GitHub Enterprise Server patches 10-outta-10 critical hole

May 22, 2024 at 03:35AM GitHub patched a critical security flaw in its Enterprise Server software with the release of version 3.13.0, affecting instances that use SAML SSO authentication. The bug, CVE-2024-4985, allows attackers to gain admin privileges when encrypted assertions are enabled. Microsoft-owned GitHub learned about the flaw through its bug bounty program, rewarding the …

Zoom Paid Out $10 Million via Bug Bounty Program Since 2019

April 4, 2024 at 06:18AM Zoom’s bug bounty program has paid out over $10 million since its 2019 launch, with 2023 alone seeing $2.4 million in rewards for 1,000 vulnerability reports. The company published advisories for 58 vulnerabilities and introduced an open source Vulnerability Impact Scoring System to assess and prioritize vulnerabilities based on actual demonstrated …

Ivanti Rushes Patches for 4 New Flaws in Connect Secure and Policy Secure

April 4, 2024 at 12:57AM Ivanti has released security updates to fix four flaws affecting Connect Secure and Policy Secure Gateways. The flaws could lead to code execution and denial-of-service attacks; they include a heap overflow, a null pointer dereference, and XML entity expansion issues. Ivanti has been addressing security flaws and is working on improving …

Google paid $10 million in bug bounty rewards last year

March 12, 2024 at 12:52PM Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and reporting security flaws in its products, down from $12 million in 2022. The highest single reward for a vulnerability report was $113,337; the program has paid out $59 million in total since 2010. Increased rewards were given for Android and Chrome vulnerabilities. …

Ultimate Member Plugin Flaw Exposes 100,000 WordPress Sites to Attacks

March 11, 2024 at 11:15AM A high-severity vulnerability in the Ultimate Member plugin (CVE-2024-2123) enables injection of malicious scripts into WordPress sites. Insufficient input sanitization and output escaping in the plugin’s members directory list functionality allow unauthenticated attackers to inject web scripts and potentially gain administrative user access. A patch was released on March 6, impacting versions 2.8.3 and …

GitHub rotates keys to mitigate impact of credential-exposing flaw

January 16, 2024 at 05:23PM GitHub resolved vulnerabilities that enabled attackers to access credentials in production containers by patching CVE-2024-0200. The update applies to GitHub Enterprise Server versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. While exploitation requires an organization owner role, GitHub rotated the exposed credentials and urges customers to install the security update promptly. Additionally, a command injection vulnerability …