4chan launches bug bounty program
Posted on 07 May 2014.
In the wake of the recent data breach that spelled the end of art products Canvas and DrawQuest, 4chan founder and owner Chris "moot" Poole has announced that they will be launching the 4chan Vulnerability Disclosure Program.

After having described the various mistakes that allowed the intruder to obtain and leak information about 4chan users, as well as moderator names and IP addresses, Poole added that they have patched the vulnerability that made the attack possible, and have spent two weeks reviewing their code and servers "to apply fixes and make improvements where possible."

The attacker also managed to compromise Poole's AWS account, and create an admin account, which allowed him to spin up a hundred extra-large instances, likely for Bitcoin mining.

"There's no silver bullet when it comes to security, and the only way to stay ahead of it is constant vigilance," he noted in a blog post. "Don't rely on any one method to protect your service, assume the methods you already have in place don't work, adhere to best practices, and make it a point to revisit security on a regular basis, not just when something goes terribly wrong."

To that end, they have started the bug bounty program, which covers vulnerabilities and bugs in websites and services operated by 4chan (4chan.org, 4channel.org, 4cdn.org, and their subdomains).

Researchers are urged to test for both hardware and software flaws, but are warned not to submit vulnerabilities reported by automated vulnerability scanning tools unless they have a working PoC or reason to believe that the issue is exploitable. They are also told that 4chan users, volunteers, customers, and employees are not to be targeted (either physically or via social engineering).

"We will investigate all legitimate reports and do our best to quickly fix the problem," Poole announced. Less than 24 hours after the program was launched, a bug had already been submitted and resolved by the team.

As far as the bounties are concerned, they are largely symbolic: inclusion in the 4chan Hall of Fame, and either $20 in self-serve advertising credit valid for one year, or a 4chan Pass valid for one year.

Now it only remains to be seen if these incentives will be enough.
Copyright 1998-2014 by Help Net Security.