Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Hackers Offered Up to $1,000 for Vulnerabilities in Drupal 8

The Drupal security team announced this week that it’s prepared to offer up to $1,000 for vulnerabilities found in Drupal 8, the latest version of the popular open source content management system (CMS).

The Drupal security team announced this week that it’s prepared to offer up to $1,000 for vulnerabilities found in Drupal 8, the latest version of the popular open source content management system (CMS).

Drupal 8, which will be released soon, brings major architectural changes. The developers said they want to ensure that this version upholds the same level of security as previous releases, and they’re turning to white hat hackers for help in achieving this goal.

The Drupal 8 bug bounty program, funded with money from the Drupal Association D8 Accelerate program, is open until August 31, 2015, but the period might be extended.

As part of the program, powered by the crowdsourced security bug-finding platform Bugcrowd, Drupal is prepared to offer between $50 and $1,000 for cross-site scripting (XSS), SQL Injection, cross-site request forgery (CSRF), access bypass, and other flaws.

“The more serious the issue, the more the security team will be paying. Issues must first be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it,” Drupal said.

SSL and HTTP security issues, clickjacking, error messages, logout CSRF, disclosure of known public files or folders, and username enumeration are not in the scope of the bug bounty program. Drupal developers have also pointed out that attacks requiring the attacker to have elevated privileges will not be taken into consideration.

Researchers who identify vulnerabilities in Drupal 7 or contributed projects are urged to report them to the developer, but they should not expect to get paid.

Experts interested in hacking Drupal 8 are instructed to install a copy of the CMS from Git and report their findings through Bugcrowd.

Advertisement. Scroll to continue reading.

Drupal is not the only organization to launch a bug bounty program through Bugcrowd this week. Electric vehicle company Tesla Motors announced that researchers can earn between $25 and $1,000 for each of the bugs they find on teslamotors.com and other official domains. The shop.teslamotors.com, ir.teslamotors.com and feedback.teslamotors.com websites are not included in the program as they are third-party sites hosted by non-Tesla entities.

The bug bounty program covers only Tesla’s web application. Those who uncover security issues in other services and products, such as vehicles, are advised to report them to vulnerability (at) teslamotors.com.

Tesla is prepared to offer $200-$500 for XSS, $100-$500 for CSRF, $500-$1,000 for SQL injection and vertical privilege escalation, and $1,000 for command injection.

Related: United Airlines Offers Air Miles in New Bug Bounty Program

Related: Western Union Launches Public Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.