Hackers Offered $1k for Vulnerabilites Found in Drupal 8

Uploaded on 2015-06-16 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

drupal-8.jpg

The Drupal security team announced this week that it’s prepared to offer up to $1,000 for vulnerabilities found in Drupal 8, the latest version of the popular open source content management system (CMS).
Drupal 8, which will be released soon, brings major architectural changes. The developers said they want to ensure that this version upholds the same level of security as previous releases, and they’re turning to white hat hackers for help in achieving this goal.
The Drupal 8 bug bounty program, funded with money from the Drupal Association D8 Accelerate program, is open until August 31, 2015, but the period might be extended.
As part of the program, powered by the crowd sourced security bug-finding platform Bugcrowd, Drupal is prepared to offer between $50 and $1,000 for cross-site scripting (XSS), SQL Injection, cross-site request forgery (CSRF), access bypass, and other flaws.
“The more serious the issue, the more the security team will be paying. The security issues must first, be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it,” Drupal said.
SSL and HTTP security issues, click jacking, error messages, logout CSRF, disclosure of known public files or folders, and username enumeration are not in the scope of the bug bounty program. Drupal developers have also pointed out that attacks requiring the attacker to have elevated privileges will not be taken into consideration.
Researchers who identify vulnerabilities in Drupal 7 or contributed projects are urged to report them to the developer, but they should not expect to get paid.
Experts interested in hacking Drupal 8 are instructed to install a copy of the CMS from Git and report their findings through Bugcrowd.
Drupal is not the only organization to launch a bug bounty program through Bugcrowd this week. Electric vehicle company Tesla Motors announced that researchers can earn between $25 and $1,000 for each of the bugs they find on teslamotors.com and other official domains. The shop.teslamotors.com, ir.teslamotors.com and feedback.teslamotors.com websites are not included in the program as they are third-party sites hosted by non-Tesla entities.
The bug bounty program covers only Tesla’s web application. Those who uncover security issues in other services and products, such as vehicles, are advised to report them to vulnerability (at) teslamotors.com.
Tesla is prepared to offer $200-$500 for XSS, $100-$500 for CSRF, $500-$1,000 for SQL injection and vertical privilege escalation, and $1,000 for command injection.
Security Week: http://bit.ly/1G7P9FJ

 

« Flash Player Attacked in Latest Cyber-Crime
Australia is 'one of most aggressive' in Mass Surveillance »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

F5 Networks

F5 Networks

F5 products ensure that network applications are always secure and perform the way they should—anywhere, any time, and on any device.

Infiltrate

Infiltrate

INFILTRATE is a deep technical conference that focuses entirely on offensive security issues.

NATO Communications and Information Agency (NCIA)

NATO Communications and Information Agency (NCIA)

The NCIA Cyber Security Service Line is responsible for planning and executing all life cycle management activities for cyber security.

Protectimus

Protectimus

Affordable two factor authentication (2FA) provider. Protect your data from theft with multi factor authentication service from Protectimus.

Bounga Informatics

Bounga Informatics

Bounga Informatics provides Digital Forensics, E-Discovery, and Endpoint Security software, hardware, and training in Singapore and other countries in Asia Pacific.

NSIDE Attack Logic

NSIDE Attack Logic

NSIDE Attack Logic simulates real-world cyber attacks to detect vulnerabilities in corporate networks and systems.

Sphonic

Sphonic

Sphonic provides regulated institutions of any size a powerful compliance & risk platform to quickly and securely onboard new customers and manage ongoing AML and Fraud & Risk trends.

Blancco Technology Group

Blancco Technology Group

Blancco Technology Group is a leading global provider of mobile device diagnostics and secure data erasure solutions.

Visium Technologies

Visium Technologies

Visium Analytics provides innovative data visualization, cybersecurity technologies and solutions to businesses to protect and secure their data assets.

Conference on Applied Machine Learning in Information Security (CAMLIS)

Conference on Applied Machine Learning in Information Security (CAMLIS)

CAMLIS is a venue for discussing applied research on machine learning, deep learning and data science in information security.

Constella Intelligence

Constella Intelligence

Constella Intelligence provides digital risk protection services to quickly and efficiently disrupt cyber attacks and data breaches before they occur.

Proximity

Proximity

Proximity is a leading professional services organisation providing consulting, legal and commercial advisory solutions with a focus on government and regulated industries.

DTS Systeme

DTS Systeme

DTS Systeme is an IT service provider with a focus on the core areas of datacenter, technologies and IT security.

BigBear.ai

BigBear.ai

BigBear.ai delivers high-end analytics capabilities across the data and digital spectrum to deliver information superiority and decision support.

BastionZero

BastionZero

BastionZero is leveraging cryptography to reimagine the tools used to manage remote access to servers, containers, clusters, applications and databases across cloud and on-prem environments.

Blue Bastion

Blue Bastion

Don’t give cybercriminals the chance to find weaknesses in your company’s cyber security system. Defend your institution from all attacks from all directions with Blue Bastion.