Keep track of the latest security news, and in touch with the bounty community.

Heroku Launches a New Bug Bounty Program with Bugcrowd

We’re pleased to announce Heroku has joined forces with Bugcrowd to launch a bug bounty program! View their Bugcrowd bounty page here. We’re excited to partner with Heroku, providing them with an all-in-one bug bounty solution that allows them to focus on what’s important – The security of their platform and their customers. With the Read article →

Open Letter to Internet Users and Businesses: Help Us Test OpenSSL and Make the Internet Safer

Dear Internet Users, To skip directly to the Crowdtilt campaign: https://www.crowdtilt.com/campaigns/lets-make-sure-heartbleed-doesnt-happen-again OpenSSL is the software that you rely on to keep you secure on the Internet. It’s everywhere, from banking websites to the router in your home, and it’s quite likely on the computer you’re sitting at right now.  In April 2014, a vulnerability was disclosed Read article →

Heartbleed Dataset Collection

As sure as there are vulnerabilities as interesting and remotely exploitable (CVSS Exploitability Score: 10) as Heartbleed, there are security researchers who develop tools (a list of which you’ve helped us compile here) and use them to build incredibly insightful data sets. Here’s a few Heartbleed datasets we were looking at today… If we’re missing anything Read article →

Is the Heartbleed exploit out yet?

In short, Yes. A list of POCs are provided below. If we’re missing anything let us know via Twitter @bugcrowd, and we’ll add it to the list and credit you for helping out. Last update: 16 April 2014 11:04 PDT Unless you spent yesterday and this morning under a rock you’ll have heard about a Read article →

The problem with cold testing

Even when security testers have the best of intentions, sometimes sending an unsolicited vulnerability disclosure to a company can have negative consequences. The lifecycle of a bug bounty program often begins as a reaction to a security event. While we advise companies to be proactive, a larger majority of companies are caught off guard by Read article →

To reward a bug bounty submission… or not to reward…

That is the question you’ll quickly discover after starting a bug bounty program. We’re regularly asked how Bugcrowd determines if a bug bounty submission is rewardable. Today, as we approach 10,000 submissions, and as part of Bugcrowd’s commitment to transparency, we’re shedding some light on our submission evaluation process. Its important to note up front that Read article →

Crowdcontrol – The 1st responsible disclosure platform

Since we started Bugcrowd we’ve been reaching out to companies to learn about the challenges involved with setting up and running a responsible vulnerability disclosure program. We discovered the difficulties of handling submission scoring in an email inbox, the underestimated amount of effort that is required to support researcher submissions, and the hassle of reward Read article →

Marisa’s RSA Conference Week In Review

Before I go into my thoughts about this year’s RSA Conference, I’d like to personally thank everyone that came out to support Bugcrowd during our events this week. We wanted to meet you all and hang out, and in that regard it went better than we could have hoped for. (And welcome to all of Read article →

HP Zero Day Initiative’s vulnerability fix timeline now 120 days

HP’s Zero Day Initiative has upped the ante for vulnerability disclosure by asking vendors to fix disclosed vulnerabilities within 120 days. While many issues are being fixed within the existing window, HP Zero Day is pushing vendors to be even more responsive, stating that they’d release limited details after 120 days. ZDI’s current inventory consists Read article →

BSidesSF 2014 – Duo Security and Trey Ford

It’s Monday, and RSA/B-sides week 2014 is already in full force! Over the last 24 hours, a ton of important security topics have been discussed at BsidesSF 2014. (Bugcrowd is very proud to be supporting the information security community as a BsidesSF Core sponsor.) Zach Lanier and Mark Stanislav – The Internet of Things Duo Security announced Read article →