
Bounty hunters wanted: Origin Energy takes bug bounty program public

Origin Energy has gone public with its bug bounty program, offering up to $2,500 for confirmed vulnerabilities.

Reporter
Thu, 30 Jun 2022

Origin Energy's program has been operating privately since 2018 on Bugcrowd.

Bugcrowd describes itself on its website as a "crowdsource security platform" that incentivises ethical hackers to report critical bugs. The platform connects ethical hackers, or cyber security researchers, with organisations that lack the in-house resources or breadth of skills to find hidden vulnerabilities themselves, addressing the skills gap.

In a LinkedIn post, the Bugcrowd team congratulated Origin Energy for "achieving a big milestone in their cyber security maturity journey", announcing the new development.

"A big congrats to the amazing Origin Energy team. Their Bug Bounty [is] Public and joinable," the Bugcrowd LinkedIn post read.

In an iTnews interview, an Origin Energy spokesperson explained that the company uses the Bugcrowd vulnerability rewards program as part of its "always-on" approach to security.

"We use the Bugcrowd bug bounty program to reward cyber security researchers and white hat hackers for finding and reporting vulnerabilities in our software that have the potential to be exploited.

"It's an always-on approach to cyber security, perfectly supplementing our internal security code audits and penetration tests as part of our vulnerability management program," the Origin Energy spokesperson said.

Through the program, Origin Energy is putting its primary public-facing assets in scope: its website, its content delivery network (CDN), and its internet-facing APIs, with the exception of its authentication API.

The bug classes of interest are server-side request forgery (SSRF), remote code execution (RCE), stored or reflected cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, XML external entity (XXE) injection, and access control flaws.

Origin Energy added that it is most interested in vulnerabilities with the potential to expose customer information, or that "subvert business controls" such as offer redemption or discounts.
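What "subverting a business control" such as offer redemption looks like in code, as an added example that is not Origin Energy's or Bugcrowd's code: a hypothetical redemption handler that trusts a client-supplied discount and never consumes single-use codes, beside a version that enforces the control server-side. The offer codes, account identifiers and amounts are constructed for illustration.

```python
"""Added example (not Origin Energy's or Bugcrowd's code): an offer-redemption
handler that can be subverted, beside one that enforces the business control
on the server. Offer codes, account ids and amounts are constructed."""
from dataclasses import dataclass, field
import threading


@dataclass
class Offer:
    code: str
    discount: int                       # whole currency units off the bill
    single_use: bool                    # one redemption per account if True
    redeemed_by: set = field(default_factory=set)


# Constructed catalogue; a real system would load this from a database.
OFFERS = {
    "WELCOME50": Offer(code="WELCOME50", discount=50, single_use=True),
    "WINTER10": Offer(code="WINTER10", discount=10, single_use=False),
}


def redeem_vulnerable(request: dict, bill_total: int) -> int:
    """Subvertible version: the discount amount is taken from the request
    if present, so the client controls it, and a single-use code is never
    marked as consumed, so it can be replayed on every bill."""
    code = request.get("code", "")
    if code not in OFFERS:
        return bill_total
    # Deliberate flaw: client-supplied value overrides the catalogue.
    discount = int(request.get("discount", OFFERS[code].discount))
    return bill_total - discount        # no clamp: bill can go negative


class RedemptionError(Exception):
    pass


_lock = threading.Lock()                # stand-in for a DB transaction


def redeem_hardened(request: dict, account_id: str, bill_total: int) -> int:
    """Server-enforced version: the discount comes only from the catalogue,
    single-use codes are consumed atomically per account (so a race between
    two concurrent requests cannot redeem twice), and the result is clamped
    so the bill never drops below zero."""
    offer = OFFERS.get(request.get("code", ""))
    if offer is None:
        raise RedemptionError("unknown offer code")
    with _lock:
        if offer.single_use:
            if account_id in offer.redeemed_by:
                raise RedemptionError("offer already redeemed by this account")
            offer.redeemed_by.add(account_id)
    return max(0, bill_total - offer.discount)


if __name__ == "__main__":
    # Attacker-style request: valid code, inflated discount, replayed twice.
    forged = {"code": "WELCOME50", "discount": "999"}
    print("vulnerable:", redeem_vulnerable(forged, 200), redeem_vulnerable(forged, 200))
    print("hardened:  ", redeem_hardened(forged, "acct-1", 200))
    try:
        redeem_hardened(forged, "acct-1", 200)
    except RedemptionError as exc:
        print("hardened replay rejected:", exc)
```

The hardened handler ignores every field in the request except the code itself; the amount, the single-use rule and the floor of zero all live on the server. In a production system the lock becomes a database transaction with a unique constraint on (account, code), which is what actually stops the replay under concurrent load.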

The bounty program follows the usual Bugcrowd rules: denial-of-service testing is excluded, researchers must not alter Origin's or its customers' data, researchers are responsible for confirming that any domain they test is owned by Origin, and they must not launch attacks through the site's forms.

If the tester is looking at authenticated sections of the target, they must be an Origin customer with MyAccount access.

The program also puts Origin Energy's chat function off-limits to researchers.
