Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.

An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust.

**High Rate of Conflict**

Approximately 56%, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of moderate severity, NIST might have assessed it as severe.

As one example, VulnCheck pointed to CVE-2023-21557, a denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1, making it a "critical" vulnerability. Information on the vulnerability in the NVD provided no insight on why the scores differed, VulnCheck said. The vulnerability database is peppered with numerous other similar instances.

That high conflict rate can set back remediation efforts for organizations that are resource-strapped in vulnerability management teams, says Jacob Baines, vulnerability researcher at VulnCheck. "A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that aren't critical," he says. "Prioritizing the wrong vulnerabilities will squander vulnerability management teams' most critical resource: time."

VulnCheck researchers found other differences in the way NIST and vendors included specific information about flaws in the database. They decided to look at cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD.

The analysis showed the primary source — typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences.

"XSS and CSRF vulnerabilities always require user interaction," Baines says. "User interaction is a scoring element of CVSSv3 and is present in the CVSSv3 vector." Examining how often XSS and CSRF vulnerabilities in NVD include that information provides insight into the scale of scoring mistakes in the database, he says.

**Severity Scores Alone Not the Answer**

Severity scores based on the Common Vulnerability Severity Scale (CVSS) are meant to give patching and vulnerability management teams a straightforward way to understand the severity of a software vulnerability. It informs the security professional whether a flaw presents a low, medium, or severe risk, and often provides context around a vulnerability that the software vendor might not have provided when assigning a CVE to the bug.

Numerous organizations use the CVSS standard when assigning severity scores to vulnerabilities in their products, and security teams commonly use the scores to decide the order in which they apply patches to vulnerable software in the environment.

Despite its popularity, many have previously cautioned against solely relying on CVSS reliability scores for patch prioritization. In a Black Hat USA 2022 session, Dustin Childs and Brian Gorenc, both researchers with Trend Micro's Zero Day Initiative (ZDI), pointed to multiple issues like the lack of information around a bug's exploitability, its pervasiveness, and how accessible it might be to attack as reasons why CVSS scores alone are not enough.

"Enterprises are resource constrained, so they typically have to prioritize which patches they roll out," Childs told Dark Reading. "However, if they get conflicting information, they can end up spending resources on bugs that are unlikely to ever be exploited."

Organizations often rely on third-party products to help them prioritize vulnerabilities and decide what to patch first, Childs notes. Often, they tend to give preference to the CVSS from the vendor rather than another source like NIST.

"But vendors can't always be relied on to be transparent on the real risk. Vendors don't always understand how their products are deployed, which can lead to differences in the operational risk to a target," he says.

Childs and Bains advocate that organizations should consider information from multiple sources when making decisions around vulnerability remediation. They should also consider factors such as whether a bug has a public exploit for it in the wild, or whether it is being actively exploited.

"To accurately prioritize a vulnerability, organizations need to be able to answer the following questions," Baines says. "Does this vulnerability have a public exploit? Has this vulnerability been exploited in the wild? Is this vulnerability being used by ransomware or APT? Is this vulnerability likely to be Internet-exposed?"

Discrepancies Discovered in Vulnerability Severity Ratings

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

Zoho offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you have discovered a potential security vulnerability in any of Zoho's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.

Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. Zoho provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.

You can share details of the suspected vulnerability with Zoho by clicking below;

Submit Bug

These Bug Bounty Terms and Conditions ("Bug Bounty Terms") govern your participation in the Zoho Bug Bounty Program ("Bug Bounty Program") and are a legally binding contract between you or the company you represent and Zoho. By submitting a vulnerability or participating in the program, you agree to be bound by the Terms.

The Bug Bounty Program enables you to submit security bugs or vulnerabilities discovered by you in eligible Zoho Services and earn rewards for your submissions. Service-specific terms of use that are applicable to specific Zoho Services ("Service-Specific Terms") shall be applicable to you in addition to the Bug Bounty Terms. In the event of a conflict between Bug Bounty Terms and Service-specific Terms, the Bug Bounty Terms shall prevail.

Participation in the Bug Bounty Program is open to all individuals unless:

*   You are below 14 years of age. If you are 14 years old or above, but you are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to your participation in the Bug Bounty Program after having read the Bug Bounty Terms;
    
*   You are a resident of any US sanctioned countries;
    
*   You are currently an employee of Zoho or you were employed by Zoho within six (6) months prior to your participation in the Bug Bounty Program; or
    
*   You are a family member of a Zoho employee.
    

