Bugcrowd Blog

W0RLD 3C0N0M1C F0RUM L3ARN1NG J0URN3Y

Posted by Ingrum Putz on Jun 21, 2017 9:08:45 AM

Bugcrowd’s vision is to deliver a radical cybersecurity advantage. In addition to providing the best platform and tools to allow the top security researchers on the planet to find vulnerabilities in our customers’ applications, networks, and devices (IoT), we know that the key to our vision, and to making the Internet a safer place, is EDUCATION EDUCATION EDUCATION!

Interesting

Evaluating the business impact of software vulnerabilities

Posted by David Baker on Mar 22, 2017 9:00:00 AM

Google recently announced that the company has raised its top reward for remote code execution bugs in its Google, Blogger and YouTube domains by 50 percent, saying "Because high-severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them. We want to demonstrate our appreciation for the significant time researchers dedicate to our program."

Interesting

2017 Bug Bounty Resolutions

Posted by Sam Houston on Jan 3, 2017 12:21:59 PM

The new year is a great time to reflect on the past year and set new goals for the year ahead. To help the Bugcrowd community achieve success in 2017, we've outlined a few New Year's resolutions for bug hunters and bug bounty program managers. Have other resolutions? We want to hear what they are! Tweet us.

Interesting

Bug Bounty Myth #4: Bug Bounties Don’t Attract Talented Testers

Posted by Payton O'Neal on Nov 15, 2016 11:00:00 AM

In the past month, we’ve been addressing some commonly held misconceptions about the bug bounty model, outlined in our guide, 7 Bug Bounty Myths, Busted. So far we’ve discussed the misconception that bug bounties are all public, examined the types of companies engaging with the bug bounty model, and debunked the perception some have that bug bounties are too risky. This week, we’re talking about the folks that make this economy go ‘round...

Myth #4: Bug bounties don’t attract talented testers.

Anyone who has been involved with a bug bounty program knows this isn't true. For those who have not, this post should give you a better idea as to who these people are, and what they're capable of.

Interesting

Bug Bounty Model Celebrates 21st Birthday!

Posted by Casey Ellis on Oct 20, 2016 10:15:00 AM

Bug bounties are legal! Twenty-one years ago, Netscape launched the world’s very first bug bounty program. 'Netscape Bugs Bounty' was launched on the beta versions of Netscape Navigator 2.0 software, and awarded cash prizes and SWAG, depending on bug severity. (Sounds pretty familiar, eh?)

The program set the foundation for the bug bounty model–without their even knowing it–and we were curious about that day 21 years ago. We had the opportunity to get straight to the source in a Q&A with Jeff Treuhaft, who was one of the key people behind the Netscape bug bounty program as Netscape’s Product Director. Read on to learn more about why Netscape launched a bug bounty program, what came of it, and where Jeff thinks the model is going.

Interesting

August 2016 Hall of Fame Winners!

Posted by Kaila Pollart on Sep 7, 2016 3:48:45 PM

Bugcrowd is excited to announce our August 2016 Hall of Fame winners!

Interesting

OSS Security Maturity: Time to Put On Your Big Boy Pants!

Posted by Payton O'Neal on Aug 30, 2016 4:31:45 PM

Earlier today we joined Jake Kouns, CISO of Risk Based Security, and Christine Gadsby, Director of Product Security at BlackBerry, for a guest webcast. They gave their Black Hat 2016 talk 'OSS Security Maturity: Time to Put on Your Big Boy Pants', which analyzes the real risks of using OSS and the best way to manage its use within your organization.

This post is a high-level review of that presentation–you can watch the recording here and download their slides here.

Interesting

Product Security Incident Response 101

Posted by Kymberlee Price on Aug 22, 2016 8:23:14 AM

Earlier this year, I wrote extensively about vulnerability disclosure policies and benefits as well as how trust impacts the disclosure process between researchers and vendors. While writing these posts, I looked for publicly available (free!) literature on product security incident response (PSIRT) processes to share. I thought I’d find vendors publishing their PSIRT best practices on operations or how to publish an advisory, but 99% of what I found was network incident response focused and not relevant for application or product security teams. I suddenly realized that despite all my years working in a PSIRT, I'd never published any operational guidance that would help other defenders learn from my experiences - and it was time to change that. 

Interesting

Big Bugs Podcast Episode 4: Fun and Hacking with Pokemon Go!

Posted by Jason Haddix on Jul 29, 2016 2:30:11 PM

This week's Big Bugs podcast is near and dear to my heart, combining three of my favorite things: mobile hacking, gaming, and security in general. In this episode, I'll start by giving a brief history of Niantic and Pokemon Go and review some of the technical issues that the game has experienced. The bulk of this podcast will be focused on how the hacking scene found ways to reverse engineer the game, and of course some tips and tricks so you can catch 'em all.

It's a bit longer than the usual Big Bugs podcast, but I feel like it's well worth it, as the Pokemon Go phenomenon has been amazing to experience and be part of. Below the recording, I've included some notes to accompany this episode, and resources referenced as well.

Interesting, Bug Hunter Tips and Tricks

Big Bugs Podcast Episode 3: $15K for IoT Device Takeover

Posted by Jason Haddix on Jun 27, 2016 12:17:50 PM

Today we published the third episode of our podcast series 'Big Bugs', hosted by me. In this episode, embedded in this post and available on SoundCloud, I am joined by special guest Adam Hartway of Digital Safety (DiSa) to explore a $15K bug uncovered in their winner-takes-all bug bounty program.

Interesting