Bugcrowd Blog

Researcher Spotlight: Mongo

Posted by Sam Houston on Jan 29, 2016 3:38:30 PM

When a new researcher joins our community and quickly climbs the ranks, we take notice. This week’s spotlight is on Mongo, currently ranked 8th on the Bugcrowd Leaderboard with an acceptance rate of 99%. And this is after only 6 months of submitting bugs!

Researcher Profiles

December 2015 Hall of Fame

Posted by Kymberlee Price on Dec 31, 2015 3:37:00 PM

Bugcrowd is excited to announce our December 2015 Hall of Fame winners!  To thank our top performers for their hard work, Bugcrowd is pleased to announce that the following three researchers will receive bonuses for their performance.

Bugcrowd Updates

Building Bugcrowd: Our First Principles

Posted by Casey Ellis on Dec 31, 2015 7:25:27 AM

About 12 months after Bugcrowd started, one of our team pulled me aside and made a suggestion that truly altered the course of the company:

Bugcrowd Updates

Researcher Spotlight: Jared Perry

Posted by Sam Houston on Dec 14, 2015 5:37:19 AM

This week's Researcher Spotlight is on Jared Perry, a researcher in Canada with a 100% acceptance rate and an average priority of 2.78. Jared's path to bug bounties shows how important it can be to network and connect with other bug bounty hunters in the community.

Researcher Profiles

New Bug Bounty! Revel POS iPad Application

Posted by Payton O'Neal on Dec 9, 2015 10:22:51 AM

We’re stoked to announce that our neighbor and friend, Revel Systems, has launched their first public bug bounty program!

New Program Announcements

Researcher Spotlight: Justin Steven

Posted by Sam Houston on Dec 7, 2015 4:34:41 AM

With Bugcrowd's roots in Australia, it's always a great time to work with the security community from down under. Australia has some of the best infosec talent around, and this week's Spotlight is on one of their bug bounty hunters: Justin Steven.

Researcher Profiles

October & November 2015 Hall of Fame

Posted by Kymberlee Price on Dec 2, 2015 9:11:12 AM

Bugcrowd is excited to announce our October & November 2015 Hall of Fame winners! To thank our top performers for their hard work, Bugcrowd is pleased to announce that six researchers will receive bonuses for their performance.

Bugcrowd Updates

Researcher Spotlight: Darkarnium

Posted by Sam Houston on Nov 30, 2015 5:03:20 AM

It's only been 5 months since Darkarnium joined Bugcrowd, but in that short time he's shot his way up our all-time leaderboard to #113 and impressed us all with his 100% acceptance rate and 1.5 average priority. Darkarnium is a bit of a "sniper": the bugs he submits are often high priority and high impact.

Researcher Profiles

3 Years since Bugcrowd's First Bug Bounty!

Posted by Payton O'Neal on Nov 20, 2015 1:57:37 AM

Three years ago today we launched our very first bug bounty on “a nifty web app!”

[see the original post here]

What started as just a web form submission for Bugcrowd's first bug bounty testing program in 2012 has evolved into an awesome and ever improving platform, a dynamic community of the best security researchers in the world, and a group of customers that are innovating application security testing alongside us.

During that evolution, we’ve learned a lot, built a lot, and iterated A LOT. The cornerstone to that learning has been our own programs. We run our own bug bounty programs because we believe in what we do. That...
  • coordinated disclosure is a must have for application security
  • our relationship with the security research community is invaluable
  • channeling security feedback to engineering teams is important
  • there are many different ways to engage the crowd

We believe in bug bounties, and have relied on our crowd to deliver high quality testing, as the 15 person startup we once were, and as the growing enterprise company we are now. We’ve done this in a variety of ways as we’ve evolved the bug bounty concept.

Bugcrowd's Bug Bounty Program Evolution:
Bugcrowd’s bug bounties have looked and behaved in many different ways in the past 3 years. We kicked off our first bug bounty as a time-boxed, open program with a cash reward pool on a web app designed specifically for bounty testing. The second program launch was also a time-boxed, kudos-only program. Thus the birth of Bugcrowd Kudos!

In September 2013 we rolled out our first bug bounty on bugcrowd.com, a public ongoing program with cash rewards.

Our first private Flex on Crowdcontrol, our vulnerability management platform, was launched earlier this year, when we invited 100 of our best researchers for what was essentially a 2-week crowdsourced penetration test. With phenomenal results that you can read as part of our upcoming case study, we closed the program, implemented fixes for valid submissions and paid out lots of cash.

Since then we’ve run subsequent Flex Programs in tandem with our major releases, wherein our minimum reward prize has been $500 with a max of $5,000. This continuous, private testing offers us a more focused researcher pool that specializes in the skill-sets relevant to our product.

The above diagram shows our ideal testing cycle wherein we run a public bounty on our website and researcher portal, implement private ongoing testing on Crowdcontrol, and time-boxed tests in sync with product releases.

Using our own product allows us to experience and understand how security feedback fits into the product lifecycle and helps us build features that improve the vulnerability management workflow for our customers. As a security company, it is critically important that we keep our customers’ data safe. By building and using our own product we can better understand how to achieve that.

Thanks for joining us in achieving our goal of creating safer software, and a safer Internet. Be sure to read more about the Bugcrowd bounty programs and check out all of our public programs.

Get the case study on December 3rd.
Bugcrowd Updates

Researcher Thanks-Giveaway

Posted by Sam Houston on Nov 19, 2015 11:00:45 PM
Today marks Bugcrowd's 3-year anniversary of launching our first bounty program. We've come a long way over these few years, and we couldn't have done it without our amazing researcher community.

Bugcrowd Updates
