Bugcrowd Blog

Big Bugs Podcast Episode 2: ImageTragick Up Close

Posted by Jason Haddix on May 27, 2016 10:14:28 AM

This morning we released the second episode of our new podcast series 'Big Bugs', hosted by me. This episode, embedded in this post and available on SoundCloud, takes a look at the recently popularized bug, ImageTragick. I discuss the detection and remediation timeline of the widespread bug in the image processing suite ImageMagick, as well as the implications it has for developers and researchers.


Discovering Subdomains

Posted by Shpend Kurtishaj on May 26, 2016 1:31:14 PM

When coming across a *.target.com scope, it’s always a good idea to seek the road less travelled. Exotic and forgotten applications running on strangely named subdomains will quickly lead to uncovering critical vulnerabilities and often high payouts. Discovering such subdomains is a critical skill for today's bug hunter and choosing the right techniques and tools is paramount.


Risk and Liability Concerns - Your Questions Answered

Posted by Jason Pitzen on May 23, 2016 11:13:40 AM

I’ve worked in the security industry now for about seven years, and in the responsible disclosure space for the last two and a half years. In that time I’ve heard and answered just about every question regarding legal, compliance and regulatory controls around vulnerability disclosure and bug bounties.

Bugcrowd’s goal from the beginning has been to utilize an incredibly efficient platform to facilitate the responsible disclosure of security vulnerabilities between organizations and the researcher community. That having been said, we understand that working with an incredibly savvy workforce of independent talent may raise some concerns, and it may surprise you to learn that the same goes for the researcher community. So whether you yourself have concerns, or your internal legal department does, we want to arm you with both logical justification and legal safety nets to put your mind at ease.


Researcher Spotlight - Fuzzybear

Posted by Sam Houston on May 18, 2016 2:57:55 PM

Fuzzybear is #43 on the community leaderboard, with a 100% acceptance rate and an average bug priority of 2.55. In the short time he's been on Bugcrowd and in bug bounties he has done quite well, successfully finding 65 bugs on Bugcrowd bug bounties, most of which were through private bug bounty programs. He also has one of my favorite usernames in the community!

Read below for our interview with Fuzzybear, where he shares some great practical advice for researchers.


Jet.com Increases Rewards to Match the Market Rate of Security Bugs

Posted by Payton O'Neal on May 17, 2016 4:48:04 PM

At the beginning of this year we released our ‘Defensive Vulnerability Pricing Model’ that answers the question “what’s a bug worth?”. This guide outlines how much organizations should budget for crowdsourced security programs, and what reward ranges attract the right talent. In short, this guide, informed by tens of thousands of vulnerability submissions and years of running public and private crowdsourced security programs, set the first market rates for security vulns by criticality, and now organizations are beginning to adopt this guidance.


How Crowdsourcing Increases The Quality of A Product

Posted by Katrina Rodzon on May 13, 2016 12:24:05 PM

Crowdsourcing isn’t the new kid on the block anymore. Most people know the value of outsourcing to a crowd to receive a wider breadth of resources, perspectives or expertise. More recently though, companies large and small have been turning to crowds for additional quality to their product - whether it’s functionality, design, utility, or even security. Even so, commonly, when I tell people about Bugcrowd and crowdsourced security testing, they usually ask:

I can see the importance of crowdsourcing for resource constrained companies that don’t have the headcount for a full security team, but how would any large company benefit from that type of model? Wouldn’t they be able to hire the needed experts in-house?


As Cyber Attacks in the Financial Sector Increase YoY, Organizations Move towards Utilizing the Crowd

Posted by Brooke Motta on May 11, 2016 12:34:22 PM

During FS-ISAC last week, we had our ears to the ground, chatting with security folks about their concerns, challenges and hopes for application security testing and have set out to distill some of our observations and data to discuss the state of application security in the financial sector.


Researcher Spotlight - Mico

Posted by Sam Houston on May 10, 2016 8:30:00 AM

This week’s Researcher Spotlight is on Mico! Mico ranks #5 on Bugcrowd’s leaderboard with over 1926 kudos points, 266 bugs found, a 91% acceptance rate and an average bug priority of 2.92. In a relatively short period of time we’ve seen Mico climb his way up the charts. Mico can be found on Bugcrowd and you can follow him on Twitter at @bugtest0101.

Take us back to your early days, what got you started with technology?


April 2016 Leaderboard

Posted by Dana Daigle on May 4, 2016 11:57:14 AM

Time for the April Hall of Fame announcement of 2016! Big recognition once again goes to mongo, who topped the April leaderboard with an astounding 1039 points earned through multiple P1 submissions.


How to Write a Clear and Thoughtful Scope, A Deep Dive

Posted by Grant McCracken on May 2, 2016 4:56:47 PM

We recently published a comprehensive but abbreviated guide, 'Anatomy of a Bounty Brief', which explores each part of a bounty program brief and how organizations can write them more clearly and thoughtfully. We also recently wrote about how important it is to consider 'step zero' prior to launching your program, to ensure that your organization has the necessary resources and is fully prepared to run a successful program.

Once you've identified that you and your organization are ready to commit the necessary time and resources to running a bug bounty program, it's time to start building out your program brief - the first step of which, is setting the program scope.

