Earlier this month, the National Institute of Standards and Technology’s (NIST) cybersecurity framework released a revision (1.1, Draft 2) of its Framework for Improving Critical Infrastructure Cybersecurity. The new release now includes vulnerability disclosure processes as part of the Framework Core (on page 43).
Several recently published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Google’s Project Zero has provided exploits that work against real software.
"How does a bug bounty fit into my SDLC?" This is a question we hear all the time. While the obvious answer is that it can augment or replace much of your current manual and automated testing, the actual answer is simpler: “bug bounties fit into and support your SDLC each step of the way.”
We recently contributed to the Department of Commerce’s request for public comment on its “Green Paper” with Rapid7, Duo Security, Electronic Frontier Foundation, Center for Democracy & Technology, Global Cyber Alliance and many others that we hope will bolster a more transparent approach to securing the Internet of Things.
Today, I’m pleased to announce a partnership and bi-directional integration with Qualys. This integration – the first of its kind – allows our joint customers to easily share vulnerability data between our platforms.
If you’ve been paying attention to your Bugcrowd researcher profile, you may have noticed it was recently updated with an Accuracy metric.
Recently, an application-layer vulnerability known as OAuth "Covert Redirect" was publicly disclosed and brought to mainstream attention. It was initially hailed in the media as another Heartbleed, and then quickly poo poo’d as overhyped.
We’re regularly asked how Bugcrowd determines if a bug bounty submission is rewardable. Today, as we approach 10,000 submissions, and as part of Bugcrowd’s commitment to transparency, we’re shedding some light on our submission evaluation process.
Recently, a 16-year-old Melbourne boy exposed web application weaknesses within Australia’s Public Transport Victoria (PTV) systems and showed that personal data of a significant number of citizens was compromised. Shortly thereafter, PTV made it clear they were investigating and that the researcher could be charged under the cybercrime act. The details of this case should be of interest to anyone doing security research and vulnerability disclosure today.