Bugcrowd Blog

NIST: Vulnerability Disclosure as a Requirement for Every Organization

Posted by Jonathan Cran on Jan 18, 2018 12:11:38 PM

Earlier this month, the National Institute of Standards and Technology’s (NIST) cybersecurity framework released a revision (1.1, Draft 2) of its Framework for Improving Critical Infrastructure Cybersecurity. The new release now includes vulnerability disclosure processes as part of the Framework Core (on page 43).

Thought leadership, Cybersecurity News

Why more government agencies should run Bug Bounties and VDP

Posted by Michael Chung on Jan 11, 2018 8:06:00 AM

If you’re reading this article, statistically speaking your organization might be getting hacked. Data breaches of U.S. government networks, once novel, have become pervasive over the past year. Take it from the Office of Personnel Management (OPM) or the IRS – no one is safe anymore. In the private sector, the Equifax hack and Intel’s processor vulnerabilities have taken mainstream media by storm. The question needs to be asked: are we doing enough to protect our nation’s assets against malicious attacks?

Interesting, Thought leadership, Federal

2018 Predictions: It Takes a Crowd

Posted by Sam Houston on Jan 5, 2018 9:43:00 AM

At the end of 2017 we asked our researcher community what changes they predicted for the bug bounty space in the year to come.

Thought leadership

Spectre & Meltdown: Quick Fact Sheet

Posted by Jonathan Cran on Jan 4, 2018 3:10:30 PM

Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Google’s Project Zero has provided exploits that work against real software.

Interesting, Thought leadership

3 Reasons Bugcrowd Researchers Keep Coming Back

Posted by Ryan Black on Dec 18, 2017 9:17:09 AM

2017 was a year for the books. The Equifax breach, the third Yahoo! breach, the Uber breach -- today nearly every American has been impacted by the loss of personally identifiable information (PII) data. And the threat continues to rise.

Interesting, Research and Reports, Thought leadership

The Personalities That Put the “Crowd” in Bugcrowd (Part 3 of 3)

Posted by Keith Hoodlet on Dec 14, 2017 8:16:00 AM

In the last installment of The Personalities that Put the “Crowd” in Bugcrowd (Part 2 of 3), I discussed the “Full-Timer” and “Virtuoso” personality types as part of the five distinct personalities that make up our crowd of nearly 70,000 security researchers. As stated previously, it's important to understand researcher motivations if you intend to run a successful bug bounty program. And to that end, I will be covering the final personality type in this post: the “Protector”. If you want to learn more about all five personalities - along with other interesting data and metrics about our crowd - check out our Inside the Mind of a Hacker 2.0 report. With that - let’s dive in!

Interesting, Research and Reports, Thought leadership

The Personalities That Put the “Crowd” in Bugcrowd (Part 2 of 3)

Posted by Keith Hoodlet on Dec 7, 2017 9:02:00 AM

Previously, in The Personalities that Put the “Crowd” in Bugcrowd (Part 1 of 3), I covered both the “Knowledge-Seeker” and “Hobbyist” personality types as part of the five distinct personalities that make up our crowd of over 65,000 security researchers. In order for companies to run successful bug bounty programs, it's important to understand researcher motivations - and to that end I will be covering the next two personality types in this post: those being “Full-Timer” and “Virtuoso”. If you want to learn more about all five personalities, along with other interesting data and metrics about our crowd - check out our Inside the Mind of a Hacker 2.0 report. And with that, let’s dive right in!

Interesting, Research and Reports, Thought leadership

Leveraging Policy and a Purpose-built Platform to Steer the Ship in SecOps

Posted by Ryan Black on Dec 4, 2017 9:03:00 AM

Crowdsourced security testing and vulnerability disclosure programs require the right combination of policy, resources, and support to be successful. Bugcrowd's leading platform and team bring years of experience facilitating success with white-glove management of these programs. From policy design through launch and submission management, our Operations team is a close partner of our talented researcher community and customers.

Interesting, Thought leadership, SecOps

The Personalities That Put the “Crowd” in Bugcrowd (Part 1 of 3)

Posted by Keith Hoodlet on Dec 1, 2017 6:02:00 AM

Last week, David Baker (Bugcrowd’s Chief Security Officer) released a blog post discussing why it's important to understand researcher motivations in order to run a successful bug bounty program. Furthermore - to enable current and future customers to get a better handle on what drives security researchers at Bugcrowd - we released the Inside the Mind of a Hacker (version 2.0) report covering a broad range of metrics around who the Crowd is comprised of; including data on age, level of education, geographic location, and most importantly - what motivates us (and I use the term “us”, because I myself am a security researcher on Bugcrowd).

Interesting, Researcher Resources, Thought leadership

MacOS High Sierra: Getting to the Root of the Problem

Posted by Keith Hoodlet on Nov 28, 2017 2:49:41 PM

What we know so far

Earlier today it was publicly disclosed that Apple’s MacOS High Sierra contains a trivially-exploitable flaw, which allows malicious individuals to generate a persistent root access account on your system. It is not readily apparent whether or not this vulnerability is remotely exploitable, but out of an abundance of caution there are several steps you can take immediately to protect your system.

Interesting, Thought leadership, Cybersecurity News