Bugcrowd Blog

Big Bugs Podcast Episode 3: $15K for IoT Device Takeover

Posted by Jason Haddix on Jun 27, 2016 12:17:50 PM

Today we published the third episode of our podcast series 'Big Bugs' hosted by me. In this episode, embedded in this post and available on SoundCloud, I am joined by special guest Adam Hartway of Digital Safety (DiSa) to explore a $15K bug uncovered in their winner-takes-all bug bounty program.

Read More

Sandbagging, 'Sneakers' and Steganography: Bugcrowd's First Internal CTF

Posted by Leif Dreizler on Jun 24, 2016 4:19:04 PM

In early February Bugcrowd ran a CTF for its internal employees. The CTF was created and managed by our very own Director of Technical Operations, Jason Haddix. Haddix has been a part of many successful CTFs, both as a participant and organizer. He drew from his technical expertise and knowledge of hacker culture to make a fun and engaging CTF for Bugcrowd employees.

Read More

Podcast - An Inside Look at the Crowd with Frans Rosen & Sam Houston

Posted by Sam Houston on May 31, 2016 1:45:44 PM

For me, one of the most enjoyable aspects of the security industry is the security community. The relationships I've been fortunate enough to build over the past couple of years have made this job very rewarding and, of course, a ton of fun. I recently had the chance to record a podcast discussion with Frans Rosen, founder of Detectify and active bug bounty hunter, to discuss our experiences in the security community:

Read More

Big Bugs Podcast Episode 2: ImageTragick Up Close

Posted by Jason Haddix on May 27, 2016 10:14:28 AM

This morning we released the second episode of our new podcast series 'Big Bugs' hosted by me. This episode, embedded in this post and available on SoundCloud, takes a look at the recently popularized bug, ImageTragick. I discuss the detection and remediation timeline of the widespread bug in the image processing suite, ImageMagick, as well as the implications it has for developers and researchers.

Read More

How Crowdsourcing Increases The Quality of A Product

Posted by Katrina Rodzon on May 13, 2016 12:24:05 PM

Crowdsourcing isn't the new kid on the block anymore. Most people know the value of outsourcing to a crowd to receive a wider breadth of resources, perspectives or expertise. More recently though, companies large and small have been turning to crowds to add quality to their product, whether it's functionality, design, utility, or even security. Even so, when I tell people about Bugcrowd and crowdsourced security testing, they commonly ask:

I can see the importance of crowdsourcing for resource constrained companies that don’t have the headcount for a full security team, but how would any large company benefit from that type of model? Wouldn’t they be able to hire the needed experts in-house?

Read More

Big Bugs Podcast Episode 1: Auto Bugs - Critical Vulns found in Cars with Jason Haddix

Posted by Jason Haddix on Apr 29, 2016 3:09:01 PM

Today we released the first episode of our new podcast series 'Big Bugs' hosted by me. Our first episode, embedded in this post and available on SoundCloud, provides an introduction to the car hacking space. With case studies of successful attacks and research from past years, I also provide some technical resources for testing as well as technical resources for developers. Enjoy!

Read More

Bug Bounties and NGWAF: 1+1=3

Posted by Payton O'Neal on Apr 22, 2016 11:02:07 AM

Return on Investment - ROI. Sales departments have to show it, marketing departments have to show it, and of course, security departments do too. At the end of the day we all need to show where the dollars are going, and security teams have the additional burden of correlating those dollars spent with the elimination of risk - or the perceived elimination of risk.

Read More
Interesting, Guest Blog

The Benefits of Public Disclosure

Posted by Kymberlee Price on Mar 9, 2016 4:09:46 PM

As we discussed in the first blog post of this series, Bugcrowd believes that public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process, and encourages organizations and researchers to work together to share information in a coordinated and mutually agreed-upon manner. But why? To quote Bruce Schneier,

"Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it."

Read More
Interesting, Bug Hunter Tips and Tricks

First Annual Buggy Awards Recap

Posted by Payton O'Neal on Mar 7, 2016 11:38:42 AM

Earlier today we held the First Annual Buggy Awards hosted by our CEO and Founder Casey Ellis, our Director of Customer Success Abby Mulligan, and our Sr. Director of Researcher Operations Kymberlee Price. The aim of these awards was to honor the top bug hunters and companies running bounty programs in 2015. These two groups of people are essential to our company's success and are advancing the bug bounty and vulnerability disclosure space.

Read More
Interesting, Bugcrowd News

On the U.S. Government and Bug Bounties

Posted by Casey Ellis on Mar 2, 2016 2:07:02 PM

My favorite thing about going to conferences is establishing the underlying trends behind the questions I’m asked. We’re only half-way through RSAC/BSides week, and already the dominant question is clear:

When is the government going to start a bug bounty program?

Here’s my answer:

The government has no choice but to adopt a crowdsourced model for vulnerability discovery; it's more a question of when the pain of staying the same will exceed the pain of change.

Read More
Interesting, Conferences