Bugcrowd Blog

Kymberlee Price

Recent Posts

Bugcrowd Celebrates Top Researchers with 2016 Bug Bounty Bonus Awards

Posted by Kymberlee Price on Jan 25, 2017 1:06:57 PM

2016 was a big year for our researcher community, which nearly doubled in size to provide our customers access to an even bigger pool of the best hackers in the world. We also saw a 287% increase in researcher payouts and a 66% increase in the average payout size.

Filed under: Researcher Profiles

Cash Back Reward Program for Top Researchers

Posted by Kymberlee Price on Sep 19, 2016 12:08:29 PM

We know that security researchers have many options when it comes to participating in bug bounty programs, which is why we are so proud to have some of the best researchers in the world participating in bounty programs on the Bugcrowd platform. Throughout the year, we show our appreciation in many ways, from monthly performance bonuses to private parties and events, swag, and more.

Today we are excited to publicly announce a new annual reward program for Bugcrowd community members that consistently submit the highest impact vulnerabilities to Bugcrowd bounty programs.

Filed under: Bugcrowd News

Product Security Incident Response 101

Posted by Kymberlee Price on Aug 22, 2016 8:23:14 AM

Earlier this year, I wrote extensively about vulnerability disclosure policies and their benefits, as well as how trust impacts the disclosure process between researchers and vendors. While writing these posts, I looked for publicly available (free!) literature on product security incident response (PSIRT) processes to share. I thought I'd find vendors publishing their PSIRT best practices on operations or on how to publish an advisory, but 99% of what I found was focused on network incident response and not relevant for application or product security teams. I suddenly realized that despite all my years working in a PSIRT, I'd never published any operational guidance that would help other defenders learn from my experiences, and it was time to change that.

Filed under: Interesting

Bugcrowd VIP Party at DEFCON 2016

Posted by Kymberlee Price on Jul 8, 2016 9:33:06 AM

The one month countdown to both Black Hat USA and DEFCON has officially started, and we have a lot planned for both the Crowd and our customers this August. There are many more announcements to follow, but this is one that can't wait.

Filed under: Bugcrowd News

Calling all Mobile Researchers!

Posted by Kymberlee Price on Apr 28, 2016 10:00:00 AM

Over the last year Bugcrowd has seen a dramatic increase in the number of bounty programs that feature mobile app (iOS and Android) targets. Whether you already have mobile skills or just want to expand from web app to mobile app bug hunting, Bugcrowd has several public programs and numerous private programs available for you to hack on for fun and profit. We want you! That's why we're running a limited-time contest for all mobile vulns.

Filed under: Bugcrowd News

"Writing Vulnerability Reports that Maximize Your Bounty Payouts" + My Trip to Nullcon

Posted by Kymberlee Price on Apr 1, 2016 1:14:37 PM

This March I had the opportunity to travel to India and speak at the Nullcon security conference as part of the first Bounty Craft Track: 1.5 days devoted entirely to the art of bug bounty hunting with researchers and members of the security teams from Bugcrowd, Microsoft, Google, Facebook, and Mozilla. This was a great opportunity for vendors and researchers to engage in interactive conversations, and to share techniques and war stories. And it was awesome to meet dozens of our Crowd members in person, including two of our 2016 Buggy Award winners, Harie_cool and Vishnu_Vardhan_Reddy!

Filed under: Conferences, Bug Hunter Tips and Tricks

Vuln Disclosure: Why Security Vendors & Researchers Don’t Trust Each Other - Dark Reading Summary + Video

Posted by Kymberlee Price on Mar 23, 2016 10:21:22 AM

This article originally appeared on 3/22/2016 at 10:45 AM as a Commentary on Dark Reading.

I've heard all the common complaints from both researchers and organizations regarding the existing disclosure policies written over the last 15 years. There are valid arguments, "It doesn't fit my business model" and "I don't trust the other party," which signal to me that for now, the security ecosystem is too complex for any single policy to be both supported and followed by the majority of vendors and researchers. It's about more than just the disclosure policies. It's about addressing the historical distrust and hostility between these two parties, and the damage that years of miscommunication and misunderstandings have created.

Filed under: Guest Blog, Running Your Own Program

Nullcon 2016 "Bounty Craft" Track Schedule March 10-11

Posted by Kymberlee Price on Mar 10, 2016 12:05:46 AM

Bugcrowd is excited to partner with Microsoft, Facebook, Google, and Mozilla at Nullcon 2016 for the first ever "Bounty Craft" Track: 1.5 days devoted entirely to the art of bug bounty hunting.

With the explosive growth of the security research community in India, Nullcon provides a great opportunity for vendors and researchers to engage in interactive conversations, and to share techniques and war stories. If you're attending Nullcon, we hope you'll join us tonight and tomorrow!

Filed under: Conferences

The Benefits of Public Disclosure

Posted by Kymberlee Price on Mar 9, 2016 4:09:46 PM

As we discussed in the first blog post of this series, Bugcrowd believes that public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process, and encourages organizations and researchers to work together to share information in a coordinated and mutually agreed upon manner. But why? To quote Bruce Schneier,

"Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it."

Filed under: Interesting, Bug Hunter Tips and Tricks

Bugcrowd's Disclosure Policy

Posted by Kymberlee Price on Feb 23, 2016 12:00:00 PM

To disclose, or not to disclose...

When it comes to disclosure, Bugcrowd encourages organizations and researchers to work together to share information in a coordinated and mutually agreed upon manner. Our Standard Disclosure Terms and Researcher Code of Conduct outline our public disclosure policy, but each organization defines its own public disclosure policy for vulnerabilities reported through its bounty program. This document is intended to explain the disclosure options at Bugcrowd to both customers and Crowd members.

Filed under: Bugcrowd News, Running Your Own Program