Bugcrowd Blog

Product Security Incident Response 101

Posted by Kymberlee Price on Aug 22, 2016 8:23:14 AM

Earlier this year, I wrote extensively about vulnerability disclosure policies and benefits as well as how trust impacts the disclosure process between researchers and vendors. While writing these posts, I looked for publicly available (free!) literature on product security incident response (PSIRT) processes to share. I thought I’d find vendors publishing their PSIRT best practices on operations or how to publish an advisory, but 99% of what I found was network incident response focused and not relevant for application or product security teams. I suddenly realized that despite all my years working in a PSIRT, I'd never published any operational guidance that would help other defenders learn from my experiences - and it was time to change that. 

Read More
Interesting

Big Bugs Podcast Episode 4: Fun and Hacking with Pokemon Go!

Posted by Jason Haddix on Jul 29, 2016 2:30:11 PM

This week's Big Bugs podcast is near and dear to my heart, combining three of my favorite things: mobile hacking, gaming, and security in general. In this episode, I'll start by giving a brief history of Niantic and Pokemon Go and review some of the few technical issues that the game has experienced. The bulk of this podcast will be focused on how the hacking scene found ways to reverse engineer the game, and of course some tips and tricks so you can catch 'em all.

It's a bit longer than the usual Big Bugs podcast, but I feel like it's well worth it, as the Pokemon Go phenomenon has been amazing to experience and be part of. Below the recording, I've included some notes to accompany this episode, and resources referenced as well.

Subscribe to our Bugcrowd Podcast RSS feed here: 

Read More
Interesting, Bug Hunter Tips and Tricks

Big Bugs Podcast Episode 3: $15K for IoT Device Takeover

Posted by Jason Haddix on Jun 27, 2016 12:17:50 PM

Today we published the third episode of our podcast series 'Big Bugs' hosted by me. In this episode, embedded in this post and available on SoundCloud, I am joined by special guest Adam Hartway of Digital Safety (DiSa) to explore a $15K bug uncovered in their winner takes-all bug bounty program.

Read More
Interesting

Sandbagging, 'Sneakers' and Steganography: Bugcrowd's First Internal CTF

Posted by Leif Dreizler on Jun 24, 2016 4:19:04 PM

In early February Bugcrowd ran a CTF for its internal employees. The CTF was created and managed by our very own Director of Technical Operations, Jason Haddix. Haddix has been a part of many successful CTFs, both as a participant and organizer. He drew from his technical expertise and knowledge of hacker culture to make a fun and engaging CTF for Bugcrowd employees.

Read More
Interesting

Podcast - An Inside Look at the Crowd with Frans Rosen & Sam Houston

Posted by Sam Houston on May 31, 2016 1:45:44 PM

For me, one of the most enjoyable aspects of the security industry is the security community. The relationships I've been fortunate enough to build over the past couple of years have made this job very rewarding and of course, a ton of fun. I recently had the chance to record a podcast discussion with Frans Rosen, founder of Detectify and active bug bounty hunter to discuss our experiences in the security community:

Read More
Interesting

Big Bugs Podcast Episode 2: ImageTragick Up Close

Posted by Jason Haddix on May 27, 2016 10:14:28 AM

This morning we released the second episode of our new podcast series 'Big Bugs' hosted by me. This episode, embedded in this post and available on SoundCloud, takes a look at the recently popularized bug, ImageTragick. I discuss the detection and remediation time line of the widespread bug in the image processing suite, ImageMagic, as well as the implications it has for developers and researchers.

Read More
Interesting

How Crowdsourcing Increases The Quality of A Product

Posted by Katrina Rodzon on May 13, 2016 12:24:05 PM

Crowdsourcing isn’t the new kid on the block anymore. Most people know the value of outsourcing to a crowd to receive a wider breadth of resources, perspectives or expertise. More recently though, companies large and small have been turning to crowds for additional quality to their product - whether it’s functionality, design, utility, or even security. Even so, commonly, when I tell people about Bugcrowd and crowdsourced security testing, they usually ask:

I can see the importance of crowdsourcing for resource constrained companies that don’t have the headcount for a full security team, but how would any large company benefit from that type of model? Wouldn’t they be able to hire the needed experts in-house?

Read More
Interesting

Big Bugs Podcast Episode 1: Auto Bugs - Critical Vulns found in Cars with Jason Haddix

Posted by Jason Haddix on Apr 29, 2016 3:09:01 PM

Today we released our first episode of our new podcast series 'Big Bugs' hosted by me. Our first episode, embedded in this post and available on SoundCloud, provides an introduction to the car hacking space. With case studies of successful attacks and research from the past years, I also provide some technical resources for testing as well as technical resources for developers. Enjoy!

Read More
Interesting

Bug Bounties and NGWAF: 1+1=3

Posted by Payton O'Neal on Apr 22, 2016 11:02:07 AM

Return on Investment - ROI. Sales departments have to show it, marketing departments have to show it, and of course, security departments do too. At the end of the day we all need to show where the dollars are going, and security teams have the additional burden of correlating those dollars spent with the elimination of risk - or the perceived elimination of risk.

Read More
Interesting, Guest Blog

The Benefits of Public Disclosure

Posted by Kymberlee Price on Mar 9, 2016 4:09:46 PM

As we discussed in the first blog post of this series, Bugcrowd believes that public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process, and encourages organizations and researchers to work together to share information in a coordinated and mutually agreed upon manner. But why? To quote Bruce Schneier,

"Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it."

Read More
Interesting, Bug Hunter Tips and Tricks