At the beginning of the year, we made a decision to put some stakes in the ground.
We decided it was time to talk, write, argue, and share about sides of the bug bounty space that we interact with every day, but would otherwise rarely see the light of day... The kinds of things that some would consider as Bugcrowd's "secret sauce."
Why? Read on.
We have a few simple goals...
- Invite and encourage more of the world's leading companies to embrace the creativity, power, and passion of the many thousands of white-hats in the world
- Leverage these relationships to create better security feedback between people who build and defend, and those who's skill is to think like an attacker
- Increase the quality and volume of submissions, to increase liquidity to the white-hat hacker community and see more budding hackers-in-waiting enter the space
Towards these goals, over Q1 we cranked out a fair bit of content, and released some handy new tools...
- We drew a line in the sand when it comes to the question "What's a bug worth?" setting the first ever market rate of bugs based on priority and companies' security maturity with our Defensive Vulnerability Pricing Model
- Shared our internally developed Vulnerability Rating Taxonomy to show the technical impact and priority of specific bug types and classes
- Supported and helped explain the reasons researchers want to publicly disclose their findings, and the benefits of authorized coordinated disclosure
- Spoke alongside Facebook, Microsoft, Google and Mozilla at Nullcon for the first ever "Bounty Craft" Track, which focused on increasing quality reports coming out of the booming Indian hacker community
- Promoted clear communication and expectation setting between hackers and companies by showing the influence of bounty briefs as informal contracts, and setting practical steps and guidelines in our "Anatomy of a Bounty Brief"
As one of a handful of players in an up-and-coming space that is rapidly maturing and gaining traction, we took it upon ourselves to start the conversation, and take on the responsibility to advocate for and support this "unlikely romance" between these two groups of people who desperately need each other, but historically suck at getting along.
By aligning expectations on both sides and encouraging efficient communication, both parties can continue to work together to achieve one common goal; creating confidence in the face of a hostile Internet.
Happy end of quarter to those in business, and to the hackers that are helping them!