Origin Energy goes public with bug bounty program

Origin Energy has released its bug bounty program, offering up to $2,500 for confirmed vulnerabilities.

Run on Bugcrowd's platform, the program had operated privately since 2018.

Bugcrowd used LinkedIn last week to announce the program is now “public and reachable”.

“Origin has participated in the Bugcrowd vulnerability rewards program since 2018,” an Origin Energy spokesperson told iTnews.

“We use Bugcrowd’s Bug Bounty program to reward cybersecurity researchers and white hat hackers for finding and reporting vulnerabilities in our software that have the potential to be exploited.

“This is an ongoing approach to cybersecurity, which perfectly complements our internal security code audits and penetration testing as part of our vulnerability management program.”

At this point, Origin wants researchers to focus their attention on its “core publicly available assets”, meaning its web applications: its website, its content delivery network, and its web-accessible APIs, with the authentication API excluded from scope.

Bug classes of interest include remote code execution, server-side request forgery (SSRF), stored or reflected cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, XML external entity (XXE) attacks, and access control flaws.

Origin Energy said it is most interested in vulnerabilities that could expose customer information or that “subvert business controls” such as offer redemptions or discounts.

The bounty program follows the usual Bugcrowd rules: denial of service testing is excluded; researchers must not modify Origin’s or its customers’ data; researchers are responsible for ensuring that they only test domains belonging to Origin; and they must not launch attacks via forms.

If the tester is viewing authenticated sections of the target, they must be an Origin customer with MyAccount access.

The program also puts Origin Energy’s chat function out of the reach of researchers.

Ryan H. Bowman