Bugcrowd Blog

We Called, Our Mobile Researchers Answered!

Posted by Chloe Brown on Oct 25, 2016 10:03:00 AM

Throughout June, July and August 2016, we ran a researcher promotion focused on mobile targets and we are thrilled today to finally be able to announce the winners:

Congratulations to Javidr & konkakarthik for their winning submissions!

Bugcrowd News

Bug Bounty Model Celebrates 21st Birthday!

Posted by Casey Ellis on Oct 20, 2016 10:15:00 AM

Bug bounties are legal! Twenty-one years ago, Netscape launched the world’s very first bug bounty program. 'Netscape Bugs Bounty' was launched against the beta versions of Netscape Navigator 2.0 and awarded cash prizes and swag, depending on bug severity. (Sounds pretty familiar, eh?)

The program set the foundation for the bug bounty model, without Netscape even knowing it, and we were curious about that day 21 years ago. We had the opportunity to go straight to the source in a Q&A with Jeff Treuhaft, who as Netscape’s Product Director was one of the key people behind the Netscape bug bounty program. Read on to learn why Netscape launched a bug bounty program, what came of it, and where Jeff thinks the model is going.


Tips from Top Hackers - Bug Hunting methodology and the importance of writing quality submissions

Posted by Sam Houston on Oct 18, 2016 1:25:05 PM

Yesterday we shared how some of Bugcrowd’s top-ranked bug hunters fit bounties into their schedule and maximize payouts, and today we’re going to dive a bit deeper with one of those researchers. In today's post, Brett Buerhaus, ranked 16th on Bugcrowd and an experienced security researcher, shares his method for approaching new bug bounties and writing bug submissions.

Bug Hunter Tips and Tricks, Researcher Resources

Tips from Top Hackers - How to fit bounties into your schedule and maximize payouts

Posted by Sam Houston on Oct 17, 2016 4:22:41 PM

In our recently published report on the bug hunting community, we asked all kinds of bug hunters what motivates them to participate in bug bounties and how they decide which programs to participate in. Across several of the groups identified in the report, time was a huge factor. With a full-time job, family and a social life, how does one fit bug bounty hunting into a busy schedule?

Researcher Resources

Bug Bounties: Risk and Reward

Posted by Payton O'Neal on Oct 13, 2016 3:24:03 PM

Today our CEO, Casey Ellis, and James Denaro, founder and attorney at Cipher Law, stepped on stage at AppSecUSA 2016 to talk about the logistics and legalities of bug bounties. They talked through some of the most common concerns people have about bug bounties, discussed ways to address those concerns, and covered how to implement liability controls.


All You Need to Know About Bug Bounty Testing Environments

Posted by Grant McCracken on Oct 12, 2016 1:05:00 PM

As a quick refresher on setting up a bug bounty program: we've already covered step zero, setting your scope, the importance of focus areas, and some considerations around exclusions on your program.

Now that we’ve covered most of what goes into writing a bug bounty brief, including rewards and disclosure policies, let’s take a look at what environment you'll be providing for researchers to test against. Regardless of how you decide to set up your application(s), it's important to remember that our goal is to attract great talent from the crowd, sustain activity, and ultimately minimize the challenges of setting up and running a bug bounty for you and your internal teams.

Running Your Own Program

Q4 Researcher Promotion: Thick Client Targets

Posted by Chloe Brown on Oct 7, 2016 11:35:11 AM

As the bug bounty space has matured, the range of targets to test against has expanded and diversified enormously. Our programs offer a broad range of targets, from web and mobile to APIs and IoT devices (even cars)! Over the last several months, Bugcrowd has launched more and more bounty programs that feature thick client applications.

Whether you already have skills in testing thick client software or want to expand your expertise, Bugcrowd has several public programs and numerous private programs available for you to hack on for fun and profit. This quarter we're running a limited-time promotion for all submissions found in thick client applications.

Bugcrowd News, Researcher Resources

How and When to Effectively Escalate a Submission

Posted by Chloe Brown on Oct 5, 2016 1:05:18 PM

We take the security research community seriously and appreciate the valuable time spent participating in Bugcrowd programs. Each submission is reviewed with the respect that it deserves, and we have a commitment to set researchers up for success as reports move through the review process. This entails understanding the submission review process, respecting bounty guidelines, and effectively communicating with program owners and the Bugcrowd Application Security Engineering (ASE) team.

Researcher Resources

Bug Bounty: Part of This Complete Breakfast

Posted by Casey Ellis on Oct 4, 2016 4:40:45 PM

In the past several months, bug bounties have gained popularity in the press and have been adopted with increasing velocity by enterprise organizations. Along with this popularity, the bug bounty model has also received some criticism, and various actors within the industry have raised some very good questions. In keeping with our commitment to transparency, honesty, and education, we thought it was as good a time as any to discuss two specific areas that have cropped up in the past several months, quality and impact, by examining some misconceptions about bug bounties.


Big Bugs | Episode 6: API Security and the Internet of Things w/ Fitbit

Posted by Jason Haddix on Sep 30, 2016 9:59:00 AM

The unprecedented growth and adoption of connected devices have created innumerable threats for organizations, manufacturers, and consumers, while at the same time creating enormous opportunities for hackers. In this episode of Big Bugs, Jason Haddix joins Fitbit’s security team to explore what it takes to effectively hack connected devices through their APIs, and how the role of defenders has evolved in this domain.

The speakers explore the growing prevalence of connected devices in our lives, the use of APIs, the increasing importance of API testing in its new form (REST versus older XML-based testing), and why it is a valuable skill set for researchers as well as organizations.

Bugcrowd News