Bugcrowd Blog

Bugcrowd Integration Now Available in Qualys Web Application Scanning

Posted by Dave Ferguson on Oct 18, 2017 8:53:33 AM

The new version of Qualys Web Application Scanning, WAS 5.7, adds an integration with Bugcrowd for centralized viewing and triaging of both WAS automated vulnerability detections and vulnerabilities submitted by Bugcrowd’s approved security researchers.

Guest Blog, Bugcrowd News

Ethical Security Research on SecureDrop

Posted by Jennifer Helsby, SecureDrop on Sep 19, 2017 11:05:00 AM

The SecureDrop engineering team welcomes the contributions of security researchers. SecureDrop is relied on by sources to talk with journalists at dozens of news organizations, many of whom are taking significant risks to bring information to the public eye. We want to do everything we can to make the whistleblowing process as safe for them as possible. Testing by external security researchers is an important part of that process. In order to minimize risk to SecureDrop users throughout the security research process, in this post we will describe how to ethically perform security research on SecureDrop and what constitutes acceptable and unacceptable behavior.

Guest Blog, Program Launches

Moving Fast with Security

Posted by Ron White on Sep 18, 2017 10:15:00 AM

Our driving purpose at Ibotta is to reward our users with cash rebates that make a difference in their lives. They have entrusted their earnings with us, and it’s our responsibility to do our best to safeguard their accounts.

Guest Blog, Case Studies

Dash Elevates its Bug Bounty Program from Private to Public

Posted by Jim Bursch on Sep 6, 2017 6:02:00 AM

We’re excited to announce our bug bounty program is moving from private to public! Dash is opening up its doors to more than 60,000 registered and verified Bugcrowd security experts around the world to detect issues on behalf of Dash and be rewarded in bug bounty payments. That means more vulnerabilities are discovered and fixed, and we’re all more secure as a result.

Guest Blog, Bugcrowd News, Program Launches

Why We’re Letting 60,000 Bugcrowd Security Researchers Ethically Hack Us

Posted by Matthew Hart on Jul 12, 2017 9:04:47 AM

At Atlassian, security is baked into the product development lifecycle. We employ an entire team of security engineers who build threat models, review code, and test our systems. Building and maintaining products that keep our customers safe is a team effort.

Guest Blog, Program Launches

[Guest Blog] Bugcrowd’s Buggy Awards: Fitbit Takes Two!

Posted by Bugcrowd on Mar 16, 2017 12:13:04 PM

Appeared originally on the Fitbit Engineering Blog

Guest Blog

Guest Blog: Barracuda Bug Bounty Program Shifts to the Cloud

Posted by Payton O'Neal on Nov 17, 2016 9:36:54 AM

Posted originally on November 14 by Dave Farrow, Senior Director, Information Security at Barracuda Networks.

Guest Blog

[Guest Blog] Skyscanner's Adventures in Bug Bounties

Posted by Payton O'Neal on Apr 27, 2016 11:07:19 AM

Posted originally by Stuart Hirst on Skyscanner's Code Voyager Blog

Skyscanner has a culture of innovation and continuous improvement. For our IT security function, the ‘Security Squad’, it is no different. External security testing had previously taken the form of standard penetration testing, which brought considerable value and helped improve security posture. However, our Squad wanted to look at new ways of testing the products that we help secure on a daily basis. In early 2015, we began to investigate the possibility of a crowd-sourced testing mechanism.

Guest Blog, Running Your Own Program, Case Studies

Bug Bounties and NGWAF: 1+1=3

Posted by Payton O'Neal on Apr 22, 2016 11:02:07 AM

Return on Investment - ROI. Sales departments have to show it, marketing departments have to show it, and of course, security departments do too. At the end of the day we all need to show where the dollars are going, and security teams have the additional burden of correlating those dollars spent with the elimination of risk - or the perceived elimination of risk.

Interesting, Guest Blog

[Guest Blog] Using a Braun Shaver to Bypass XSS Audit and WAF by Frans Rosen, Detectify

Posted by Sam Houston on Apr 19, 2016 1:12:14 PM

This post was contributed by Frans Rosen, Bug Bounty Hunter and Knowledge Advisor at Detectify

TLDR: Sometimes you just need to spend a couple of months to exploit an XSS with a hygiene product.

For a couple of months this specific bug was on my "check later" list. I later reported it to the company running a private bug bounty. I had been messing with it back and forth and was never able to do something that actually made sense – and as soon as I had some progress – a new obstacle came crashing in my face. After a few months of returning to the same endpoint, I was finally able to create a PoC to show that a security issue was present.

It's a freaking XSS, but hey, the story is what counts, right..? :)

Guest Blog, Bug Hunter Tips and Tricks