Origin Energy has made its bug bounty program public, offering up to $2500 for confirmed vulnerabilities.
Run under Bugcrowd, the program has been operating privately since 2018.
Bugcrowd used LinkedIn late last week to announce the program is now “public and joinable.”
“Origin has been participating in the Bugcrowd vulnerability rewards program since 2018,” an Origin Energy spokesperson told iTnews.
“We use the Bugcrowd bug bounty program to reward cyber security researchers and white hat hackers for finding and reporting vulnerabilities in our software that have the potential to be exploited.
“It’s an always-on approach to cyber security, perfectly supplementing our internal security code audits and penetration tests as part of our vulnerability management program.”
At this stage, Origin wants researchers to focus their attention on its “primary publicly-facing assets” – its web applications. That covers its website, content distribution network, and Internet-facing APIs, excluding its authentication API.
Bug classes of interest include server-side remote code execution and request forgery, stored or reflected cross-site scripting, cross-site request forgery, SQL injection, XML external entity attacks, and access control vulnerabilities.
Origin Energy said it is most interested in vulnerabilities that could leave customer information vulnerable, or that “subvert business controls” such as offer redemption or discounts.
The bounty program follows the usual Bugcrowd rules: denial-of-service testing is excluded, researchers must not alter Origin’s or its customers’ data, researchers are responsible for ensuring they only test domains owned by Origin, and they must not launch attacks via forms.
If the tester is looking at authenticated sections of the target, they must be an Origin customer with MyAccount access.
The program also puts Origin Energy’s chat function off-limits to researchers.