You will follow the rules specified hereunder, failing which your participation in the Bug Bounty Program will be immediately terminated.

*   You will make all efforts to avoid privacy violations, degradation of user experience, degradation of Zoho Services, disruptions to Zoho's infrastructure and systems, and destruction of both Zoho's and users' data in the course of your security bug research.
    
*   You will report any security bug discovered by you ("Security Bug") to Zoho and provide Zoho with reasonable time to identify and mitigate the security bug before publicly disclosing it to others.
    
*   During your security bug research, if you have any inadvertent access to Zoho's or users' information, including sensitive, personal, or any other unauthorized information ("Unauthorized Information"), you must cease your Security Bug research to prevent further access to any Unauthorized Information by you and notify Zoho of any Unauthorized Information you accessed. Upon notifying Zoho of such access, delete all Unauthorized Information from your systems or devices.
    
*   You will always use your account, or an account for which you have explicit consent from the account owner, for testing the Security Bug.
    
*   You will use any security bug discovered by you only for testing, and you will not exploit the Security Bug in any manner.
    

If you have discovered an eligible security bug as specified in the scope, you may submit the bug through the website provided to you for submission.

Your submission shall include details such as vulnerability description, clear reproduction steps, and a proof-of-concept.

Upon receipt of your submission, Zoho will review and validate the submission within three (3) days from the date of your submission and will prioritize based on the severity of the vulnerability submitted and resolve the vulnerability accordingly. Zoho will notify you once the vulnerability is resolved and you may confirm whether the remedy resolves the vulnerability. If there is more than one submission for the same vulnerability from different parties, bounty will be paid to the first submission.

Zoho will pay a reward for your eligible submissions ("Bounty"). Bounties will be determined and granted only at Zoho's discretion. You can find the reward tiers here.

Zoho will fulfill the Bounty payments through the following payment modes:

*   For Indian participants, in INR through wire transfer;
    
*   For participants from outside India, in USD through PayPal; or
    
*   As an Amazon gift card in USD.
    

You understand that you are responsible for paying the taxes associated with Bounty payments. Bounties for Indian participants will be paid only after deducting TDS of 10% (Tax Deducted at Source).

Bounties shall be claimed by you within a period of three (3) months from the date of your entitlement to the reward.

You grant Zoho non-exclusive, irrevocable, worldwide, perpetual, and royalty-free license to review, assess, and use your submission to analyze and resolve the vulnerability submitted by you and for other related purposes.

ZOHO SHALL IN NO EVENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR OTHER LOSS OR DAMAGE WHATSOEVER OR FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, COMPUTER FAILURE, LOSS OF BUSINESS INFORMATION, OR OTHER LOSS ARISING OUT OF THE BUG BOUNTY PROGRAM.

*   All Zoho branded products and applications listed at zoho.com
    
*   All ManageEngine branded products and applications listed at manageengine.com (except SupportCenter Plus)
    
*   Site24x7
    
*   Qntrl
    
*   TrainerCentral
    
*   Zoho Corporation owned assets
    

*   Missing any best security practice that is not a vulnerability
    
*   Self XSS
    
*   Username or email address enumeration
    
*   Email bombing
    
*   HTML injection
    
*   XSS vulnerabilities on sandbox or user-content domains
    
*   Unvalidated or open redirects or tabnabbing
    
*   Clickjacking in unauthenticated pages or in pages with no significant state-changing action
    
*   Logout or unauthenticated CSRF
    
*   Missing cookie flags on non-sensitive cookies
    
*   Missing security headers that do not lead directly to a vulnerability
    
*   Unvalidated findings from automated tools or scans
    
*   "Back" button that keeps working after logout
    
*   Issues that do not affect the latest version of modern browsers or platforms
    
*   Attacks that require physical access to a user device
    
*   Social engineering
    
*   Hosting malware/arbitrary content on Zoho and causing downloads
    
*   Use of a known-vulnerable library (without evidence of exploitability)
    
*   Low-impact descriptive error pages and information disclosures without any sensitive information
    
*   Invalid or missing SPF/DKIM/DMARC/BIMI records
    
*   Password and account policies, such as (but not limited to) reset link expiration or password complexity
    
*   Non-critical issues in blog.zoho.com or other product blogs
    
*   CSV injection
    
*   Phishing risk via Unicode/Punycode or RTLO issues
    
*   Missing rate limitations on endpoints (without any security concerns)
    
