Bugcrowd is pleased to recognize our November 2017 Hall of Fame winners!
Previously, in The Personalities that Put the “Crowd” in Bugcrowd (Part 1 of 3), I covered the “Knowledge-Seeker” and “Hobbyist” personality types, two of the five distinct personalities that make up our crowd of over 65,000 security researchers. For companies to run successful bug bounty programs, it's important to understand researcher motivations, so in this post I will cover the next two personality types: the “Full-Timer” and the “Virtuoso”. If you want to learn more about all five personalities, along with other interesting data and metrics about our crowd, check out our Inside the Mind of a Hacker 2.0 report. And with that, let’s dive right in!
Crowdsourced security testing and vulnerability disclosure programs require the right combination of policy, resources, and support to be successful. Bugcrowd's leading platform and team bring years of experience facilitating success with white-glove management of these programs. From policy design through launch and submission management, our Operations team works as a close partner of our talented researcher community and of our customers.
Last week, David Baker (Bugcrowd’s Chief Security Officer) released a blog post discussing why it's important to understand researcher motivations in order to run a successful bug bounty program. Furthermore, to enable current and future customers to get a better handle on what drives security researchers at Bugcrowd, we released the Inside the Mind of a Hacker (version 2.0) report covering a broad range of metrics on who makes up the Crowd, including data on age, level of education, geographic location, and most importantly, what motivates us (and I use the term “us” because I myself am a security researcher on Bugcrowd).
What we know so far
Earlier today it was publicly disclosed that Apple’s macOS High Sierra contains a trivially exploitable flaw that allows a malicious individual to obtain a persistent root account on your system. It is not yet clear whether this vulnerability is remotely exploitable, but out of an abundance of caution there are several steps you can take immediately to protect your system.
The bug bounty market is growing quickly. While an increasing number of organizations are embracing the concept, some confusion and ambiguity still remains around paying hackers for vulnerabilities. Events like the recently disclosed Uber breach illustrate this confusion. I’ll take this opportunity to clarify and define this rapidly evolving market.
Last week, we released our second annual Inside the Mind of a Hacker 2.0 report. We dove into different hacker profiles, their motivations for hacking, and the impact building a relationship makes on a successful bug bounty program. We found lots of interesting stats on our bug hunting community, both expected and surprising.
We are excited to introduce new submission search and filtering capabilities to Crowdcontrol, built to optimize the time you spend finding submissions.
Over the last three years, we have seen a steady rise in vulnerability submissions, with a 67% increase in submissions year over year and a 73% increase in valid submissions. What is driving this steady rise? Our recent “2017 State of the Bug Bounty Report” discusses bounty adoption growth, citing a 77% increase in new programs over the last year. Of all the programs we run, 44% are for organizations larger than 500 employees. Organizations of this size often have much larger attack surfaces, which can result in a high rate of submissions. To ensure our users are able to keep up with this increase in activity, they need better ways to query their submissions.
Since the 1990s, the internet has been filling our digital world with an immense amount of content, right at our fingertips. Because of that volume, much of this content isn’t relevant to you. So where do you go to easily find the information that yields the most value? Google, of course! In 1998, the company introduced a simple way to sift through a huge amount of data and find exactly what you are looking for, fast.
Just as Google helps you find the most relevant content based on a simple search, Crowdcontrol now lets you find the exact submission you are looking for. We recognize that each user on Bugcrowd is unique, whether you are a researcher or a customer, and a query that matters to one organization may not matter to another. With that in mind, Crowdcontrol’s new submission filtering offers a tokenized search capability, allowing you to easily search for and find specific submissions.
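As an added illustration of the idea (this is not Crowdcontrol's own code, and the field names, token syntax and sample submissions below are assumptions made for the example), here is a small tokenized search over constructed submission records: a `field:value` token filters on a whitelisted field, repeated tokens for the same field are OR-ed together, a leading `-` negates a token, quoted phrases are kept whole, and anything else is a free-text term that must appear in the submission. The field whitelist matters: resolving user-supplied field names with `getattr` without it would let a query reach attributes such as `__class__`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Submission:
    id: int
    title: str
    severity: str   # P1 (critical) .. P5 (informational)
    state: str      # new, triaged, resolved, duplicate
    target: str
    researcher: str


# Constructed sample data; not real Bugcrowd submissions.
SUBMISSIONS = [
    Submission(1, "SQL injection in login form", "P1", "triaged", "api.example.com", "alice"),
    Submission(2, "Stored XSS in comment field", "P2", "new", "www.example.com", "bob"),
    Submission(3, "Reflected XSS in search", "P3", "resolved", "www.example.com", "alice"),
    Submission(4, "Open redirect on logout", "P4", "duplicate", "www.example.com", "carol"),
    Submission(5, "IDOR exposes other users' invoices", "P2", "triaged", "api.example.com", "bob"),
]

# Only these attributes may be used as filter fields (hypothetical field set).
FIELDS = {"severity", "state", "target", "researcher"}

# One token: optional '-', optional 'field:', then a quoted phrase or a bare word.
TOKEN_RE = re.compile(r'(-?)(?:(\w+):)?("[^"]*"|\S+)')

Filters = Dict[str, Set[str]]   # field name (or "_text") -> accepted values


def parse_query(query: str) -> Tuple[Filters, Filters]:
    """Split a query into positive and negated filters, all lower-cased."""
    include: Filters = {}
    exclude: Filters = {}
    for neg, field, raw in TOKEN_RE.findall(query):
        key = field.lower() if field else "_text"
        value = raw.strip('"').lower()
        bucket = exclude if neg else include
        bucket.setdefault(key, set()).add(value)
    unknown = (set(include) | set(exclude)) - FIELDS - {"_text"}
    if unknown:
        # Reject before any attribute lookup so a query cannot name arbitrary attributes.
        raise ValueError(f"unknown filter field(s): {sorted(unknown)}")
    return include, exclude


def _matches(sub: Submission, include: Filters, exclude: Filters) -> bool:
    text = f"{sub.title} {sub.target} {sub.researcher}".lower()
    for key, values in include.items():
        if key == "_text":
            if not all(v in text for v in values):      # every term must appear
                return False
        elif getattr(sub, key).lower() not in values:   # same-field values are OR-ed
            return False
    for key, values in exclude.items():
        if key == "_text":
            if any(v in text for v in values):
                return False
        elif getattr(sub, key).lower() in values:
            return False
    return True


def search(query: str, submissions: List[Submission] = SUBMISSIONS) -> List[int]:
    """Return the ids of submissions matching the tokenized query, in input order."""
    include, exclude = parse_query(query)
    return [s.id for s in submissions if _matches(s, include, exclude)]


if __name__ == "__main__":
    for q in ["severity:P1", "xss -state:resolved", '"stored xss"',
              "severity:P2 severity:P3 researcher:alice"]:
        print(f"{q!r:45} -> {search(q)}")
```

A query such as `state:triaged target:api.example.com` narrows by two fields, `xss -state:resolved` drops anything already fixed, and an empty query returns every submission, which is the behaviour a filtering UI usually wants as its starting point.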
Last year, we launched the Inside the Mind of a Hacker report, sharing insights into the distinct profiles and stories gathered from the Bugcrowd researcher community. Today we’re launching our second iteration, Inside the Mind of a Hacker 2.0, diving deeper into the collective power and intelligence the bug bounty community brings to the war on bugs.
The stakes have never been greater, it seems. Breaches and attacks from independent actors or nation states have increased in number and their impact can be felt by all. At Bugcrowd, we’ve built a community of more than 65,000 security researchers and white-hat hackers that is helping organizations around the globe increase their defenses by finding and resolving security vulnerabilities at break-neck speed.
We are consistently asked “How Do I Earn Private Program Invitations?”
Hands down, this is the question we hear most often from members of our Crowd, so we want to take this opportunity to reemphasize the most important things to keep an eye on if you’re looking to get invited to a private program.
Since 2015, we have consistently used the following performance and activity markers (plus any technical skills a program requires) to choose our program participants. The criteria we continue to use to determine invites: