Bugcrowd Blog

Ring ring! Hello, Mobile Testers?

Posted by Chloe Brown on Jul 18, 2016 10:50:03 AM

In April we announced a Mobile bonus reward program for researchers who submitted valid, non-duplicate mobile vulnerabilities for a chance to win $1000, and in early June we expanded the program to two bonuses. We are excited to announce our two winners, and congratulate putsi and robinooklay for their mobile submissions!

Bugcrowd Updates

Fiat Chrysler - The First Full-Line Automaker to Launch a Paid Public Bug Bounty Program

Posted by Casey Ellis on Jul 13, 2016 6:56:39 AM

2015 was the year the public perception of automobile safety changed forever… Chris Valasek and Charlie Miller’s notorious Jeep Cherokee hack transformed the idea of the humble automobile into a 2-tonne computer that can be hacked just like any other. In recent years, automakers have been realising that hackers just like Charlie and Chris are already at the table, ready and willing to help, and are leveraging the work coming out of this community to make their products safer from cyber threats.

We are excited to announce that Fiat Chrysler Automobiles is joining the ranks of those pioneering this relationship, by becoming one of the first automakers to launch a bug bounty program.

Bugcrowd Updates

June 2016 Leaderboard

Posted by Kaila Pollart on Jul 11, 2016 12:30:00 PM

Bugcrowd is excited to announce our June 2016 Hall of Fame winners! Apologies for the delay in posting this, but I'm sure you've all seen that we're pretty busy planning big things for Black Hat + DEFCON this August.

Once again, mongo has topped the June leaderboard with his amazing work across our platform. Following up, we're happy to have mert in second place, and Web_Plus rounding out the top three. To thank our top performers for their hard work, Bugcrowd is pleased to announce that all three researchers will receive bonuses for their performance.

Bugcrowd Updates

Bugcrowd VIP Party at DEFCON 2016

Posted by Kymberlee Price on Jul 8, 2016 9:33:06 AM

The one month countdown to both Black Hat USA and DEFCON has officially started, and we have a lot planned for both the Crowd and our customers this August. There are many more announcements to follow, but this is one that can't wait.

Bugcrowd Updates

Essential to a Successful Bounty Brief: Exclusions

Posted by Grant McCracken on Jun 29, 2016 11:00:00 AM

In continuing our series on building a bounty brief, we've already covered step 0, creating a scope, and also touched briefly on focus areas. Now that you have the foundation of what you want researchers to be testing, it's time to turn your attention to what you don't want them to be testing, which is just as important as (if not more important than) clearly stating what you do want tested. We do this by explicitly noting, and drawing the researcher's attention to, our exclusions.

Why is it so important? Simply put, it's a matter of respecting researchers' time and effort. If we take a moment to look at this from a researcher's point of view, every issue that we clearly exclude on the bounty brief is something they won't need to waste their time testing for or reporting. A brief that doesn't contain explicit exclusions runs the risk of receiving issues that the program owner doesn't care about, wasting the time and resources of both the researcher and the program owner. To clearly document these exclusions, we've identified five of the most common categories to consider when building your program: low impact issues, intended functionality, known issues, accepted risks, and issues resulting from pivoting.

Running Your Own Program

Bug Bounty Lifecycle, Visualized

Posted by Payton O'Neal on Jun 28, 2016 2:32:08 PM

We recently released the State of Bug Bounty 2016 Report, which aggregated data and trends from companies running bug bounty programs and from researchers participating in them. A major takeaway from the accompanying survey of security professionals was the response to 'What are your organization's apprehensions about running a bug bounty program?' The number one most popular answer was 'Not sure where to begin.'

Running Your Own Program

Big Bugs Podcast Episode 3: $15K for IoT Device Takeover

Posted by Jason Haddix on Jun 27, 2016 12:17:50 PM

Today we published the third episode of our podcast series 'Big Bugs', hosted by me. In this episode, embedded in this post and available on SoundCloud, I am joined by special guest Adam Hartway of Digital Safety (DiSa) to explore a $15K bug uncovered in their winner-takes-all bug bounty program.

Interesting

Sandbagging, 'Sneakers' and Steganography: Bugcrowd's First Internal CTF

Posted by Leif Dreizler on Jun 24, 2016 4:19:04 PM

In early February Bugcrowd ran a CTF for its internal employees. The CTF was created and managed by our very own Director of Technical Operations, Jason Haddix. Haddix has been a part of many successful CTFs, both as a participant and organizer. He drew from his technical expertise and knowledge of hacker culture to make a fun and engaging CTF for Bugcrowd employees.

Interesting

Researcher Spotlight - Putsi

Posted by Sam Houston on Jun 14, 2016 2:03:12 PM

Putsi is #38 on the community leaderboard, with a 97.14% acceptance rate and an average bug priority of 3. Putsi just recently entered the top 40 on Bugcrowd and has had success with many private and public bounty programs on the platform.

Read below for our interview with Putsi and make sure to follow @Putsi on Twitter.

Researcher Profiles

OWASP's Open Source Bug Bounty Launch

Posted by Payton O'Neal on Jun 13, 2016 3:28:37 PM

A few weeks ago we launched a very exciting program, and now that it’s well underway, we wanted to give a huge shout out to the awesome organization making it happen. The Open Web Application Security Project (OWASP) is not only the authority on most things application security but also a phenomenal open source organization that is constantly trying new things, evolving and innovating the application security landscape.

Bugcrowd Updates