*   Presence of EXIF information in file uploads
    
*   Ability to upload/download executables
    
*   Bypassing pricing/paid feature restrictions
    
*   0-day vulnerabilities in any third parties we use within 10 days of their disclosure
    
*   Any other issues determined to be of low or negligible security impact
    
*   Issues that do not affect the latest version of applications, modern browsers, or platforms
    
*   Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
    
*   Usage of known vulnerable components without actual working exploit
    
*   Our intended features or accepted risks (including but not limited to the following) are not vulnerabilities and are thus excluded from our program:
    
*   Applications running as SYSTEM user
    
*   Features to execute queries, scripts, or workflows by privileged users
    
*   Usage of UDP-based unauthenticated protocols (which can be disabled by the user)
    

Severity

Bounty in USD (Up to)

Low

$ 50

Medium

$ 200

High

$ 800

Critical

$ 3000

We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.

Hall Of Fame for

CVE-2023-23074: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

CVE-2023-23073: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

CVE-2023-23077: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

CVE-2023-23078: BugBounty

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

CVE-2023-23076: BugBounty

Printer exploit chain could be weaponized to fully compromise more than 100 models

Charlie Osborne 01 February 2023 at 12:18 UTC  
Updated: 01 February 2023 at 13:26 UTC

Printer exploit chain could be weaponized to fully compromise more than 100 models

A security researcher dropped a zero-day remote code execution (RCE) chain of vulnerabilities affecting Lexmark printers after claiming the disclosure reward he was offered was “laughable”.

Independent researcher Peter Geissler (@bl4sty) said that public disclosure of the bug, a zero-day flaw at the time of release but now patched, was preferable to the report being sold “for peanuts”.

In a tweet dated January 10, Geissler published a link to a GitHub repository containing information on the vulnerability chain.

The exploit was tested against firmware version CXLBL.081.225, and while entered into Pwn2Own Toronto 2022 – ran by the Zero Day Initiative (ZDI) – the attack was unsuccessful during demonstrations.

**‘Seemingly harmless’ functions**

However, according to the researcher’s writeup, several isolated or “seemingly harmless” functions could be exploited to “eventually fully compromise the device”.

These functions included file upload and file copy primitives, alongside a daemon related to SOAP web services that could be abused to make an HTTP callback to an attacker’s selected endpoint, resulting in server-side request forgery (SSRF).

DON’T MISS Deserialized roundup: ‘Catastrophic cyber events’ and T-Mobile, LastPass troubles

“When the callbacks are being made the software does not do any sanity-checking on the destination of the callbacks, thus it is possible to send callbacks to arbitrary hosts, including the printer itself,” Geissler explained.

Furthermore, a process called /auto-fwdebugd could be exploited due to a failure to sanitize inputs from a first-in, first-out system, causing a command injection bug.

By chaining the above, it was possible to achieve RCE.

**Patch available**

In a security advisory released on January 23, Lexmark said the issue, tracked as CVE-2023-23560 (CVSSv3 9.0) and released under one CVE assignment, impacts over 100 models but has now been patched.

The company said there is no evidence of malicious use in the wild. When approached for comment, Lexmark said: “Lexmark became aware of details of this vulnerability when it was publicly disclosed. We have provided a patch to our customers.

“We encourage anyone who identifies a vulnerability which may affect a Lexmark product to report it to Lexmark Security Advisories. This vulnerability management approach is one reason Lexmark is consistently named a leader in print security by industry analysts.”

Geissler says that while the exploit chain didn’t fully function during the competition – potentially due to different configurations on the test printer – ZDI did offer to purchase the security flaws. However, the amount was “laughable” and Geissler “promptly forgot about their offer”.

Read more news about the latest web security vulnerabilities

Speaking to The Daily Swig, Geissler explained that the amount offered by ZDI was a “small fraction” of the original reward as someone else during the competition successfully targeted the printer with a different chain of bugs.

When asked for his motivation beyond securing a payout to release his findings, Geissler commented: “If you sell to them you cannot publish anything until the bug(s) have been fixed by \[the\] vendor, afaik \[as far as I know\] that’s the only real (reasonable) restriction for publication.”

**Disclosure**

According to the researcher, Lexmark was not notified before the zero-day’s release for two reasons.

First, Geissler wished to highlight how the Pwn2Own contest is “broken” in some regards, as shown when low monetary rewards are offered for “something with a potentially big impact” – such as an exploit chain that can compromise over 100 printer models.

