Hackers Offered $1k for Vulnerabilites Found in Drupal 8

Uploaded on 2015-06-16 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

drupal-8.jpg

The Drupal security team announced this week that it’s prepared to offer up to $1,000 for vulnerabilities found in Drupal 8, the latest version of the popular open source content management system (CMS).
Drupal 8, which will be released soon, brings major architectural changes. The developers said they want to ensure that this version upholds the same level of security as previous releases, and they’re turning to white hat hackers for help in achieving this goal.
The Drupal 8 bug bounty program, funded with money from the Drupal Association D8 Accelerate program, is open until August 31, 2015, but the period might be extended.
As part of the program, powered by the crowd sourced security bug-finding platform Bugcrowd, Drupal is prepared to offer between $50 and $1,000 for cross-site scripting (XSS), SQL Injection, cross-site request forgery (CSRF), access bypass, and other flaws.
“The more serious the issue, the more the security team will be paying. The security issues must first, be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it,” Drupal said.
SSL and HTTP security issues, click jacking, error messages, logout CSRF, disclosure of known public files or folders, and username enumeration are not in the scope of the bug bounty program. Drupal developers have also pointed out that attacks requiring the attacker to have elevated privileges will not be taken into consideration.
Researchers who identify vulnerabilities in Drupal 7 or contributed projects are urged to report them to the developer, but they should not expect to get paid.
Experts interested in hacking Drupal 8 are instructed to install a copy of the CMS from Git and report their findings through Bugcrowd.
Drupal is not the only organization to launch a bug bounty program through Bugcrowd this week. Electric vehicle company Tesla Motors announced that researchers can earn between $25 and $1,000 for each of the bugs they find on teslamotors.com and other official domains. The shop.teslamotors.com, ir.teslamotors.com and feedback.teslamotors.com websites are not included in the program as they are third-party sites hosted by non-Tesla entities.
The bug bounty program covers only Tesla’s web application. Those who uncover security issues in other services and products, such as vehicles, are advised to report them to vulnerability (at) teslamotors.com.
Tesla is prepared to offer $200-$500 for XSS, $100-$500 for CSRF, $500-$1,000 for SQL injection and vertical privilege escalation, and $1,000 for command injection.
Security Week: http://bit.ly/1G7P9FJ

 

« Flash Player Attacked in Latest Cyber-Crime
Australia is 'one of most aggressive' in Mass Surveillance »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

TBG Security

TBG Security

TBG provides a portfolio of services including cyber security, compliance and continuity solutions.

Capita

Capita

Capita is a consulting, digital services and software business, providing end-to-end enterprise IT services and solutions focused around digital transformation and innovation.

PeCERT

PeCERT

PeCERT is the national Computer Emergency Response Team for Peru.

Federation of Finnish Technology Industries

Federation of Finnish Technology Industries

The Federation of Finnish Technology Industries is the lobbying organisation for technology industry companies in Finland.

SQNetworks

SQNetworks

SQNetworks provides a full range of cybersecurity consultancy, services and solutions.

Secucloud

Secucloud

Secucloud GmbH is a provider of high-availability cyber-security solutions, offering a cloud-based security-as-a-service platform, particularly for providers.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Cyber Wales

Cyber Wales

Cyber Wales provides a focus and forum for everyone in the industry, helping businesses come together and collaborate both within Wales and internationally.

OurCrowd

OurCrowd

OurCrowd is a leading equity crowdfunding platform for investing in global startups.

AppOmni

AppOmni

AppOmni is the only SaaS CSPM solution that gives teams all the tools they need to be successful – from security posture management to monitoring and detection to continuous compliance.

Redhorse

Redhorse

Redhorse provides top-tier consulting to help clients address mission-critical government problems in National Security, Networking Technology, Energy and the Environment.

NVISIONx

NVISIONx

NVISIONx data risk governance platform enables companies to gain control of their enterprise data to reduce data risks, compliance scopes and storage costs.

PolySwarm

PolySwarm

PolySwarm is a crowdsourced threat intelligence marketplace that provides a more effective way to detect, analyze and respond to the latest threats.

Radius Technologies

Radius Technologies

Radius Technologies is trusted by progressive SMEs to deliver world-class cloud, IT solutions, IT and data security, and telecoms systems.

Systal Technology Solutions

Systal Technology Solutions

Systal is a global managed network and security service and transformation specialist. We help enterprise-level businesses maximise the security and business value of their complex IT infrastructure.

Yarix

Yarix

Yarix is the leading company in Var Group’s Digital Security division and one of the most recognised, innovative and authoritative Italian companies in the IT security sector.