All articles tagged with #bug bounty
Daniel Stenberg, lead developer of cURL, is ending the project's bug bounty program at the end of January due to a flood of low-quality AI-assisted submissions he dubs "AI slop." While AI can aid bug discovery, the volume and quality of reports have overwhelmed maintainers, prompting the move even as genuine issues are still welcome under strict AI usage rules.
Open-source tool curl is scrapping its vulnerability-bounty program after a surge of low-quality, AI-generated submissions, with founder Daniel Stenberg saying the team needs to protect their mental health; the move, effective at the end of the month, aims to stop the AI “slop” from flooding reports and distracting from real issues, though critics fear it reduces essential security disclosures.
Apple has significantly increased its bug bounty rewards, offering up to $5 million for discovering critical vulnerabilities in iOS or Safari's Lockdown Mode, aiming to incentivize security researchers to find and report serious flaws before malicious actors do.
Apple has increased its bug bounty reward to $2 million for the most dangerous exploits that could be used for spyware, with the potential total reward reaching $5 million including bonuses, as part of its ongoing efforts to improve security and combat the spyware industry.
Apple is increasing its bug bounty payouts, with some reaching up to $2 million, to incentivize security researchers to find vulnerabilities in iPhones and Macs, especially in new security features like Memory Integrity Enforcement and Lockdown Mode, amid rising threats from spyware and nation-state hackers.
AI-generated low-quality reports, known as AI slop, are flooding cybersecurity bug bounty programs, leading to false positives and wasted resources. Experts suggest investing in AI-powered filtering systems to improve report accuracy, with some companies developing hybrid human-AI triage solutions. The problem highlights the challenges of AI hallucinations in critical security processes.
Meta fixed a security vulnerability that could have allowed users to access others' AI prompts and responses, with the bug being privately disclosed by security researcher Sandeep Hodkasia who received a $10,000 bounty. The flaw involved predictable prompt identifiers that could be manipulated to view private data, but Meta confirmed it was fixed in January with no evidence of exploitation.
A 13-year-old hacker named Dylan discovered critical vulnerabilities in Microsoft Teams, leading Microsoft to revise its bug bounty program to include younger researchers and recognizing him as a valuable contributor, which highlights the growing role of young talent in cybersecurity.
Microsoft has announced Zero Day Quest, an in-person hacking event aimed at enhancing AI and cloud security, with $4 million in potential awards for identifying high-impact security flaws. This initiative builds on Microsoft's bug bounty program and offers researchers direct access to Microsoft AI engineers and the AI Red Team. The event, set for 2025 at Microsoft's Redmond headquarters, is part of Microsoft's broader security transformation efforts, emphasizing transparency and collaboration in addressing vulnerabilities.
Apple declined to pay a bug bounty to Kaspersky Lab after the Russian cybersecurity firm disclosed four zero-day vulnerabilities in iPhone software, which were allegedly used to spy on Kaspersky employees and Russian diplomats. Kaspersky suggested the vulnerabilities might have been state-sponsored, but Apple denied any collaboration with governments for spying purposes. The refusal comes amid heightened tensions between the US and Russia following the invasion of Ukraine.
Bugcrowd, a platform that connects organizations with a database of over 500,000 hackers for bug bounty programs, has secured $102 million in equity funding led by General Catalyst, with previous backers Rally Ventures and Costanoa Ventures also participating. The company plans to use the funding to expand operations in the U.S. and beyond, potentially through M&A, and to enhance its platform's functionality, which includes bug bounty programs, penetration testing, and attack surface management. Bugcrowd has seen significant growth, with over 40% annual revenue increase and now has over 1,000 customers and "well over" 500,000 hackers.
Google is inviting hackers to participate in a capture the flag (CTF) competition, with the top eight teams qualifying for the Hackceler8 competition in Tokyo later this year, where a prize pot of over $32,000 is up for grabs. The CTF will consist of various challenges, with points awarded for each successful completion. Google has also launched a new ethical hacking program, the Mobile Vulnerability Reward Program (VRP), aimed at uncovering vulnerabilities in Android 'first party' applications, with rewards ranging from $750 to $30,000.
OpenAI CEO Sam Altman confirmed that the company is not currently training GPT-5 and is instead focusing on improving GPT-4. Reddit forums are being flooded with spam generated by ChatGPT bots, leaving moderators struggling to deal with the rising volume of spam. OpenAI has launched a bug bounty program, offering up to $20,000 to developers who discover vulnerabilities, bugs, and security flaws in its AI products. Twitter has reportedly purchased around 10,000 GPUs to develop generative AI models, and Elon Musk has hired engineers from DeepMind to build a rival ChatGPT product that will generate text considered less politically correct.
Google has released an emergency update for Chrome to fix a zero-day vulnerability that can be exploited by a malicious webpage to run arbitrary code in the browser. The vulnerability is present in Chrome for desktop versions prior to 112.0.5615.121. Meanwhile, Western Digital is being extorted by miscreants who claim to have stolen around 10 terabytes of internal data from the company, including customer and employee information. In response, Google and other tech industry actors have announced a project to create a legal environment that's more favorable for good-faith security researchers, plus another to help fund legal representation for researchers caught in a lawsuit.
OpenAI has launched a bug bounty program for its AI services, including ChatGPT, offering rewards ranging from $200 to $20,000 for vulnerabilities found. However, the program excludes rewards for jailbreaking ChatGPT or causing it to generate malicious code or text. OpenAI notes that such "model safety issues" require broader approaches and should be submitted via the company's model feedback page. Last month, a hacker revealed 80 "secret plugins" for the ChatGPT API, prompting some to suggest that a paid bug bounty program could help catch such vulnerabilities in the future.