Bugcrowd Blog

Jason Haddix

Father, hacker, Head of Trust and Security at Bugcrowd, blogger, & nerd.

Recent Posts

Big Bugs | Episode 6: API Security and the Internet of Things w/ Fitbit

Posted by Jason Haddix on Sep 30, 2016 9:59:00 AM

The unprecedented growth and adoption of connected devices have created innumerable threats for organizations, manufacturers, and consumers, while at the same time creating unprecedented opportunities for hackers. In this episode of Big Bugs, Jason Haddix joins Fitbit’s security team to explore what it takes to effectively hack connected devices through APIs, and how the role of defenders has evolved in this domain. 

The speakers explore the growing prevalence of connected devices in our lives, the use of APIs, the increasing importance of API testing in its new form (REST versus older XML-based testing), and how it's a valuable skill set for researchers as well as organizations.


Big Bugs | Episode 5: Big XSS–Not an Oxymoron

Posted by Jason Haddix on Aug 29, 2016 6:40:25 PM

Over the past 10+ years, Cross-Site Scripting has made its way into just about every ‘top-ten vulnerability’ list and has consistently starred in headlines and POCs. XSS vulnerabilities are also commonly submitted through bug bounty programs, and many write them off as ‘low hanging fruit.’ We’re here to tell you that not all XSS are created equal.

This episode of Big Bugs examines the reason we're experiencing XSS-Fatigue, some examples of high impact XSS bugs found in the wild, and resources for defenders and offenders.


Big Bugs Podcast Episode 4: Fun and Hacking with Pokemon Go!

Posted by Jason Haddix on Jul 29, 2016 2:30:11 PM

This week's Big Bugs podcast is near and dear to my heart, combining three of my favorite things: mobile hacking, gaming, and security in general. In this episode, I'll start by giving a brief history of Niantic and Pokemon Go and review some of the technical issues the game has experienced. The bulk of this podcast will be focused on how the hacking scene found ways to reverse engineer the game, and of course some tips and tricks so you can catch 'em all.

It's a bit longer than the usual Big Bugs podcast, but I feel like it's well worth it, as the Pokemon Go phenomenon has been amazing to experience and be part of. Below the recording, I've included some notes to accompany this episode, and resources referenced as well.

Subscribe to our Bugcrowd Podcast RSS feed here: 


Big Bugs Podcast Episode 3: $15K for IoT Device Takeover

Posted by Jason Haddix on Jun 27, 2016 12:17:50 PM

Today we published the third episode of our podcast series 'Big Bugs', hosted by me. In this episode, embedded in this post and available on SoundCloud, I am joined by special guest Adam Hartway of Digital Safety (DiSa) to explore a $15K bug uncovered in their winner-takes-all bug bounty program.


Big Bugs Podcast Episode 2: ImageTragick Up Close

Posted by Jason Haddix on May 27, 2016 10:14:28 AM

This morning we released the second episode of our new podcast series 'Big Bugs', hosted by me. This episode, embedded in this post and available on SoundCloud, takes a look at the recently popularized bug, ImageTragick. I discuss the detection and remediation timeline of the widespread bug in the image processing suite ImageMagick, as well as the implications it has for developers and researchers.


Big Bugs Podcast Episode 1: Auto Bugs - Critical Vulns found in Cars with Jason Haddix

Posted by Jason Haddix on Apr 29, 2016 3:09:01 PM

Today we released the first episode of our new podcast series 'Big Bugs', hosted by me. Our first episode, embedded in this post and available on SoundCloud, provides an introduction to the car hacking space. Alongside case studies of successful attacks and research from recent years, I also provide some technical resources for testing as well as technical resources for developers. Enjoy!


First Update to our Vulnerability Rating Taxonomy

Posted by Jason Haddix on Mar 25, 2016 10:22:11 AM

Over a month ago, Bugcrowd published its Vulnerability Rating Taxonomy (VRT). We created the VRT to expose the community to common technical priority ratings for certain classes of bugs. Since its release, we have received a tremendous amount of feedback.

Based on this feedback, we have divided the Cross-Site Scripting (XSS) entries to provide additional granularity that captures priority variations for XSS within applications with multiple user privilege levels.


Finding An InfoSec Job

Posted by Jason Haddix on Jul 27, 2015 2:00:02 AM

A lot of organizations out there are looking for talented hackers right now. Defense, offense, Ops, Dev, you name it: if you have skills, then someone is probably looking for you! The problem doesn't seem to be the *need* but the lack of a concise way of finding and getting these positions. Here are a few notes and resources we love for helping connect awesome researchers with awesome companies (it's kind of a thing we do here).


Top 3 Mobile App Security Threats + How to Test for Them

Posted by Jason Haddix on Jul 10, 2015 7:06:42 AM

Mobile devices are relatively new to the connected world, yet the issues surrounding mobile app security have proven much more complex than those around web applications when it comes to threat modeling. With mobile, it's not just about the code running on the device; security depends heavily on device security, taking into account different versions, interfaces, platforms, and device integrity (e.g. whether the device is jailbroken).


Hacking With Burp Suite

Posted by Jason Haddix on Jun 29, 2015 2:00:29 AM

Bugcrowd loves its researcher and technical community. One responsibility we feel we have here is to empower that community. As part of this effort we plan to roll out some free training and professional development material. These videos will be free of charge and are aimed at exploring useful practices in application security. This is part of a larger initiative we are planning at Bugcrowd (more on that later).
