Bugcrowd Blog

Risk and Liability Concerns - Your Questions Answered

Posted by Jason Pitzen on May 23, 2016 11:13:40 AM

I’ve worked in the security industry now for about seven years, and in the responsible disclosure space for the last two and a half years. In that time I’ve heard and answered just about every question regarding legal, compliance and regulatory controls around vulnerability disclosure and bug bounties.

Bugcrowd’s goal from the beginning has been to utilize an incredibly efficient platform to facilitate the responsible disclosure of security vulnerabilities between organizations and the researcher community. That having been said, we understand that working with an incredibly savvy workforce of independent talent may raise some concerns, and it may surprise you to learn that the same goes for the researcher community. So whether you yourself have concerns, or your internal legal department does, we want to arm you with both logical justification and legal safety nets to put your mind at ease.

Running Your Own Program

Researcher Spotlight - Fuzzybear

Posted by Sam Houston on May 18, 2016 2:57:55 PM

Fuzzybear is #43 on the community leaderboard, with a 100% acceptance rate and an average bug priority of 2.55. In the short time he's been on Bugcrowd and in bug bounties he has done quite well, successfully finding 65 bugs on Bugcrowd bug bounties, most of which were found through private bug bounty programs. He also has one of my favorite usernames in the community!

Read below for our interview with Fuzzybear, where he shares some great practical advice for researchers.

Researcher Profiles

Jet.com Increases Rewards to Match the Market Rate of Security Bugs

Posted by Payton O'Neal on May 17, 2016 4:48:04 PM

At the beginning of this year we released our ‘Defensive Vulnerability Pricing Model’ that answers the question “what’s a bug worth?”. This guide outlines how much organizations should budget for crowdsourced security programs, and what reward ranges attract the right talent. In short, this guide, informed by tens of thousands of vulnerability submissions and years of running public and private crowdsourced security programs, set the first market rates for security vulns by criticality, and now organizations are beginning to adopt this guidance.

Running Your Own Program, New Program Announcements

How Crowdsourcing Increases The Quality of A Product

Posted by Katrina Rodzon on May 13, 2016 12:24:05 PM

Crowdsourcing isn’t the new kid on the block anymore. Most people know the value of outsourcing to a crowd to receive a wider breadth of resources, perspectives or expertise. More recently though, companies large and small have been turning to crowds for additional quality to their product - whether it’s functionality, design, utility, or even security. Even so, commonly, when I tell people about Bugcrowd and crowdsourced security testing, they usually ask:

I can see the importance of crowdsourcing for resource constrained companies that don’t have the headcount for a full security team, but how would any large company benefit from that type of model? Wouldn’t they be able to hire the needed experts in-house?

Interesting

As Cyber Attacks in the Financial Sector Increase YoY, Organizations Move towards Utilizing the Crowd

Posted by Brooke Motta on May 11, 2016 12:34:22 PM

During FS-ISAC last week, we had our ears to the ground, chatting with security folks about their concerns, challenges and hopes for application security testing and have set out to distill some of our observations and data to discuss the state of application security in the financial sector.

Running Your Own Program

Researcher Spotlight - Mico

Posted by Sam Houston on May 10, 2016 8:30:00 AM

This week’s Researcher Spotlight is on Mico! Mico ranks #5 on Bugcrowd’s leaderboard with over 1926 kudos points, 266 bugs found, a 91% acceptance rate and an average bug priority of 2.92. In a relatively short period of time we’ve seen Mico climb his way up the charts. Mico can be found on Bugcrowd and you can follow him on Twitter at @bugtest0101.

Take us back to your early days, what got you started with technology?

Researcher Profiles

April 2016 Leaderboard

Posted by Dana Daigle on May 4, 2016 11:57:14 AM

Time for the April Hall of Fame announcement of 2016! Big recognition once again goes to mongo, who topped the April leaderboard with an astounding 1039 points earned through multiple P1 submissions.

Bugcrowd Updates

How to Write a Clear and Thoughtful Scope, A Deep Dive

Posted by Grant McCracken on May 2, 2016 4:56:47 PM

We recently published a comprehensive but abbreviated guide, 'Anatomy of a Bounty Brief', which explores each part of a bounty program brief and how organizations can write them more clearly and thoughtfully. We also recently wrote about how important it is to consider 'step zero' prior to launching your program, to ensure that your organization has the necessary resources and is fully prepared to run a successful program.

Once you've identified that you and your organization are ready to commit the necessary time and resources to running a bug bounty program, it's time to start building out your program brief. The first step of that is setting the program scope.

Running Your Own Program

Big Bugs Podcast Episode 1: Auto Bugs - Critical Vulns found in Cars with Jason Haddix

Posted by Jason Haddix on Apr 29, 2016 3:09:01 PM

Today we released our first episode of our new podcast series 'Big Bugs' hosted by me. Our first episode, embedded in this post and available on SoundCloud, provides an introduction to the car hacking space. With case studies of successful attacks and research from the past years, I also provide some technical resources for testing as well as technical resources for developers. Enjoy!

Interesting

Calling all Mobile Researchers!

Posted by Kymberlee Price on Apr 28, 2016 10:00:00 AM

Over the last year Bugcrowd has seen a dramatic increase in the number of bounty programs that feature mobile app (iOS and Android) targets. Whether you have mobile skills or just want to expand from web app to mobile app bug hunting, Bugcrowd has several public programs and numerous private programs available for you to hack on for fun and profit. We want you, which is why we're running a limited time contest for all mobile vulns.

Bugcrowd Updates