If you’re reading this article, statistically speaking your organization might be getting hacked. Data breaches of U.S. government networks, once novel, have become pervasive over the past year. Take it from the Office of Personnel Management (OPM) or the IRS – no one is safe anymore. In private sector, the Equifax hack and Intel’s processor vulnerabilities have hit mainstream media by storm. The question needs to be asked: are we doing enough to protect our nation’s assets against malicious attacks?
My career has taken me on an incredible journey. From being a commissioned officer in the Navy and serving in Operations Enduring and Iraqi Freedom, to Apple to the Pentagon, I’ve spent the better part of my life following and homing in on my passion. That’s what brings me here, to Bugcrowd.
Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Google’s Project Zero has provided exploits that work against real software.
2017 was a year for the books. The Equifax breach, the third Yahoo! breach, the Uber breach -- today nearly every American has been impacted by the loss of personally identifiable information (PII) data. And the threat continues to rise.
In the last installment of The Personalities that Put the “Crowd” in Bugcrowd (Part 2 of 3), I discussed the “Full-Timer” and “Virtuoso” personality types as part of the five distinct personalities that make up our crowd of nearly 70,000 security researchers. As stated previously, it's important to understand researcher motivations if you intend to run a successful bug bounty program. And to that end, I will be covering the final personality type in this post: the “Protector”. If you want to learn more about all five personalities - along with other interesting data and metrics about our crowd - check out our Inside the Mind of a Hacker 2.0 report. With that - let’s dive in!
Previously, in The Personalities that Put the “Crowd” in Bugcrowd (Part 1 of 3), I covered both the “Knowledge-Seeker” and “Hobbyist” personality types as part of the five distinct personalities that make up our crowd of over 65,000 security researchers. In order for companies to run successful bug bounty programs, it's important to understand researcher motivations - and to that end I will be covering the next two personality types in this post: those being “Full-Timer” and “Virtuoso”. If you want to learn more about all five personalities, along with other interesting data and metrics about our crowd - check out our Inside the Mind of a Hacker 2.0 report. And with that, let’s dive right in!
Crowdsourced security testing and vulnerability disclosure programs require the right combination of policy, resources, and support to be successful. Bugcrowd's leading platform and team bring years of experience facilitating success with whiteglove management of these programs. From the policy design, launch, and submission management our Operations team is a close partner of our talented researcher community and customers.
Last week, David Baker (Bugcrowd’s Chief Security Officer) released a blog post discussing why it's important to understand researcher motivations in order to run a successful bug bounty program. Furthermore - to enable current and future customers to get a better handle on what drives security researchers at Bugcrowd - we released the Inside the Mind of a Hacker (version 2.0) report covering a broad range of metrics around who the Crowd is comprised of; including data on age, level of education, geographic location, and most importantly - what motivates us (and I use the term “us”, because I myself am a security researcher on Bugcrowd).
What we know so far
Earlier today it was publicly disclosed that Apple’s MacOS High Sierra contains a trivially-exploitable flaw, which allows malicious individuals to generate a persistent root access account to your system. It is not readily apparent whether or not this vulnerability is remotely exploitable, but out an of abundance of caution there are several steps you can take immediately to protect your system.
The bug bounty market is growing quickly. While an increasing number of organizations are embracing the concept, there still remains some confusion and ambiguity around paying hackers for vulnerabilities. Events like recently disclosed Uber breach illustrate this confusion. I’ll take this opportunity to clarify and define this rapidly evolving market.