Google recently announced that the company has raised its top reward for remote code execution bugs in its Google, Blogger and YouTube domains by 50 percent, saying "Because high-severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them. We want to demonstrate our appreciation for the significant time researchers dedicate to our program."
The new year is a great time to reflect on the past year and set new goals for the year ahead. To help the Bugcrowd community achieve success in 2017, we've outlined a few New Year's resolutions for bug hunters and bug bounty program managers. Have other resolutions? We want to hear what they are! Tweet us.
In the past month, we’ve been addressing some commonly held misconceptions about the bug bounty model, outlined in our guide, 7 Bug Bounty Myths, Busted. So far we’ve discussed the misconception that bug bounties are all public, examined the types of companies engaging with the bug bounty model, and debunked the perception some have that bug bounties are too risky. This week, we’re talking about the folks that make this economy go ‘round...
Myth #4: Bug bounties don’t attract talented testers.
Anyone who has been involved with a bug bounty program knows this isn't true. For those who have not, this post should give you a better idea as to who these people are, and what they're capable of.
Bug bounties are legal! Twenty-one years ago, Netscape launched the world’s very first bug bounty program. 'Netscape Bugs Bounty' was launched on the beta versions of Netscape Navigator 2.0 software, and awarded cash prizes and SWAG, depending on bug severity. (Sounds pretty familiar, eh?)
The program set the foundation for the bug bounty model–without their even knowing it–and we were curious about that day 21 years ago. We had the opportunity to get straight to the source in a Q&A with Jeff Treuhaft, who was one of the key people behind the Netscape bug bounty program as Netscape’s Product Director. Read on to learn more about why Netscape launched a bug bounty program, what came of it, and where Jeff thinks the model is going.
Earlier today we joined Jake Kouns, CISO of Risk Based Security, and Christine Gadsby, Director of Product Security at BlackBerry for a guest webcast. They gave their Black Hat 2016 talk 'OSS Security Maturity: Time to Put on Your Big Boy Pants' which analyzes the real risks of using OSS and the best way to manage its use within your organization.
Earlier this year, I wrote extensively about vulnerability disclosure policies and benefits as well as how trust impacts the disclosure process between researchers and vendors. While writing these posts, I looked for publicly available (free!) literature on product security incident response (PSIRT) processes to share. I thought I’d find vendors publishing their PSIRT best practices on operations or how to publish an advisory, but 99% of what I found was network incident response focused and not relevant for application or product security teams. I suddenly realized that despite all my years working in a PSIRT, I'd never published any operational guidance that would help other defenders learn from my experiences - and it was time to change that.
This week's Big Bugs podcast is near and dear to my heart, combining three of my favorite things: mobile hacking, gaming, and security in general. In this episode, I'll start by giving a brief history of Niantic and Pokemon Go and review some of the few technical issues that the game has experienced. The bulk of this podcast will be focused on how the hacking scene found ways to reverse engineer the game, and of course some tips and tricks so you can catch 'em all.
It's a bit longer than the usual Big Bugs podcast, but I feel like it's well worth it, as the Pokemon Go phenomenon has been amazing to experience and be part of. Below the recording, I've included some notes to accompany this episode, and resources referenced as well.
Subscribe to our Bugcrowd Podcast RSS feed here: bgcd.co/bcpodcastrss
Today we published the third episode of our podcast series 'Big Bugs' hosted by me. In this episode, embedded in this post and available on SoundCloud, I am joined by special guest Adam Hartway of Digital Safety (DiSa) to explore a $15K bug uncovered in their winner takes-all bug bounty program.
In early February Bugcrowd ran a CTF for its internal employees. The CTF was created and managed by our very own Director of Technical Operations, Jason Haddix. Haddix has been a part of many successful CTFs, both as a participant and organizer. He drew from his technical expertise and knowledge of hacker culture to make a fun and engaging CTF for Bugcrowd employees.