Bugcrowd Blog

Jonathan Cran

Recent Posts

NIST: Vulnerability Disclosure as a Requirement for Every Organization

Posted by Jonathan Cran on Jan 18, 2018 12:11:38 PM

Earlier this month, the National Institute of Standards and Technology (NIST) released a revision (1.1, Draft 2) of its Framework for Improving Critical Infrastructure Cybersecurity. The new release now includes vulnerability disclosure processes as part of the Framework Core (on page 43).

Thought leadership, Cybersecurity News

Spectre & Meltdown: Quick Fact Sheet

Posted by Jonathan Cran on Jan 4, 2018 3:10:30 PM

Several recently published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Google’s Project Zero has provided exploits that work against real software.
Interesting, Thought leadership

How does a bug bounty fit into my SDLC?

Posted by Jonathan Cran on Apr 4, 2017 2:36:04 PM

"How does a bug bounty fit into my SDLC?" This is a question we hear all the time. While the obvious answer is that it can augment or replace much of your current manual and automated testing, the actual answer is simpler: “bug bounties fit into and support your SDLC each step of the way.”


In Response to the Department of Commerce's "Green Paper"

Posted by Jonathan Cran on Mar 17, 2017 1:24:02 PM

Together with Rapid7, Duo Security, the Electronic Frontier Foundation, the Center for Democracy & Technology, the Global Cyber Alliance and many others, we recently contributed to the Department of Commerce’s request for public comment on its “Green Paper”, a response we hope will bolster a more transparent approach to securing the Internet of Things.

Bugcrowd News

Qualys and Bugcrowd: Automation and the Crowd

Posted by Jonathan Cran on Feb 13, 2017 6:03:00 AM

Today, I’m pleased to announce a partnership and bi-directional integration with Qualys. This integration – the first of its kind – allows our joint customers to easily share vulnerability data between our platforms.


Introducing Bugcrowd's Accuracy Metric

Posted by Jonathan Cran on Oct 24, 2014 2:02:41 AM

If you’ve been paying attention to your Bugcrowd researcher profile, you may have noticed it was recently updated with an Accuracy metric.

Bugcrowd News, Bug Hunter Tips and Tricks

Covert Redirect and Known Issues

Posted by Jonathan Cran on May 6, 2014 11:31:08 AM

Recently, an application-layer vulnerability known as OAuth "Covert Redirect" was publicly disclosed and brought to mainstream attention. It was initially hailed in the media as another Heartbleed, and then quickly pooh-poohed as overhyped.


To reward a bug bounty submission... or not to reward...

Posted by Jonathan Cran on Mar 20, 2014 12:41:02 PM

We’re regularly asked how Bugcrowd determines if a bug bounty submission is rewardable. Today, as we approach 10,000 submissions, and as part of Bugcrowd’s commitment to transparency, we’re shedding some light on our submission evaluation process.

Interesting, Running Your Own Program

Joshua Rogers and Vulnerability Disclosure

Posted by Jonathan Cran on Jan 13, 2014 6:00:28 AM

Recently, a 16-year-old Melbourne boy exposed web application weaknesses within Australia’s Public Transport Victoria (PTV) systems and showed that the personal data of a significant number of citizens was compromised. Shortly thereafter, PTV made it clear that it was investigating and that the researcher could be charged under the cybercrime act. The details of this case should be of interest to anyone doing security research and vulnerability disclosure today.
