In this post, I will provide a brief overview of the anatomy of a mobile penetration test, and cover the first step in getting started with mobile testing on an Android device. My goal is to help folks that are new to mobile testing break the barrier of getting started, and debunk the assumption that mobile application testing is too difficult.
Earlier this year, I wrote extensively about vulnerability disclosure policies and benefits as well as how trust impacts the disclosure process between researchers and vendors. While writing these posts, I looked for publicly available (free!) literature on product security incident response (PSIRT) processes to share. I thought I’d find vendors publishing their PSIRT best practices on operations or how to publish an advisory, but 99% of what I found was network incident response focused and not relevant for application or product security teams. I suddenly realized that despite all my years working in a PSIRT, I'd never published any operational guidance that would help other defenders learn from my experiences - and it was time to change that.
Bugcrowd is excited to announce our July 2016 Hall of Fame winners! Apologies for the delay in posting this, but we spent all last week in Las Vegas at Black Hat/DEFCON (you can read all about it here)!
Once again, mert has topped the June leaderboard with his amazing work across our platform. Following up, we're happy to have VINOTHKUMAR in second place, and krbtgt rounding out the top three. To thank our top performers for their hard work, Bugcrowd is pleased to announce that all three researchers will receive bonuses for their performance.
Now that we've rested our feet, drank some water, and adjusted from the Las Vegas time warp, we thought we'd give a brief recap of our week. In the six days we spent boots down in Vegas, we caught some great talks with some of our favorite people, threw, sponsored and attended awesome events, and as always, met amazing folks from the InfoSec community.
This week's Big Bugs podcast is near and dear to my heart, combining three of my favorite things: mobile hacking, gaming, and security in general. In this episode, I'll start by giving a brief history of Niantic and Pokemon Go and review some of the few technical issues that the game has experienced. The bulk of this podcast will be focused on how the hacking scene found ways to reverse engineer the game, and of course some tips and tricks so you can catch 'em all.
It's a bit longer than the usual Big Bugs podcast, but I feel like it's well worth it, as the Pokemon Go phenomenon has been amazing to experience and be part of. Below the recording, I've included some notes to accompany this episode, and resources referenced as well.
Subscribe to our Bugcrowd Podcast RSS feed here: bgcd.co/bcpodcastrss
Crowdcontrol’s new ‘Insights’ dashboard provides insightful metrics into your bug bounty program performance. This is just the first step we are taking in bringing you the right metrics to initiate scalable actions and provide meaningful reports for your security team, development team and the people who write the checks.
In April we announced a Mobile bonus reward program for researchers that submitted valid, non-duplicate mobile vulnerabilities for a chance to win $1000, and in early June we expanded the program to two bonuses. We are excited to announce our two winners, and congratulate putsi and robinooklay for their mobile submissions!
2015 was the year the public perception of automobile safety changed forever… Chris Valasek and Charlie Miller’s notorious Jeep Cherokee hack transformed the idea of the humble automobile into a 2-tonne computer that can be hacked just like any other. In recent years, automakers are realising that hackers just like Charlie and Chris are already at the table, ready and willing to help, and are leveraging the work coming out of this community to make their products safer from cyber threats.
We are excited to announce that Fiat Chrysler Automobiles is joining the ranks of those pioneering this relationship, by becoming one of the first automakers to launch a bug bounty program.
Bugcrowd is excited to announce our June 2016 Hall of Fame winners! Apologies for the delay in posting this, but I'm sure you've all seen that we're pretty busy planning big things for Black Hat + DEFCON this August.
Once again, mongo has topped the June leaderboard with his amazing work across our platform. Following up, we're happy to have mert in second place, and Web_Plus rounding out the top three. To thank our top performers for their hard work, Bugcrowd is pleased to announce that all three researchers will receive bonuses for their performance.