On Software Liabilities
Over on Lawfare, Jim Dempsey published a really interesting proposal for software liability: "Standard for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor." Section 1 of this paper sets the stage by briefly describing the problem to be solved. Section ...
Sorare: Mystery with a leaked token and Reusability of email confirmation link leading to Account Takeover
A vulnerability was discovered where leaked email confirmation links could be reused to gain access to a user's account without requiring a password. This was possible by modifying the token parameter in the URL of the expired confirmation link. An attacker who gains access to such a leaked link...
Bbrecon - Python Library And CLI For The Bug Bounty Recon API
Bug Bounty Recon bbrecon is a free Recon-as-a-Service for bug bounty hunters and security researchers. The API aims to provide a continuously up-to-date map of the Internet "safe harbor" attack surface, excluding out-of-scope targets. It comes with an ergonomic CLI and Python library. This...
Black Hat 2020: In a Turnaround, Voting Machine Vendor Embraces Ethical Hackers
Voting machine-maker Election Systems & Software (ES&S) formally announced a vulnerability disclosure policy on Wednesday during a Black Hat USA 2020 session. The move, which comes with the U.S. presidential elections looming in November, shows that voting-machine vendors are beginning to take t...
Bug Bounty Programs Are Being Used to Buy Silence
Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers: Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the...
Microsoft Lab Offers $300K For Working Azure Exploits
Las Vegas – In an attempt to sniff out bugs in its Azure cloud platform, Microsoft announced at Black Hat USA 2019 on Monday that it will offer rewards of up to $300,000 for researchers who launch successful test exploits for the platform. Microsoft has launched a dedicated Azure cloud host testi...
GitHub Increases Rewards, Scope For Bug Bounty Program
GitHub has bolstered its bug-bounty program with increased rewards, an expanded scope of products and the addition of legal “safe-harbor” terms aiming to protect bounty hunters. The web-based hosting service announced Tuesday that its program, first launched in 2014, will no longer have a maximum...
Podcast: Bugcrowd Founder on Printer Bugs, IoT Bounty Hunting, and New VDP Project
Bugcrowd has had a busy summer. Recently, the bug-bounty company partnered with HP to launch the first-ever bug bounty program for printers, with rewards of up to $10,000 for discovered vulnerabilities. Bugcrowd also recently announced Disclose.io, an open-sourced project to standardize best...
Navigating an Uncharted Future, Bug Bounty Hunters Seek Safe Harbors
When researcher Kevin Finisterre found a security error in drone-maker DJI’s systems enabling him to access flight log data and images of customers, he thought he had hit the $30,000 jackpot as part of the drone company’s newly announced bug bounty program. Instead, when the incident occurred in...
What HIPAA and Other Compliance Teaches Us About the Reality of GDPR
With contributing author William J. Malik, CISA | VP, Infrastructure Strategies. The date for General Data Protection Regulation (GDPR) compliance is just weeks away, yet many organizations, especially those outside Europe, remain unprepared. It turns out that the experiences from other privacy...
France warns Microsoft to Stop Collecting Windows 10 Users' Personal Data
We have heard a lot about privacy concerns surrounding Windows 10 and accusations against Microsoft of collecting too much data about users without their consent. Now, the French data protection authority has ordered Microsoft to stop. France's National Data Protection Commission (CNIL) issued a form...
What you need to know: Navigating EU Data Protection changes – EU-US Privacy Shield and EU General Data Protection Regulation
If you're an organization with a trans-Atlantic presence that transmits and stores European citizens' data (e.g. employee payroll & HR data, client & prospect data) in the U.S., you will want to pay attention. What we will discuss was administered under the European Union's Data Protection Directive and a...
The Clock is ticking for EU and US to Negotiate New Safe Harbor Deal: What You Can Do to Stay Out of Legal Limbo
European authorities have given the European Union and US officials three months to come up with an alternative to the Safe Harbor agreement after the European Court of Justice (ECJ) declared Safe Harbor laws invalid earlier this month. The new agreement must protect the personal data of European...
EC Ruling Invalidates Safe Harbor - Now What?
In a ruling on October 7, 2015, the European Court of Justice (ECJ) invalidated the principal European component of the U.S.-E.U. Safe Harbor Framework when it ruled in Schrems v. Data Protection Commissioner. In the ruling the court said that the existing U.S.-EU Safe Harbor agreement, overseen by...