management system (CMS).
Drupal 8, which will be released soon, brings major architectural changes. The developers said they want to ensure that this version upholds the same level of security as previous releases, and they’re turning to white hat hackers for help in achieving this goal.
The Drupal 8 bug bounty program, funded with money from the Drupal Association D8 Accelerate program, is open until August 31, 2015, but the period might be extended.
As part of the program, powered by the crowd sourced security bug-finding platform Bugcrowd, Drupal is prepared to offer between $50 and $1,000 for cross-site scripting (XSS), SQL Injection, cross-site request forgery (CSRF), access bypass, and other flaws.
“The more serious the issue, the more the security team will be paying. The security issues must first, be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it,” Drupal said.
SSL and HTTP security issues, click jacking, error messages, logout CSRF, disclosure of known public files or folders, and username enumeration are not in the scope of the bug bounty program. Drupal developers have also pointed out that attacks requiring the attacker to have elevated privileges will not be taken into consideration.
Researchers who identify vulnerabilities in Drupal 7 or contributed projects are urged to report them to the developer, but they should not expect to get paid.
Experts interested in hacking Drupal 8 are instructed to install a copy of the CMS from Git and report their findings through Bugcrowd.
Drupal is not the only organization to launch a bug bounty program through Bugcrowd this week. Electric vehicle company Tesla Motors announced that researchers can earn between $25 and $1,000 for each of the bugs they find on teslamotors.com and other official domains. The shop.teslamotors.com, ir.teslamotors.com and feedback.teslamotors.com websites are not included in the program as they are third-party sites hosted by non-Tesla entities.
The bug bounty program covers only Tesla’s web application. Those who uncover security issues in other services and products, such as vehicles, are advised to report them to vulnerability (at) teslamotors.com.
Tesla is prepared to offer $200-$500 for XSS, $100-$500 for CSRF, $500-$1,000 for SQL injection and vertical privilege escalation, and $1,000 for command injection.
Security Week: http://bit.ly/1G7P9FJ

 

« Flash Player Attacked in Latest Cyber-Crime
Australia is 'one of most aggressive' in Mass Surveillance »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

Spiceworks

Spiceworks

Spiceworks provide a range of free apps for IT professionals including network inventory, network monitor, and help desk.

LogmeOnce

LogmeOnce

LogmeOnce provides users with solution to multiple Password problems, Single Sign-On (SSO), and Identity Management.

Brit

Brit

Brit PLC is a market-leading global specialty insurer and reinsurer, focused on underwriting complex risks including cyber, privacy and technology.

Praetorian

Praetorian

Praetorian is an offensive cybersecurity company whose mission is to prevent breaches before they occur.

PakCERT

PakCERT

PakCERT is the national Computer Emergency Response Team for Pakistan.

Tessian

Tessian

Tessian (formerly CheckRecipient) is a next-generation email security platform that helps enterprises counteract human error and significantly reduce the risk of data loss.

Cycura

Cycura

Cycura provide advanced, customized, and confidential cyber security services, cyber investigation services, and digital forensic services to governments, companies, and organizations.

DataViper

DataViper

Data viper is a threat intelligence platform designed for organizations, investigators, and law enforcement.

Transmit Security

Transmit Security

The Transmit Security Platform provides a solution for managing identity across applications while maintaining security and usability.

SecureStream Technologies

SecureStream Technologies

SecureStream Technologies have built the IoT SafetyNet - the Network Security Analytics platform to Eliminate Security Threats, Guarantee Privacy, Ensure Compliance, Simply & Easily.

MindWise

MindWise

MindWise is a comprehensive global threat monitoring solution with implementations for fraud prevention and enterprise threat intelligence.

Halcyon

Halcyon

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks.

Sweet Security

Sweet Security

Sweet Security delivers Runtime Attack Security for Cloud Workloads.

Redpoint Cybersecurity

Redpoint Cybersecurity

Redpoint Cybersecurity is a human-led, technology-enabled managed cybersecurity provider specializing in Digital Forensics, Incident Response and proactive cyberattack prevention.

Xmore AI

Xmore AI

Xmore AI, an emerging disruptor in our incubation, is building AI models to optimize and secure IT with the mission of increasing efficiency and reducing costs.