Security Experts:

Western Union Launches Public Bug Bounty Program

Financial services and communications company Western Union has launched a public bug bounty program via the Bugcrowd platform. Researchers who identify serious security issues can earn up to $5,000 per bug.

Western Union had been running a private vulnerability disclosure program on Bugcrowd since early 2014. However, the company has now decided to make its program public to allow all of the 15,000 researchers who have signed up on the crowdsourced security testing platform to report flaws.

The new public bug bounty program covers all of Western Union’s main domains, including westernunion.com, westernunion.de, westernunion.fr, india.westernunion.com. m.westernunion.com. and foundation.westernunion.com.

However, the company has highlighted that these websites are variations of a single core Web application. This means that a vulnerability identified in one domain can likely be reproduced on other domains as well, but it will be eligible for a single reward.

For the time being, Western Union’s blog (blog.westernunion.com) is not available for testing as it is being transitioned to new servers.

Experts who report eligible vulnerabilities can earn between $100 and $5,000 per bug. It’s worth noting that several types of security issues are not eligible for a bounty, including descriptive error messages, brute-force attacks on the login and password reset pages, clickjacking, self-XSS, cross-site request forgery (CSRF) on pages available to anonymous users, logout CSRF, and flaws related to SSL settings.

"[Bugcrowd’s] testers dig deep in their testing. Not only will they take a URL and test it for many days, but they have also found what other systems have not identified. No system can be proven to have zero vulnerabilities, so continuous testing at this level of depth is great,” said David Levin, Western Union’s director of information security.

Researchers who take part in Western Union’s bug bounty program must keep in mind that they need to obtain explicit permission before publicly disclosing the vulnerabilities they find.

"Traditionally, financial institutions have been slow to adopt the crowdsourced security model, but the online world has grown so quickly and the cyberattacks against consumers have been so aggressive, it's clear the risk isn't going away," said Casey Ellis, CEO and co-founder of Bugcrowd. "We're thrilled to support Western Union both in their efforts to scale and manage their bug bounty program, and as they continue to pioneer the way for financial institutions of all sizes."

Western Union is not the only major brand to launch a vulnerability disclosure program this month. Adobe announced a program through HackerOne, but the company isn’t offering any monetary rewards. Instead, researchers who find flaws can boost their HackerOne reputation score.

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.