Home / Companies / Bugcrowd / Blog / March 2016

March 2016 Summaries

7 posts from Bugcrowd

Filter
Month: Year:
Post Summaries Back to Blog
The Bugcrowd Vulnerability Rating Taxonomy (VRT) has been updated to provide additional granularity for Cross-Site Scripting (XSS) entries, capturing priority variations for XSS within applications with multiple user privilege levels. Understanding the context of both the attacker and victim is essential in determining an appropriate priority value, as situations where a lower privilege user can XSS a higher privilege user have the most severe impact. The update reflects insights from feedback received over a month ago, including new scenarios that led to the implementation, such as Stored XSS with non-admin attacking anyone and Reflected XSS with admin attacking anyone. The VRT is meant to convey a baseline suggestion, and ultimately, the final decision regarding a bug's priority is up to the client.
Mar 25, 2016 292 words in the original blog post.
As a CISO or Director of Security, breaking down silos and amplifying feedback loops are crucial to succeeding in their role. Silos exist due to the nature of the role, with security often reporting to non-security departments, but can be broken down functionally by approaching development and engineering along with operations and QA with empathy. Amplifying feedback loops involves creating right-to-left feedback loops, shortening and amplifying all feedback loops to continually make corrections, understanding and responding to customers, internal and external, embedding knowledge where needed, and encouraging the importance of security through real-time dialogue with development teams. Two modern approaches to achieve this are creating bug bounty programs and instrumenting web runtime with NextGen Web App Firewalls (NGWAF), which provide visibility across the organization, reinforce feedback loops, and integrate with existing tooling, helping InfoSec teams integrate into the organization and build more secure products, services, and teams.
Mar 24, 2016 1,804 words in the original blog post.
Crowdcontrol now supports file uploads of all sizes and formats, including video files, to expedite the vulnerability validation process for researchers working on private or public programs. A new "Attach a File" link has been added at the bottom of comment boxes, allowing users to easily upload files to comments. Researchers can upload multiple files to a single reply before sending the comment, and customers will receive attachments in the activity feed located at the bottom of vulnerability reports. The uploaded files can be downloaded by clicking on the attachment text, providing an enhanced way for researchers to share details or replication steps of vulnerabilities found during crowdsourced security programs.
Mar 19, 2016 248 words in the original blog post.
This is an excerpt from "A Bounty of Security" originally posted on the Indeed Engineering Blog by Gregory Caswell. Indeed prioritizes keeping job seekers' information safe and secure as it develops its services. The company recognizes that hackers will always try to bypass security measures, so it creates a bug bounty program to attract security experts who can help improve its systems. By offering rewards of up to $5,000 for critical bugs, Indeed aims to encourage responsible disclosure and reduce coercive behavior from individuals seeking payment upfront. The company uses Bugcrowd.com as an impartial arbiter to fairly assess the severity of bugs and provide rewards without abuse, ensuring a mutually beneficial collaboration between security researchers and Indeed.
Mar 18, 2016 443 words in the original blog post.
Bugcrowd has announced its February 2016 Hall of Fame winners, recognizing top performers who earned significant points through P1 and P2 submissions, with mongo earning the most points. To reward their efforts, Bugcrowd is providing bonuses to researchers who topped the leaderboard, including mongo, Private, and PatrikF. The platform emphasizes the importance of submitting high-severity bugs to earn more rewards and potentially gain access to private bounty programs faster.
Mar 17, 2016 215 words in the original blog post.
The Bugcrowd community has grown to over 25,000 researchers, with a significant presence on Twitter, having surpassed 10,000 followers. The company hosted various events and conferences, including RSA Conference, where they showcased their research and had notable speakers such as Rami Malek, who is a fan of the community. Bugcrowd also invested in their researcher community, with over 300 talks, sessions, and briefings held during the conference. The company's growth and engagement were recognized through various awards and recognitions, including the RSA Conference Lifetime Achievement Award for Art Coviello. Additionally, Bugcrowd was involved in several trending news topics, including cyberpathogens and bug bounty programs, which demonstrate their commitment to security research and collaboration with industries.
Mar 09, 2016 774 words in the original blog post.
The Bugcrowd community was recognized at their First Annual Buggy Awards, hosted by Casey Ellis, Abby Mulligan, and Kymberlee Price, for outstanding contributions to bug bounty programs in 2015. The top public bounty program with the fastest response time went to Fitbit, while Tesla Motors won the award for researchers' choice due to its well-regarded reward payouts, communication, and interesting targets. Three individuals were awarded as top bug hunters: Vishnu_Vardhan_Reddy for responsible disclosure champion, Nahamsec for most P1's, and Harie_cool for most valuable hacker.
Mar 07, 2016 1,057 words in the original blog post.