Bugcrowd Blog

Bug Bounty Lifecycle, Visualized

Posted by Payton O'Neal on Jun 28, 2016 2:32:08 PM

We recently released the State of Bug Bounty 2016 Report, which aggregated data and trends from companies running bug bounty programs and from researchers participating in them. A major takeaway from the accompanying survey of security professionals was the response to 'What are your organization's apprehensions about running a bug bounty program?' The most popular answer was 'Not sure where to begin.'
Running Your Own Program

Risk and Liability Concerns - Your Questions Answered

Posted by Jason Pitzen on May 23, 2016 11:13:40 AM

I’ve worked in the security industry now for about seven years, and in the responsible disclosure space for the last two and a half years. In that time I’ve heard and answered just about every question regarding legal, compliance and regulatory controls around vulnerability disclosure and bug bounties.

Bugcrowd’s goal from the beginning has been to utilize an incredibly efficient platform to facilitate the responsible disclosure of security vulnerabilities between organizations and the researcher community. That having been said, we understand that working with an incredibly savvy workforce of independent talent may raise some concerns, and it may surprise you to learn that the same goes for the researcher community. So whether you yourself have concerns, or your internal legal department does, we want to arm you with both logical justification and legal safety nets to put your mind at ease.

Running Your Own Program

Jet.com Increases Rewards to Match the Market Rate of Security Bugs

Posted by Payton O'Neal on May 17, 2016 4:48:04 PM

At the beginning of this year we released our ‘Defensive Vulnerability Pricing Model’ that answers the question “what’s a bug worth?”. This guide outlines how much organizations should budget for crowdsourced security programs, and what reward ranges attract the right talent. In short, this guide, informed by tens of thousands of vulnerability submissions and years of running public and private crowdsourced security programs, set the first market rates for security vulns by criticality, and now organizations are beginning to adopt this guidance.

Running Your Own Program, New Program Announcements

As Cyber Attacks in the Financial Sector Increase YoY, Organizations Move towards Utilizing the Crowd

Posted by Brooke Motta on May 11, 2016 12:34:22 PM

During FS-ISAC last week, we had our ears to the ground, chatting with security folks about their concerns, challenges and hopes for application security testing. We have set out to distill some of our observations and data into a discussion of the state of application security in the financial sector.

Running Your Own Program

How to Write a Clear and Thoughtful Scope, A Deep Dive

Posted by Grant McCracken on May 2, 2016 4:56:47 PM

We recently published a comprehensive but abbreviated guide, 'Anatomy of a Bounty Brief', which explores each part of a bounty program brief and how organizations can write them more clearly and thoughtfully. We also recently wrote about how important it is to consider 'step zero' prior to launching your program, to ensure that your organization has the necessary resources and is fully prepared to run a successful program.

Once you've identified that you and your organization are ready to commit the necessary time and resources to running a bug bounty program, it's time to start building out your program brief. The first step of that is setting the program scope.

Running Your Own Program

[Guest Blog] Skyscanner's Adventures in Bug Bounties

Posted by Payton O'Neal on Apr 27, 2016 11:07:19 AM

Originally posted by Stuart Hirst on Skyscanner's Code Voyager Blog

Skyscanner has a culture of innovation and continuous improvement. For our IT security function, the ‘Security Squad’, it is no different. External security testing had previously taken the form of standard penetration testing, which brought considerable value and helped improve security posture. However, our Squad wanted to look at new ways of testing the products that we help secure on a daily basis. In early 2015, we began to investigate the possibility of a crowd-sourced testing mechanism.

Guest Blog, Running Your Own Program

Starting a Bug Bounty Program, Step Zero

Posted by Grant McCracken on Apr 12, 2016 3:55:31 PM

So you want to run a bug bounty program…

First off, congratulations! You’re on the cutting edge of security and in good company, surrounded by giants such as Google and Facebook, who've run their own programs for years, as well as other innovators like Tesla, Pinterest, and Dropbox. Chances are, if you're considering starting your own program, you've started to think about what you want to test, and even what you might offer for rewards. Stop! Before you even start taking those steps, consider step zero.

Running Your Own Program

Vuln Disclosure: Why Security Vendors & Researchers Don’t Trust Each Other - Dark Reading Summary + Video

Posted by Kymberlee Price on Mar 23, 2016 10:21:22 AM
 
This article originally appeared on 3/22/2016 at 10:45 AM as a Commentary on Dark Reading.
 
I’ve heard all the common complaints from both researchers and organizations regarding existing disclosure policies written over the last 15 years. There are valid arguments - “It doesn’t fit my business model” and “I don’t trust the other party” - which signal to me that for now, the security ecosystem is too complex for any single policy to be both supported and followed by the majority of vendors and researchers. It’s about more than just the disclosure policies. It’s about addressing the historical distrust and hostility between these two parties, and the damage that years of miscommunication and misunderstandings have created.

Guest Blog, Running Your Own Program

Bugcrowd's Disclosure Policy

Posted by Kymberlee Price on Feb 23, 2016 12:00:00 PM

To disclose, or not to disclose...

When it comes to disclosure, Bugcrowd encourages organizations and researchers to work together to share information in a coordinated and mutually agreed upon manner. Our Standard Disclosure Terms and Researcher Code of Conduct outline our public disclosure policy, but each organization defines its own public disclosure policy for vulnerabilities reported through its bounty program. This document is intended to explain the disclosure options at Bugcrowd to both customers and crowd members.

Bugcrowd News, Running Your Own Program

Traditional And Flex Bounty Models: A Re-Introduction

Posted by Katrina Rodzon on Jul 2, 2015 2:00:31 AM

We’ve proved here at Bugcrowd that traditional security assessments pale in comparison to leveraging a community of researchers. Today we want to talk about the options and benefits of our programs for both researchers and clients.

Bugcrowd News, Running Your Own Program