Bug Bounty Promotion: SQL Injection Bugs on All Verizon Media Assets  

SQL Injection

The Paranoids Public Bug Bounty program is launching a new promotion. Until the end of July 2021, researchers will be able to receive a 100 percent bonus on SQL injection bugs (CWE-89). All Verizon Media assets are in scope — you can find the program policy here.  

There are currently ten bonuses available. Because researchers typically find SQL injection vulnerabilities in groups, the Paranoids will pay a single bonus, per series of related reports. 

Any submitted report must be sent from Monday through Friday between 9AM and 5PM GMT-4. Bugs reported outside of these hours — this includes the holiday weekend (July 5) — will NOT BE eligible for the bonus. 

Several reminders: 

  • Reports will be triaged in the order they are submitted.
  • Reports which are incomplete or lack sufficient proof may be triaged after later reports. This may result in the later report receiving the bonus and not the earlier report. To try to address this, we will do our best to close incomplete reports and let you file a new, more complete report when you have the missing information.
  • The Promotion bonus applies only to the base value of the bug report. It does not apply to any additional bonuses which the report may be eligible for (including Same Bug Different Host).
  • To prove SQL Injection while limiting the potential to cause damage, we suggest pulling database names and potentially the names of tables within one database.
  • Providing a tailored SQLmap command that will trigger the vulnerability to be shown often helps make triage go very quickly.
  • To help flag reports, we encourage you to put “Public-004” in the title or summary of your report.
  • When we have reached one of the duration limits, this notice will be edited to state the Promotion has ended.
  • You may always continue to hack and submit bugs that are not related to this promotion.
  • CWE-89 SQL Injection vulnerabilities typically receive a Critical rating and a $10,000 bounty. Subject to the standard bounty approval process.
  • CeaseFires may be called during this promotion. That will earn a 25% bonus as usual, on the base bounty only.
  • YQL, LDAP, Vespa are not SQL

Act fast! The quantity of these bonuses is limited.