Bugcrowd Blog

[Guest Blog] Bugcrowd’s Buggy Awards: Fitbit Takes Two!

Posted by Bugcrowd on Mar 16, 2017 12:13:04 PM

Appeared originally on the Fitbit Engineering Blog

Read More
Guest Blog

Guest Blog: Barracuda Bug Bounty Program Shifts to the Cloud

Posted by Payton O'Neal on Nov 17, 2016 9:36:54 AM

Posted originally on November 14 by Dave Farrow, Senior Director, Information Security at Barracuda Networks.

Read More
Guest Blog

[Guest Blog] Skyscanner's Adventures in Bug Bounties

Posted by Payton O'Neal on Apr 27, 2016 11:07:19 AM

Posted originally on by Stuart Hirst on Skyskanner's Code Voyager Blog

Skyscanner has a culture of innovation and continuous improvement. For our IT security function, the ‘Security Squad’, it is no different. External security testing had previously taken the form of standard penetration testing, which brought considerable value and helped improve security posture. However, our Squad wanted to look at new ways of testing the products that we help secure on a daily basis. In early 2015, we began to investigate the possibility of a crowd-sourced testing mechanism.

Read More
Guest Blog, Running Your Own Program, Case Studies

Bug Bounties and NGWAF: 1+1=3

Posted by Payton O'Neal on Apr 22, 2016 11:02:07 AM

Return on Investment - ROI. Sales departments have to show it, marketing departments have to show it, and of course, security departments do too. At the end of the day we all need to show where the dollars are going, and security teams have the additional burden of correlating those dollars spent with the elimination of risk - or the perceived elimination of risk.

Read More
Interesting, Guest Blog

[Guest Blog] Using a Braun Shaver to Bypass XSS Audit and WAF by Frans Rosen, Detectify

Posted by Sam Houston on Apr 19, 2016 1:12:14 PM

This post was contributed by Frans Rosen, Bug Bounty Hunter and Knowledge Advisor at Detectify

TLDR: Sometimes you just need to spend a couple of months to exploit a XSS with a hygiene product.

For a couple of months this specific bug was on my "check later" list. I later reported it to the company running a private bug bounty. I had been messing with it back and forth and was never been able to do something that actually made sense – and as soon as I had some progress – a new obstacle came crashing in my face. After a few months returning to the same endpoint, I was finally able to create a PoC to show that a security issue was present.

It's a freaking XSS, but hey, the story is what counts, right..? :)

Read More
Guest Blog, Bug Hunter Tips and Tricks

[Guest Blog] InfoSec’s New Mandate: Silo Smashing and Feedback Loop Amplification

Posted by Payton O'Neal on Mar 24, 2016 9:59:56 AM

The original post by James Wickett appeared originally on Signal Sciences Lab on 03/24/16.  


I have reached the age where friends are getting roles like CISO or Director of Security or Senior Architect. All important titles with crucial tasks ahead of them. Usually when friends take these roles they immediately realize that they have found themselves in unfamiliar waters. The skills that got them to that role are not the skills they need to succeed.

Read More
Guest Blog

Vuln Disclosure: Why Security Vendors & Researchers Don’t Trust Each Other - Dark Reading Summary + Video

Posted by Kymberlee Price on Mar 23, 2016 10:21:22 AM
 
The original article originally appeared on 3/22/2016 at 10:45 AM as a Commentary on Dark Reading. 
 
I’ve heard all the common complaints from both researchers and organizations regarding existing disclosure policies written over the last 15 years. There are valid arguments - “It doesn’t fit my business model” and “I don’t trust the other party” - which signal to me that for now, the security ecosystem is too complex for any single policy to be both supported and followed by the majority of vendors and researchers. It’s about more than just the disclosure policies. It’s about addressing the historical distrust and hostility between these two parties, and the damage that years of miscommunication and misunderstandings has created.
Read More
Guest Blog, Running Your Own Program

Guest Blog: Indeed's Bug Bounty Goals, Learnings and Successes

Posted by Payton O'Neal on Mar 18, 2016 1:51:53 PM

This post is an exerpt from "A Bounty of Security," originally posted on by Gregory Caswell on the Indeed Engineering Blog.

Read More
Guest Blog

Guest Post: Hunting the “Automated Pentesting” Unicorn

Posted by Sam Houston on Feb 25, 2016 2:18:29 PM
At Bugcrowd we are firm believers in the value of human creativity and their ability to discover new and complex techniques to compromise the security of their target. Yesterday Ryan Broadfoot published a blog on Medium that dives into the complexities of a penetration test and the inherent strengths of security researchers to tackle these issues. We've published Ryan's blog below, and we encourage you to visit Ryan's website and follow him @norsec0de on Twitter.
Read More
Guest Blog

Advice From A Researcher: How To Approach A Target

Posted by Katrina Rodzon on Jul 14, 2015 1:00:11 AM

Editor's Note: Today I’d like to introduce you to Bugcrowd member Anshuman Bhartiya (anshuman_bh). As an information security professional as well as bug bounty researcher, Anshuman has helped improve the security of many organizations. He has submitted several P1 & P2 bugs leading to his high standing within the programs he is involved in. As an active member on our Bugcrowd forum he also contributes to the bug bounty researcher community. This blog is from one of his responses on the forum that he has allowed us to post here. We are thrilled to share his thoughts and experience on how to successfully approach a target. Thanks!

Read More
Guest Blog, Bug Hunter Tips and Tricks