Furthermore, he said that official disclosure processes are often long-winded and arduous.

“In my experience, patching efforts by the vendor are greatly accelerated by publishing turnkey solutions in the public domain without any heads up whatsoever,” Geissler noted.

“Lexmark might reconsider partnering with similar competitions in the future and opt to launch their own vulnerability bounty/reward program.”

YOU MAY ALSO LIKE Facebook two-factor authentication bypass bug earns researchers $27k

Researcher drops Lexmark RCE zero-day rather than sell vuln ‘for peanuts’

Security vulnerabilities in VMware's vRealize Log Insight platform can be chained together to offer a cybercriminals a gaping hole to access corporate crown jewels.

Three security vulnerabilities affecting VMware's vRealize Log Insight platform now have public exploit code circulating, offering a map for cybercriminals to follow to weaponize them. These include two critical unauthenticated remote code execution (RCE) bugs.

The vRealize Log Insight platform (which is transitioning its name to Aria Operations) provides intelligent log management "for infrastructure and applications in any environment," according to VMware, offering IT departments access to dashboards and analytics that have visibility across physical, virtual, and cloud environments, including third-party extensibility. Usually loaded onto an appliance, the platform can have highly privileged access to the most sensitive areas of an organization's IT footprint.

"Gaining access to the Log Insight host provides some interesting possibilities to an attacker, depending on the type of applications that are integrated with it," said Horizon.ai researcher James Horseman, who did a deep dive into the public exploit code this week. "Often, logs ingested may contain sensitive data from other services and may allow an attack to gather session tokens, API keys, and personally identifiable information. Those keys and sessions may allow the attacker to pivot to other systems and further compromise the environment."

Organizations should take note of the risk, especially since the barrier to exploitation for the bugs — aka, the access complexity — is low, says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which reported the vulnerabilities.

"If you are doing centralized log management with this tool, it represents a significant risk to your enterprise," he tells Dark Reading. "We recommend testing and deploying the patch from VMware as soon as possible."

**Inside the VMware vRealize Log Insight Bugs**

The two critical issues carry severity scores of 9.8 out of 10 on the CVSS scale and could allow an "unauthenticated, malicious actor to inject files into the operating system of an impacted appliance which can result in remote code execution," according to the original VMware advisory.

One (CVE-2022-31706) is a directory traversal vulnerability; the other (CVE-2022-31704) is a broken access control vulnerability.

The third flaw is a high-severity deserialization vulnerability (CVE-2022-31710, CVSS 7.5), which could allow an unauthenticated malicious actor to "remotely trigger the deserialization of untrusted data, which could result in a denial of service."

**Creating a Bug Chain for Complete Takeover**

Horizon.ai researchers, after identifying the exploit code in the wild, discovered that the three issues could be chained together, prompting VMware to update its advisory today.

"This \[combined\] vulnerability \[chain\] is easy to exploit; however, it requires the attacker to have some infrastructure setup to serve malicious payloads," Horseman wrote. "This vulnerability allows for remote code execution as root, essentially giving an attacker complete control over the system."

That said, he offered a silver lining: The product is intended for use in an internal network; he noted that Shodan data turned up 45 instances of the appliances being publicly exposed on the Internet.

That does not, however, mean that the chain can’t be used from within.

"Since this product is unlikely to be exposed to the Internet, the attacker likely has already established a foothold somewhere else on the network," he noted. "If a user determines they have been compromised, additional investigation is required to determine any damage an attacker has done.”

The three bugs were first disclosed last week by the virtualization giant as part of a cache that also included one other, a medium-severity information-disclosure bug (CVE-2022-31711, CVSS 5.3) that could allow data harvesting without authentication. The latter doesn't yet have public exploit code, though that could quickly change, particularly given how popular of a target VMware offerings are for cybercriminals.

There could also soon be multiple ways to exploit the other issues, too. "We have proof-of-concept code available to demonstrate the vulnerabilities," ZDI's Childs says. "We would not be surprised if others figured out an exploit in short order."

**How to Protect the Enterprise**

To protect their organizations, admins are urged to apply VMware's patches, or apply a published workaround as soon as possible. Horizon.ai has also published indicators of compromise (IoCs) to help organizations track any attacks.

Also, "if you are using vRealize or Aria Operations for centralized log management, you need to check what type of exposure that system has," Childs advises. "Is it connected to the Internet? Are there IP restrictions for who can access the platform? These are additional items to consider beyond patching, which should be your first step. It's also a reminder that every tool or product in an enterprise represents a potential target for attackers to gain a foothold."

