Bugcrowd Blog

A Look Inside: Bug Bounties vs. Penetration Testing

Posted by Casey Ellis on Apr 19, 2017 1:01:19 PM

Can bug bounty programs replace penetration tests?

This question has come up a lot in the past several months and today we released a guide that begins to answer it.


New Industry Report: 2017 CISO Investment Blueprint

Posted by Jason Haddix on Jan 31, 2017 6:00:00 AM

What are CISOs concerned about in application security for 2017?

What are their spending and resource allocation priorities?

What does the modern-day appsec landscape look like?

At the end of 2016 we surveyed some security industry leaders to get their thoughts on the current state of application security and what is to come for appsec organizations over the next twelve months. We discovered that application security organizations are at a steep disadvantage and their current positions may not be enough to keep up with modern attackers:

Bug Bounty Myth #7: Bounty programs are too hard to manage

Posted by Payton O'Neal on Dec 6, 2016 8:45:00 AM

Over the past months, we’ve addressed the bug bounty misconceptions outlined in our recent guide, 7 Bug Bounty Myths, Busted. So far we’ve...

Today we're taking a look at what it really takes to manage a bug bounty program in our last post in this series...


Bug Bounty Myth #6: Bug Bounties are too costly and hard to budget for.

Posted by Payton O'Neal on Nov 29, 2016 10:52:27 AM

In the past several weeks, we’ve been addressing the bug bounty misconceptions in our guide, 7 Bug Bounty Myths, Busted. So far we’ve...

Today we’re talking logistics around budget.


Bug Bounty Myth #5: They don’t yield high value results.

Posted by Payton O'Neal on Nov 23, 2016 10:39:58 AM

Although bug bounties have gained incredible traction over the past year, many people still have questions and misunderstandings about what they are and how they work.

In the past several weeks, we’ve been addressing some of those misconceptions in our guide, 7 Bug Bounty Myths, Busted. So far we’ve...

Today we’re getting down to what it’s all about… the results.

Myth #5: Bug bounties don’t yield high-value results.


Bug Bounty Myth #3: Running a Bug Bounty Program is Too Risky

Posted by Payton O'Neal on Nov 8, 2016 10:37:20 AM

In our recently released guide, 7 Bug Bounty Myths, Busted, we addressed some common misconceptions about the bug bounty model and bug bounty programs. We're spending some time each week to take a deeper dive into those myths one by one. We started by addressing the misconception that bug bounty programs are all public and open to everyone, and last week we discussed the types of companies engaging with the bug bounty model. This week, we’re talking about risk...


Bug Bounty Myth #2: Only Tech Companies Run Bug Bounties

Posted by Payton O'Neal on Nov 2, 2016 2:33:32 PM

In our recently released guide, 7 Bug Bounty Myths, Busted, we addressed some common misconceptions about the bug bounty model and bug bounty programs. We're spending some time each week to take a deeper dive into those myths one by one. Last week we talked about the misconception that bug bounties are all public and open to everyone. Today, we're addressing a related misconception regarding the types of companies engaging with the bug bounty model.

Myth #2: Only tech companies run bug bounty programs

By taking a quick look at our public programs page, our customers page, and our ‘List’ page, it’s clear that this isn't true.


Bug Bounty Myth #1: All Bug Bounty Programs are 'Public'

Posted by Payton O'Neal on Oct 26, 2016 12:17:29 PM

Throughout this year, bug bounties have hit an all-time high in the news, and are well on their way to becoming non-negotiable parts of mature security organizations. Because of that buzz and the positive traction the bug bounty space is seeing, it’s easy for us to forget that this is still a new and novel approach to security that not everyone fully understands. That’s why we’ve put our ears to the ground to pick up on some commonly held misconceptions about how they work, why they work, and for whom they’re ideal.


Inside the Mind of a Hacker: Bugcrowd's 2016 Bug Hunter Community Report

Posted by Sam Houston on Sep 29, 2016 9:59:00 AM

Over the past four years that we've been helping organizations connect with the world's top security talent to run crowdsourced security programs, a lot has changed. In our recent State of Bug Bounty Report, we examine that change with proof that more traditional organizations are adopting the bug bounty model, more private programs are being run, and so on.

The crux of that change, however, lies in the community. Whether you call them hackers, bug hunters, or security researchers, they make the bug bounty world go 'round. As this niche grows and evolves from the small group it once was, it is becoming more nuanced, and the motivations of bug hunters vary widely.


Bugcrowd's 2nd Annual State of Bug Bounty Report - A Note from the CEO

Posted by Casey Ellis on Jun 8, 2016 8:45:37 AM

Bugcrowd has always held education and sharing as a core value, which is why I’m very pleased to announce the release of our second annual State of Bug Bounty Report.

This 22-page document gives the reader an up-close and personal look at the evolving dynamics of the bug bounty market, and deeper insight into the early stages of the “unlikely romance” blossoming between hackers and organizations.
