Home / Companies / Bugcrowd / Blog / October 2016

October 2016 Summaries

10 posts from Bugcrowd

Filter
Month: Year:
Post Summaries Back to Blog
There are many key performance indicators (KPIs) of a successful bug bounty program, some that matter more to program owners and others to researchers. At BugCrowd, they aim to align the importance of these KPIs between all parties to better understand what is most helpful and valuable to each. Response time is a critical metric for both maintaining a healthy program and keeping researchers engaged. A 'good' response time is typically within 14 days, with quicker responses being better, but realistically aiming for 4-5 business days is ideal. Consistently reviewing submissions quickly is crucial for the program's health and success, as it improves reputation, cuts through noise, and leads to better coverage by attracting top talent and encouraging continuous testing.
Oct 27, 2016 650 words in the original blog post.
Congratulations to Javidr & konkakarthik for their winning submissions in the researcher promotion focused on mobile targets, which saw 111 unique researchers report vulnerabilities in mobile targets across 30 different bounty programs, resulting in a 62% increase in mobile submissions and a 10% overall increase in the mobile crowd. The promotion aimed to eliminate misconceptions and barriers to entry for mobile testing by providing new resources for interested researchers.
Oct 25, 2016 153 words in the original blog post.
This summary provides a high-level overview of the approach taken by Bugcrowd top-ranked bug hunter Brett Buerhaus in approaching new bug bounties and writing bug submissions.
Oct 18, 2016 1,083 words in the original blog post.
In the bug bounty hunting community, time is a significant factor in participating in bug bounties, especially for those with full-time jobs and family commitments. Top hunters like Brett Buerhaus and Luke Young have found ways to balance their schedules by dedicating a few hours each night to hunting bugs. They emphasize the importance of passion, staying relevant and up-to-date on application security techniques, and making money as incentives. Many researchers view bug bounties as a hobby and a source of discretionary income, allowing them to control the amount of time they commit to it. Due to the first-to-find model, researchers have implemented tactics to minimize the risk of submitting duplicate bugs, such as targeting less popular programs, being creative in their approach, and focusing on critical issues. Successful hunters can earn significant amounts, with some making several hundred thousand dollars a year doing part-time bug bounty work.
Oct 17, 2016 1,299 words in the original blog post.
There is an increased adoption and accessibility of bug bounty programs among larger organizations, which has led to improved awareness of their value. However, concerns about the risks of running such programs remain, including putting a target on one's back, unknowns, unauthorized public disclosure, and perceived liability issues. To mitigate these risks, it's essential to operate with a clear understanding of the benefits and limitations of bug bounty programs, define a scope for testing, articulate what is and isn't acceptable, manage budget effectively, and have a plan in place for handling potential risks or incidents. Ultimately, many of these concerns are perceived rather than real, and running a bug bounty program can be a valuable security assessment method that outweighs the risks when done properly.
Oct 13, 2016 629 words in the original blog post.
You'll want to set up an environment that can withstand the load of researchers testing against it, anticipating at least hundreds of requests per second for an extended period. This means preparing your application and infrastructure to handle the surge in traffic, as well as being mindful of potential impacts on sensitive areas, such as contact forms that might direct users to internal teams. When deciding between a production or staging environment, consider factors like business objectives, capabilities, and sensitivities, weighing benefits like minimizing impact on production clients/users, protecting personally identifiable information, and testing the latest version of your application. Ultimately, choose an approach that aligns with your organization's needs and resources.
Oct 12, 2016 1,089 words in the original blog post.
The security community has been submitting Cross-Site Scripting (XSS) vulnerabilities for a long time, but despite its prevalence, XSS-fatigue has become a phenomenon where the industry has written off XSS as low-hanging fruit due to its longevity and the standardization of JavaScript pop-up or prompt box exploits. However, in reality, XSS is still a highly impactful vulnerability used in various exploit frameworks, including ransomware attacks, nation-state attacks, and more. Bugcrowd's classifications of XSS have shown that these vulnerabilities can have significant impacts, such as account takeover via session hijacking, full password reset, privilege escalation, remote code execution, and control over internal networks. Despite the perceived low-hanging fruit nature of XSS, these examples demonstrate its real-world impact and importance in the security community.
Oct 10, 2016 985 words in the original blog post.
Bugcrowd has expanded its bug bounty programs to include thick client applications, offering a range of targets such as web and mobile apps, APIs, IoT devices, and even cars. The company is running a promotion for submitting vulnerabilities in thick client applications between October 1st and December 31st, with four $500 cash prizes up for grabs. Researchers can participate by emailing [email protected] to express their interest and receive guidance on getting started. Bugcrowd also provides online resources and recommendations for thick client software testing, including books and a CTF challenge.
Oct 07, 2016 423 words in the original blog post.
We take the security research community seriously and appreciate their participation in Bugcrowd programs, reviewing submissions with respect and setting researchers up for success throughout the review process. The average time to triage a submission is expected to be less than 7 business days, and providing clear reports can help minimize processing time. Researchers are encouraged to communicate effectively with program owners and the Bugcrowd ASE team, avoiding unnecessary messages or aggressive behavior. In cases where the review process is not followed as planned, researchers can politely inquire about the status of their report and escalate issues to [email protected] if necessary. The goal is to maintain a healthy working relationship with program owners while ensuring that submissions are handled fairly and respectfully.
Oct 05, 2016 834 words in the original blog post.
In recent months, bug bounties have gained popularity among enterprise organizations, sparking discussions about their effectiveness and limitations. While automation can find many vulnerabilities, it has its limitations and crowdsourcing is a more effective way to bring human creativity into the mix. Bug bounty programs can produce high-quality findings, often within 24 hours of launch, and are not just a quick fix but rather a valuable tool for improving security. Despite common misconceptions, bug bounties have evolved and are now a recognized part of many organizations' security strategies.
Oct 04, 2016 976 words in the original blog post.