Critical VMware RCE Vulnerabilities Targeted by Public Exploit Code

New web targets for the discerning hacker

Adam Bannister 31 January 2023 at 15:13 UTC  
Updated: 31 January 2023 at 15:23 UTC

New web targets for the discerning hacker

A bypass of Facebook’s SMS-based two-factor authentication (2FA) made it into Meta’s most impressive bug bounty finds of 2022.

However, it seems Facebook’s parent company initially didn’t fully appreciate the vulnerability, offering a $3,000 bounty before eventually revising the reward upwards to $27,200.

“Since there was no rate limit protection at all while verifying any contact points – email or phone – an attacker just knowing the phone number could add the victim’s 2FA-enabled phone number in his or her Instagram-linked Facebook account,” security researcher Manoj Gautam told The Daily Swig.

In other bug bounty news this month, a hacker duo documented Google Cloud Platform (GCP) research that resulted in six payouts totalling more than $22,000.

The most lucrative find for Sreeram KL and Sivanesh Ashok led to a double $5,000 reward for a server-side request forgery (SSRF) bug and subsequent patch bypass in machine learning platform Vertex AI.

Outlined across four blog posts, their bug bounty exploits also included an SSH key injection issue in Google Cloud’s Compute Engine and flaws in Theia and Cloud Workstations.

Cross-origin resource sharing (CORS) misconfigurations were the focus of a third bug bounty writeup covered by The Daily Swig this month.

Exploits fashioned for multiple private programs – notably including Tesla – earned Truffle Security researchers a “few thousand dollars” and vindicated their hypothesis that “large internal corporate networks are exceedingly likely to have impactful CORS \[cross-origin resource sharing\] misconfigurations”.

Fresh hacking opportunities on the horizon, meanwhile, include The US Department of Defense (DoD)’s third annual Hack The Pentagon challenge and the Zero Day Initiative’s (ZDI’s) inaugural Pwn2Own Automotive, slated for January 2024.

**The latest bug bounty programs for February 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**8x8**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$1,337

**Outline:  
**The US provider of business communication technologies has invited hackers to probe its websites, mobile apps, and services such as Jitsi, its open source video meeting software.

**Notes:  
**Despite the relatively modest top bounty on offer, 8x8 has already paid out more than $90,000 in bounties within a month of its launch.

Check out the 8x8 bug bounty page for more details

**Hedera Hashgraph**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$30,000

**Outline:  
**Hedera Hashgraph describes itself as “a responsibly governed decentralized network”, with the Hedera Governing Council comprising “enterprises, web3 projects, and prestigious universities”.

**Notes:  
**There are seven assets in scope including services and mirror node codebases, Java and JavaScript SDKs, testnet API endpoints, and testnet mirror node APIs.

Check out the Hedera Hashgraph bug bounty page for more details

**Hyperlane**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$2.5 million

**Outline:  
**Hyperlane describes itself as a modular interoperability platform, empowering developers to build interchain applications, apps that can easily and securely communicate between blockchains.

**Notes:  
**The life-changing maximum reward is on offer for critical bugs on smart contracts, whereas application flaws can command payouts of up to $20,000.

Check out the Hyperlane bug bounty page for more details

**Kiwi.com**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Czech online travel agency Kiwi.com provides a fare aggregator, metasearch engine, and booking function for airline tickets and ground transportation.

**Notes:  
**In-scope targets include the main website, kiwi.com; tequila.kiwi.com; jobs.kiwi.com; source code; APIs and internal tools; and mobile applications.

Check out the Kiwi.com bug bounty page for more details

**Net+**

**Program provider:  
**GObugfree

**Program type:  
**Mix of public and private

**Max reward:  
**CHF5,000 ($5,389)

**Outline:  
**Netplus.ch, which provides internet, telephony, and TV services to more than 220,000 users in Switzerland, is paying between CHF 2,000-5,000 for critical bugs.

**Notes:  
**New targets are initially restricted to the private program for a period of initial testing, before being opened up to the broader hacking community within the public program.

