The new version of Qualys Web Application Scanning, WAS 5.7, adds an integration with Bugcrowd for centralized viewing and triaging of both WAS automated vulnerability detections and vulnerabilities submitted by Bugcrowd’s approved security researchers.
The SecureDrop engineering team welcomes the contributions of security researchers. SecureDrop is relied on by sources to talk with journalists at dozens of news organizations, many of whom are taking significant risks to bring information to the public eye. We want to do everything we can to make the whistleblowing process as safe for them as possible. Testing by external security researchers is an important part of that process. In order to minimize risk to SecureDrop users throughout the security research process, in this post we will describe how to ethically perform security research on SecureDrop and what constitutes acceptable and unacceptable behavior.
Our driving purpose at Ibotta is to reward our users with cash rebates that make a difference in their lives. They have entrusted their earnings with us, and it’s our responsibility to do our best to safeguard their accounts.
We’re excited to announce our bug bounty program is moving from private to public! Dash is opening up its doors to more than 60,000 registered and verified Bugcrowd security experts around the world to detect issues on behalf of Dash and be rewarded in bug bounty payments. That means more vulnerabilities are discovered and fixed, and we’re all more secure as a result.
At Atlassian, security is baked into the product development lifecycle. We employ an entire team of security engineers who build threat models, review code, and test our systems. Building and maintaining products that keep our customers safe is a team effort.
Posted originally on by Stuart Hirst on Skyskanner's Code Voyager Blog
Skyscanner has a culture of innovation and continuous improvement. For our IT security function, the ‘Security Squad’, it is no different. External security testing had previously taken the form of standard penetration testing, which brought considerable value and helped improve security posture. However, our Squad wanted to look at new ways of testing the products that we help secure on a daily basis. In early 2015, we began to investigate the possibility of a crowd-sourced testing mechanism.
Return on Investment - ROI. Sales departments have to show it, marketing departments have to show it, and of course, security departments do too. At the end of the day we all need to show where the dollars are going, and security teams have the additional burden of correlating those dollars spent with the elimination of risk - or the perceived elimination of risk.
This post was contributed by Frans Rosen, Bug Bounty Hunter and Knowledge Advisor at Detectify
TLDR: Sometimes you just need to spend a couple of months to exploit a XSS with a hygiene product.
For a couple of months this specific bug was on my "check later" list. I later reported it to the company running a private bug bounty. I had been messing with it back and forth and was never been able to do something that actually made sense – and as soon as I had some progress – a new obstacle came crashing in my face. After a few months returning to the same endpoint, I was finally able to create a PoC to show that a security issue was present.
It's a freaking XSS, but hey, the story is what counts, right..? :)