2016 was a big year for our researcher community, which nearly doubled in size to provide our customers access to an even bigger pool of the best hackers in the world. We also saw a 287% increase in researcher payouts and a 66% increase in average size of payouts.
We know that security researchers have many options when it comes to participating in bug bounty programs, which is why we are so proud to have some of the best researchers in the world participating in bounty programs on the Bugcrowd platform. Throughout the year, we show our appreciation in many ways, from monthly performance bonuses to private parties and events, SWAG, and more.
Today we are excited to publicly announce a new annual reward program for Bugcrowd community members who consistently submit the highest impact vulnerabilities to Bugcrowd bounty programs.
Earlier this year, I wrote extensively about vulnerability disclosure policies and their benefits, as well as how trust impacts the disclosure process between researchers and vendors. While writing these posts, I looked for publicly available (free!) literature on product security incident response (PSIRT) processes to share. I thought I'd find vendors publishing their PSIRT best practices on operations or how to publish an advisory, but 99% of what I found was focused on network incident response and not relevant for application or product security teams. I suddenly realized that despite all my years working in a PSIRT, I'd never published any operational guidance that would help other defenders learn from my experiences, and it was time to change that.
The one month countdown to both Black Hat USA and DEFCON has officially started, and we have a lot planned for both the Crowd and our customers this August. There are many more announcements to follow, but this is one that can't wait.
Over the last year Bugcrowd has seen a dramatic increase in the number of bounty programs that feature mobile app (iOS and Android) targets. Whether you have mobile skills or just want to expand from web app to mobile app bug hunting, Bugcrowd has several public programs and numerous private programs available for you to hack on for fun and profit. We want you! That is why we're running a limited time contest for all mobile vulns.
This March I had the opportunity to travel to India and speak at the Nullcon security conference as part of the first Bounty Craft Track - 1.5 days devoted entirely to the art of bug bounty hunting with researchers and members of the security teams from Bugcrowd, Microsoft, Google, Facebook, and Mozilla. This was a great opportunity for vendors and researchers to engage in interactive conversations, and to share techniques and war stories. And it was awesome to meet dozens of our Crowd members in person, including two of our 2016 Buggy Award winners, Harie_cool and Vishnu_Vardhan_Reddy!
Bugcrowd is excited to partner with Microsoft, Facebook, Google, and Mozilla at Nullcon 2016 for the first ever "Bounty Craft" Track - 1.5 days devoted entirely to the art of bug bounty hunting.
With the explosive growth of the security research community in India, Nullcon provides a great opportunity for vendors and researchers to engage in interactive conversations, and to share techniques and war stories. If you're attending Nullcon, we hope you'll join us tonight and tomorrow!
As we discussed in the first blog post of this series, Bugcrowd believes that public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process, and encourages organizations and researchers to work together to share information in a coordinated and mutually agreed upon manner. But why? To quote Bruce Schneier,
"Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it."
To disclose, or not to disclose...
When it comes to disclosure, Bugcrowd encourages organizations and researchers to work together to share information in a coordinated and mutually agreed upon manner. Our Standard Disclosure Terms and Researcher Code of Conduct outline our public disclosure policy, but each organization defines its own public disclosure policy for vulnerabilities reported through its bounty program. This document is intended to explain the disclosure options at Bugcrowd to both customers and Crowd members.