Check out the Net+ private and public bug bounty pages for more details

**Open-Xchange (OX) App Suite**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**Open-Xchange’s OX App Suite is an open source email and productivity suite that purports to favor security by default rather than security through obscurity.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the OX App Suite bug bounty page for more details

**Open-Xchange Dovecot**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**Dovecot is Open-Xchange’s IMAP, POP3, and submission server for email, used within multiple operating systems and by “millions of operators”.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the Dovecot bug bounty page for more details

**Open-Xchange PowerDNS**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**€5,000 ($5,430)

**Outline:  
**PowerDNS is a DNS server that enables domain resolution and network security features.

**Notes:  
**Open-Xchange, hitherto a HackerOne client, has migrated its bug bounty programs to YesWeHack. CISO Martin Heiland recently discussed the hacking opportunities on offer with the Paris-based platform.

Check out the PowerDNS bug bounty page for more details

**S-Pankki**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The Finnish bank is offering up to $4,000 for critical vulnerabilities, $2,000 for high severity flaws, and $1,000 for medium severity bugs.

**Notes:  
**There are 11 assets in scope, including nine domains plus iOS and Android mobile applications.

Check out the S-Pankki bug bounty page for more details

**Superbet**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The Romanian online gaming company is offering a maximum of $2,000 for critical bugs, $1,000 for high severity issues, and $250 for medium impact vulnerabilities.

**Notes:  
**Just the one asset in scope: the.superbet.ro domain.

Check out the Superbet bug bounty page for more details

**Swiss Bankers**

**Program provider:  
**GObugfree

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**Swiss Bankers is a financial services firm specializing in prepaid credit cards, mobile payment, and money transfer.

**Notes:  
**Hackers can participate by invitation only.

Check out the Swiss Bankers bug bounty page for more details

**Threema (Enhanced)**

**Program provider:  
**GObugfree

**Program type:  
**Public

**Max reward:  
**CHF10,000 ($10,778)

**Outline:  
**Swiss instant messenger service Threema has upped maximum payouts from CHF4,000 ($4,311) To CHF10,000 ($10,778) after launching the program in May 2022.

**Notes:  
**This news comes after the privacy-focused software disputed claims that there were several security flaws in its encrypted messaging platform.

Check out the Threema bug bounty page for more details

**TRON DAO**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**TRON DAO is an open source platform for creating decentralized applications, new financial primitives, and interoperable blockchains.

**Notes:  
**TRON’s Java source code is currently the sole asset in scope.

Check out the TRON DAO bug bounty page for more details

**Wato-soft**

**Program provider:  
**GObugfree

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**Swiss IT services firm specializing in Enterprise resource planning (ERP) software.

**Notes:  
**Hackers can participate by invitation only.

Check out the Wato-Soft bug bounty page for more details

**Other bug bounty and VDP news this month**

*   An Amazon virtual hacking event with HackerOne was the platform’s highest paying virtual event ever, with more than 50 security researchers collectively earning $832,135. The 10-day hackathon’s overall winner was @jonathanbouman, while ‘Best Team Collaboration’ went to ‘spacebaffoons’ @the\_arch\_angel, @spaceraccoon, and (one time Daily Swig interviewee) @ajxchapman
*   As referenced in our latest Deserialized roundup, Intigriti has flagged a Belgium-wide safe harbor clause in the country’s proposed whistleblower law, and a New Scientist feature on a mathematical means of demonstrating valid exploits without risking public disclosure
*   Finally, YesWeHack has penned a how-to on using Burp Suite extension Highlighter And Extractor (HaE) to surface vulnerabilities via regular expressions

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for January 2023

Bug Bounty Radar // The latest bug bounty programs for February 2023

Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection.
Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1.
"If exploited, this vulnerability allows remote attackers to inject

Data Security / Vulnerability

Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection.

Tracked as **CVE-2022-27596**, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1.

"If exploited, this vulnerability allows remote attackers to inject malicious code," QNAP said in an advisory released Monday.

The exact technical specifics surrounding the flaw are unclear, but the NIST National Vulnerability Database (NVD) has categorized it as an SQL injection vulnerability.

This means an attacker could send specially crafted SQL queries such that they could be weaponized to bypass security controls and access or alter valuable information.

"Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack," according to MITRE.

The vulnerability has been addressed in versions QTS 5.0.1.2234 build 20221201 and later, as well as QuTS hero h5.0.1.2248 build 20221215 and later.

Zero-day vulnerabilities in exposed QNAP appliances have been put to use by DeadBolt ransomware actors to breach target networks, making it essential to update to the latest version in order to mitigate potential threats.

To apply the updates, users are advised to log in to QTS or QuTS hero as an administrator, navigate to Control Panel > System > Firmware Update, and select "Check for Update" under the "Live Update" section.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#zero_day