Bugcrowd Blog

Big Bugs Podcast Episode 1: Auto Bugs - Critical Vulns found in Cars with Jason Haddix

Posted by Jason Haddix on Apr 29, 2016 3:09:01 PM

Today we released our first episode of our new podcast series 'Big Bugs' hosted by me. Our first episode, embedded in this post and available on SoundCloud, provides an introduction to the car hacking space. With case studies of successful attacks and research from the past years, I also provide some technical resources for testing as well as technical resources for developers. Enjoy!

Read More
Interesting

Calling all Mobile Researchers!

Posted by Kymberlee Price on Apr 28, 2016 10:00:00 AM

Over the last year Bugcrowd has seen a dramatic increase in the number of bounty programs that feature mobile app (iOS and Android) targets.  Whether you have mobile skills or just want to expand from web app to mobile app bug hunting, Bugcrowd has several public programs and numerous private programs available for you to hack on for fun and profit. We want you! Which is why we're running a limited time contest for all mobile vulns. 

Read More
Bugcrowd Updates

[Guest Blog] Skyscanner's Adventures in Bug Bounties

Posted by Payton O'Neal on Apr 27, 2016 11:07:19 AM

Posted originally on by Stuart Hirst on Skyskanner's Code Voyager Blog

Skyscanner has a culture of innovation and continuous improvement. For our IT security function, the ‘Security Squad’, it is no different. External security testing had previously taken the form of standard penetration testing, which brought considerable value and helped improve security posture. However, our Squad wanted to look at new ways of testing the products that we help secure on a daily basis. In early 2015, we began to investigate the possibility of a crowd-sourced testing mechanism.

Read More
Guest Blog, Running Your Own Program

Bug Bounties and NGWAF: 1+1=3

Posted by Payton O'Neal on Apr 22, 2016 11:02:07 AM

Return on Investment - ROI. Sales departments have to show it, marketing departments have to show it, and of course, security departments do too. At the end of the day we all need to show where the dollars are going, and security teams have the additional burden of correlating those dollars spent with the elimination of risk - or the perceived elimination of risk.

Read More
Interesting, Guest Blog

$15M to Connect Hackers and Companies… Why, and What’s Next?

Posted by Casey Ellis on Apr 20, 2016 1:30:00 PM

Today is a great day for hackers, defenders, Bugcrowd as a company, and for Aussie founders with a dream to execute on the world stage. We’re very proud to have Blackbird Ventures, the same firm that pioneered the Startmate incubator where Bugcrowd began, taking the lead on our $15M Series B alongside existing investors Rally, Costanoa and Paladin. We’re just as pleased to welcome Salesforce Ventures and Industry Ventures to the family.  

Read More
Bugcrowd Updates

[Guest Blog] Using a Braun Shaver to Bypass XSS Audit and WAF by Frans Rosen, Detectify

Posted by Sam Houston on Apr 19, 2016 1:12:14 PM

This post was contributed by Frans Rosen, Bug Bounty Hunter and Knowledge Advisor at Detectify

TLDR: Sometimes you just need to spend a couple of months to exploit a XSS with a hygiene product.

For a couple of months this specific bug was on my "check later" list. I later reported it to the company running a private bug bounty. I had been messing with it back and forth and was never been able to do something that actually made sense – and as soon as I had some progress – a new obstacle came crashing in my face. After a few months returning to the same endpoint, I was finally able to create a PoC to show that a security issue was present.

It's a freaking XSS, but hey, the story is what counts, right..? :)

Read More
Guest Blog, Bug Hunter Tips and Tricks

Researcher Spotlight: Nijagaw

Posted by Sam Houston on Apr 15, 2016 2:19:31 PM

Nicodemo Gawronski, @Nijagaw has been hacking on Bugcrowd bounty programs since mid-2014 and is also a Penetration Tester at Sec-1 in the UK. He is ranked 8th on Bugcrowd’s all time leaderboard and was nominated in the 2015 Bugcrowd Buggy Awards for Most Valuable Hacker which awarded the researchers with overall high activity, low noise, and high impact. He has an acceptance rate of 99.11% and an average priority of 3.09.  

Read More
Researcher Profiles

Starting a Bug Bounty Program, Step Zero

Posted by Grant McCracken on Apr 12, 2016 3:55:31 PM

So you want to run a bug bounty program…

First off, congratulations! You’re on the cutting-edge of security and are in good company, surrounded by giants such as Google and Facebook who've run their own programs for years, as well as other innovators like Tesla , Pinterest, and Dropbox. Chances are, if you're considering starting your own program, you've started to think about what you want to test, and even what you might offer for rewards. Stop! Before you even start taking those steps, consider step zero.

Read More
Running Your Own Program

Fashion Retailer Lyst Launches Bug Bounty Program

Posted by Payton O'Neal on Apr 7, 2016 9:41:00 AM

Yesterday Lyst, an online designer fashion retailer out of London, launched their public bug bounty program with Bugcrowd. As crowdsourced cybersecurity is adopted by a more diverse set of industries, it's encouraging to see companies like Lyst commit to work more closely with the security research community.

Read More
New Program Announcements

March 2016 Leaderboard

Posted by Dana Daigle on Apr 4, 2016 11:12:28 AM

Bugcrowd is excited to announce our March 2016 Hall of Fame winners!  Huge recognition goes to mongo , who has topped the monthly leaderboard for the second month in a row due to his solid string of P1 and P2 submissions! To thank our top performers for their hard work, Bugcrowd is pleased to announce that the following three researchers will receive bonuses for their performance:

Read More
Bugcrowd Updates

Stay in touch with the bug bounty community and on top of latest security news