Today we published the third episode of our podcast series 'Big Bugs' hosted by me. In this episode, embedded in this post and available on SoundCloud, I am joined by special guest Adam Hartway of Digital Safety (DiSa) to explore a $15K bug uncovered in their winner takes-all bug bounty program.
In early February Bugcrowd ran a CTF for its internal employees. The CTF was created and managed by our very own Director of Technical Operations, Jason Haddix. Haddix has been a part of many successful CTFs, both as a participant and organizer. He drew from his technical expertise and knowledge of hacker culture to make a fun and engaging CTF for Bugcrowd employees.
For me, one of the most enjoyable aspects of the security industry is the security community. The relationships I've been fortunate enough to build over the past couple of years have made this job very rewarding and of course, a ton of fun. I recently had the chance to record a podcast discussion with Frans Rosen, founder of Detectify and active bug bounty hunter to discuss our experiences in the security community:
This morning we released the second episode of our new podcast series 'Big Bugs' hosted by me. This episode, embedded in this post and available on SoundCloud, takes a look at the recently popularized bug, ImageTragick. I discuss the detection and remediation time line of the widespread bug in the image processing suite, ImageMagic, as well as the implications it has for developers and researchers.
Crowdsourcing isn’t the new kid on the block anymore. Most people know the value of outsourcing to a crowd to receive a wider breadth of resources, perspectives or expertise. More recently though, companies large and small have been turning to crowds for additional quality to their product - whether it’s functionality, design, utility, or even security. Even so, commonly, when I tell people about Bugcrowd and crowdsourced security testing, they usually ask:
I can see the importance of crowdsourcing for resource constrained companies that don’t have the headcount for a full security team, but how would any large company benefit from that type of model? Wouldn’t they be able to hire the needed experts in-house?
Today we released our first episode of our new podcast series 'Big Bugs' hosted by me. Our first episode, embedded in this post and available on SoundCloud, provides an introduction to the car hacking space. With case studies of successful attacks and research from the past years, I also provide some technical resources for testing as well as technical resources for developers. Enjoy!
Return on Investment - ROI. Sales departments have to show it, marketing departments have to show it, and of course, security departments do too. At the end of the day we all need to show where the dollars are going, and security teams have the additional burden of correlating those dollars spent with the elimination of risk - or the perceived elimination of risk.
As we discussed in the first blog post of this series, Bugcrowd believes that public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process, and encourages organizations and researchers to work together to share information in a coordinated and mutually agreed upon manner. But why? To quote Bruce Schneier,
"Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it."
Earlier today we held the First Annual Buggy Awards hosted by our CEO and Founder Casey Ellis, our Director of Customer Success Abby Mulligan, and our Sr. Director of Researcher Operations Kymberlee Price. The aim of these awards was to honor the top bug hunters and companies running bounty programs in 2015. These two groups of people are essential to our company success and are advancing the bug bounty and vulnerability disclosure space.
My favorite thing about going to conferences is establishing the underlying trends behind the questions I’m asked. We’re only half-way through RSAC/BSides week, and already the dominant question is clear:
When is the government going to start a bug bounty program?
Here’s my answer:
The government has no choice but to adopt a crowdsourced model for vulnerability discovery, it’s more a question of when will the pain of staying the same exceed the pain of change.