Deutsche Post Security Cup – Bug Bounty Contest


The trend of paying for bugs is certainly catching on, the most recent entrant to the field is Deutsche Post the German postal service. They announced this week a security cup for their new online secure messaging service. The bug bounty trend has resurfaced recently with Mozilla increasing its bounty to $3000 and Google increasing their offering shortly after that too.

Teams will have seed money and will be awarded additional bounties for major and minor bugs. There’s quite a lot of money up for grabs if you count the seed money + find at least 2 critical bugs and a few minor bugs you could walk away with quite a fat stash.

Deutsche Post, the successor to the German federal postal service, will offer bounties for bugs researchers find in its E-Postbrief secure message service, the company announced this week.

The firm, which also operates the DHL overnight delivery service, will kick off a contest in October after it pre-approves research teams that apply for what it’s calling the Deutsche Post Security Cup. Each team will be seeded with €3,000 ($3,800), but must use their own tools and agree to not touch any private data they come across during their work. The teams must also keep quiet about any vulnerabilities they find until December, when Deutsche Post will award prizes and reveal the bugs it’s patched.

You can look at this two ways really, on one hand this is a good initiative meaning the system will be secured in some way. Of course that’s entirely dependant on the skill level of the people who enter the ‘cup’. But judging by the bounty amounts I’d say they are likely to attract a fairly decent crowd.

On the other hand you could say this is a form of crowd-sourcing, they are avoiding paying big bucks to a proper security company for an audit and farming it out under the guise of a bounty scheme to whoever shows up.

Bounties of €6,000 ($6,400) and €1,000 ($1,300) will be paid for major and minor bugs, respectively, with a four-member jury classifying the reported vulnerabilities. The jury includes Jennifer Granick, the civil liberties director of the Electronic Frontier Foundation (EFF) and Thorsten Holz, the co-founder of the German Honeynet Project, which places vulnerable systems on the Internet to collect malware.

Bug bounties and prizes gained momentum this summer after Mozilla and Google both hiked the rewards they pay to researchers who report vulnerabilities in Firefox and Chrome, respectively. Shortly after the bounty boosts, the long-running Zero Day Initiative (ZDI) bug payment program run by HP TippingPoint announced new rules, including a six-month deadline for patching reported problems.

More information about Deutsche Post’s bug contest can be found on its Web site.

I hope all findings are publicly published so we can really judge the value of the outcome and what kind of opportunity this represents for corporations who are looking for security solutions. It could bring about a whole new breed of ‘bounty hackers’ that solely exist (professionally) on these kind of offerings.

Plus the fact they do actually have some well-known judges who are credible and known in the industry. It seems like the whole bounty scheme could be heating up.

Source: Network World

Posted in: Exploits/Vulnerabilities

, , ,


Latest Posts:


GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.


Comments are closed.