2018-02-08 | Fancy bears’ focus, Google’s $12M in bounty payouts, and Cyber Bureau to the rescue

Thursday, February 8

TOP STORY

• ‘Fancy Bear’ hackers took aim at US defense contractors, and BREAKING NEWS (not really), Russians hacked voter registration rolls in several states prior to 2016 election.

HACKTIVITY

• Ability to bypass partner email confirmation to take over any store given an employee email [92 upvotes] - $15,000 bounty + $250 bonus for this report to Shopify by @itscachemoney.  

• Unsafe Query Generation (CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155) mitigation bypass [3 upvotes] - $1,500 bounty for this report to Ruby on Rails by @joernchen.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity  

OTHER ARTICLES WE’RE READING

• 2017 saw a record number of exposed records (7.8 billion to be exact)

• And it shall be called “Cyber Bureau” Secretary of State Rex Tillerson’s re-org plan

• Google vulnerability reward program has paid out $12M to date ($2.9M in 2017)

• Active Cyber Defence: one year on: paper written by Dr Ian Levy, Technical Director of the NCSC, following a year of the Active Cyber Defence programme.

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

We’ve almost gone back in time to use stand-alone systems if we’re processing client proprietary data — we’re FedEx’ing hard drives around.

Keven Gambold