All news with #bug bounty tag

🤖 AI is increasingly used to accelerate bug bounty research, automating vulnerability discovery, API reverse engineering, and large-scale code scanning. While platforms and triage services like Intigriti can flag unreliable, AI-generated reports, smaller or open-source programs (for example Curl) are overwhelmed by low-quality submissions that consume significant staff time. Experts stress that AI augments skilled researchers but cannot replace human judgment.

🔍 AI-powered tools and large language models are speeding up vulnerability discovery, enabling so-called "bionic hackers" to automate reconnaissance, reverse engineering, and large-scale scanning. Platforms such as HackerOne report sharp increases in valid AI-related reports and payouts, but many submissions are low-quality noise that burdens maintainers. Experts recommend treating AI as a research assistant, strengthening triage, and preserving human judgment to filter false positives and duplicates.

🛡️ Pwn2Own Ireland 2025 concluded in Cork with security researchers awarded $1,024,750 after demonstrating 73 zero-day vulnerabilities across eight product categories. Targets included printers, network-attached storage, messaging apps, smart home and surveillance devices, home networking gear, flagship phones (iPhone 16, Galaxy S25, Pixel 9) and wearables. The contest expanded the attack surface to include USB port exploitation on locked mobile handsets while retaining Bluetooth, Wi‑Fi and NFC vectors. Summoning Team topped the leaderboard with $187,500 and 22 Master of Pwn points.

🔒On the first day of Pwn2Own Ireland 2025, security researchers exploited 34 unique zero-day vulnerabilities and collected $522,500 in cash awards. Team DDOS (Bongeun Koo and Evangelos Daravigkas) chained eight flaws to compromise a QNAP Qhora-322 router via its WAN interface and access a QNAP TS-453E, earning $100,000 and moving into second place on the Master of Pwn leaderboard. The Summoning Team led day one with $102,500 and 11.5 points after multiple successful root exploits. The Zero Day Initiative (ZDI) organized the event and coordinates 90-day responsible disclosure with affected vendors.

🛡️ Penetration testing remains a critical control, but the classic, one-size-fits-all approach can create hidden financial and operational burdens. Administrative overheads, complex scoping decisions and indirect remediation work all add time and cost while risking scope creep and disruption. The article recommends flexible, consumption-based models—such as PTaaS and Outpost24's CyberFlex—to improve coverage, transparency and ROI.

🔒 Apple has expanded its Security Bounty program, doubling the top award to $2,000,000 for exploit chains that achieve goals comparable to sophisticated mercenary spyware. The company says bonuses for Lockdown Mode bypasses and vulnerabilities found in beta software can push payouts past $5 million. New, higher rewards include $100,000 for a complete Gatekeeper bypass, $1,000,000 for broad unauthorized iCloud access, up to $300,000 for one-click WebKit sandbox escapes, and up to $1,000,000 for wireless proximity exploits. Apple is also introducing Target Flags, a mechanism that lets researchers demonstrate exploitability and qualify for accelerated awards processed immediately after verification, even before a fix is released.

🔐 Apple has increased the top award in its Apple Security Bounty program to $2m for exploit chains that emulate sophisticated mercenary spyware. Bonuses for Lockdown Mode bypasses and vulnerabilities found in beta software can more than double that payout, potentially exceeding $5m. Apple also raised many category rewards — including $100,000 for a Gatekeeper bypass and $1m for broad unauthorized iCloud access — and introduced a Target Flags initiative to speed and standardize exploitability demonstrations.

🔒 Google has launched an AI Vulnerability Reward Program (AI VRP) offering base rewards up to $20,000 and up to $30,000 with multipliers for validated AI-product bugs. The program moves AI-related reports from the Abuse VRP into a dedicated stream to simplify submissions and unify reward assessment. In-scope products include Search, Gemini apps and Workspace, and qualifying issues cover data exfiltration, phishing enablement and model theft. Content-focused prompt injections and jailbreaks remain out of scope and should be reported via in-product tools.

🛡️ Google has launched a new AI Vulnerability Reward Program to incentivize security researchers to find and report flaws in its AI systems. The program targets high-impact vulnerabilities across flagship offerings including Google Search, Gemini Apps, and Google Workspace core apps, and also covers AI Studio, Jules, and other AI integrations. Rewards scale with severity and novelty—up to $30,000 for exceptional reports and up to $20,000 for standard flagship security flaws. Additional bounties include $15,000 for sensitive data exfiltration and smaller awards for phishing enablement, model theft, and access control issues.

🔐 Zeroday Cloud is a new hacking competition focused on open-source cloud and AI tools, offering a $4.5 million bug bounty pool. Hosted by Wiz Research with Google Cloud, AWS, and Microsoft, it takes place December 10–11 at Black Hat Europe in London. The contest features six categories covering AI, Kubernetes, containers, web servers, databases, and DevOps, with bounties ranging from $10,000 to $300,000. Participants must deliver complete compromises and register via HackerOne.

🛡️ HackerOne paid $81 million to white-hat hackers over the past 12 months, supporting more than 1,950 bug bounty programs and offering vulnerability disclosure, penetration testing, and code security services. The top 100 programs paid $51 million between July 1, 2024 and June 30, 2025, and the top 10 alone accounted for $21.6 million. AI-related vulnerabilities jumped over 200%, with prompt injection up 540%, while 70% of surveyed researchers reported using AI tools to improve hunting.

🔒 The Microsoft Bounty Program distributed $17 million this year to 344 security researchers across 59 countries, marking the largest total payout in the program’s history. In partnership with the Microsoft Security Response Center (MSRC), researchers helped identify and remediate more than a thousand potential vulnerabilities across Azure, Microsoft 365, Windows, and other Microsoft products and services. The program also expanded coverage and awards for Copilot, identity and Defender scopes, Dynamics 365 & Power Platform AI categories, and refreshed Windows attack scenario incentives to prioritize high-impact research.

🔒 Microsoft is relaunching Zero Day Quest with up to $5 million in total bounties for high-impact Cloud and AI security research. The Research Challenge runs 4 August–4 October 2025 and focuses on targeted scenarios across Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365. Eligible critical findings receive a +50% bounty multiplier, and top contributors may be invited to an exclusive live hacking event at Microsoft’s Redmond campus in Spring 2026. Participants will have access to training from the AI Red Team, MSRC, and product teams, and Microsoft will support transparent, responsible disclosure.

🔒 Microsoft has expanded the .NET Bounty Program, increasing maximum awards to $40,000 and broadening coverage to include all supported .NET and ASP.NET versions, adjacent technologies like F#, templates, and GitHub Actions. The program simplifies award tiers, aligns impact categories with other Microsoft bounty programs, and defines report quality as complete (working exploit) or not complete, encouraging detailed, actionable submissions.

🛡️ Microsoft has updated the .NET Bounty Program, expanding scope and increasing maximum payouts to $40,000 for high-impact vulnerabilities. The program now covers all supported versions of .NET and ASP.NET (including Blazor and F#), repository templates, and GitHub Actions in .NET repositories. Awards are now tied to explicit severity and report quality criteria, with higher payments for complete, exploit-backed reports.

🔒 At 13, Dylan became the youngest researcher to collaborate with the Microsoft Security Response Center (MSRC), demonstrating notable technical skill, persistence, and professional communication. He progressed from Scratch to HTML and source-code analysis, discovering vulnerabilities in Teams and other services and reporting them responsibly. His findings influenced bug bounty terms to admit younger researchers while he continues to balance school, competitions, and extracurriculars.