May 2016 Summaries
9 posts from Bugcrowd
Filter
Month:
Year:
Post Summaries
Back to Blog
I've recorded a podcast discussion with Frans Rosen, founder of Detectify and active bug bounty hunter, to share our experiences in the security community and discuss best practices for other hackers. I got my start in security through building relationships within the industry, which has made this job very rewarding and enjoyable. Frans shared stories from his early days as a bug bounty hunter, including first reports that resulted in big payouts, and discussed common traits and skills of top hunters. He also gave an inside look at what it's like to work for a company that runs bug bounties for others.
May 31, 2016
196 words in the original blog post.
This morning we released the second episode of our new podcast series ‘Big Bugs’ hosted by me. I discuss the detection and remediation timeline of the widespread bug in the image processing suite, ImageMagick, as well as its implications for developers and researchers. The bug, known as ImageTragick, has been detected using tools like Burp Check, and various alternatives to ImageMagick have been suggested, including Compressor.io, Imgix, Cloudinary, and more. I also explore the impact of this vulnerability on WordPress sites, highlighting potential risks and solutions. If you're interested in learning more about this bug and how to protect yourself, check out the resources listed below, including links to articles from reputable sources like Softpedia and InfoSec Institute.
May 27, 2016
156 words in the original blog post.
When coming across a *.target.com scope, it's often beneficial to explore less-traveled applications running on unusual subdomains to uncover critical vulnerabilities and potential high payouts. Various techniques can be employed for subdomain discovery, including utilizing public resources such as search engines or scanning IP blocks and doing reverse lookups. One popular method is using Google Dorks to filter results, while other tools like Virustotal, DNSDumpster, and Shodan provide extensive information on subdomains. Bruteforce techniques can also be effective in discovering subdomains, with various tools available for automation, such as Subbrute, dnscan, Nmap, and Recon-Ng. A script called Enumall.sh can automate the process of harvesting subdomains from public resources and bruteforcing them, utilizing a combination of Google scraping, Bing scraping, Baidu scraping, Netcraft, and the SecLists project subdomain list.
May 26, 2016
903 words in the original blog post.
Fuzzybear, a Bugcrowd community leader, has been actively participating in bug bounty programs and has achieved impressive results, including finding 65 bugs on Bugcrowd. He attributes his success to continuous learning about new vulnerabilities and manual analysis before automating tasks. Fuzzybear emphasizes the importance of staying curious and not ignoring unusual findings. He hopes that as the popularity of bug bounties grows, it will lead to a shift in how companies approach security, with greater transparency and financial rewards for collaboration with the security community.
May 18, 2016
599 words in the original blog post.
At the beginning of this year, Bugcrowd released its "Defensive Vulnerability Pricing Model" that sets market rates for security vulnerabilities by criticality, providing guidance on budgeting for crowdsourced security programs and attracting top talent. This model is informed by tens of thousands of vulnerability submissions and years of running public and private crowdsourced security programs, and has already started to be adopted by organizations. The goal of this model is to facilitate more payouts to crowdworkers, increasing activity and engagement, and ultimately providing more value for organizations committed to building secure products. By advocating for competitive bug payouts and encouraging companies to reward appropriately, Bugcrowd aims to increase motivation and activity amongst the crowd, as seen in the success story of Jet.com, which has aligned its rewards with the suggested rates. The model is a living document that will be reassessed quarterly to ensure it remains fair and competitive.
May 17, 2016
530 words in the original blog post.
The financial sector is a prime target for cyber attacks due to the sensitive and valuable information held by banks and financial institutions. The industry has seen a significant rise in web application attacks, with 82% of all web app attacks targeting financial services organizations, up from 31% in 2015. In response, financial institutions are increasingly adopting crowdsourced application security testing programs, with a 400% increase over the past three years, and reporting higher payouts per bug, on average $323. These private bounty programs offer benefits such as access to controlled testing environments and sensitive data testing, which are valued by organizations like Western Union, which has seen success in harnessing the volume, diversity, and quality of a crowdsourced security testing crowd.
May 11, 2016
604 words in the original blog post.
Mico, a skilled security researcher, has been actively contributing to Bugcrowd's leaderboard with over 1926 kudos points, having found 266 bugs and achieving a 91% acceptance rate. Mico's journey in technology began at school around 2009 when he first started using computers for research and later became interested in graphic design before transitioning into learning programming skills. He discovered his passion for security research after the Sony hack in 2014 and has been actively participating in bug bounty programs since signing up on Bugcrowd in January 2015, with a goal of progressing to web application penetration testing roles in the future. Mico's motivation stems from the process of learning and the thrill of discovering vulnerabilities, and he offers tips such as reading vulnerability write-ups, downloading vulnerable VMs, and using social media to connect with other researchers. He believes that bug bounties will continue to gain popularity as companies recognize the value of crowd-sourced security testing.
May 10, 2016
695 words in the original blog post.
Mongo topped the April leaderboard with 1039 points earned through multiple P1 submissions, earning a $2500 bonus. Researchers blum and Nikaiw also received bonuses for their performance, with scores of 746 and 465 points respectively, worth $1500 and $1000. High severity bugs that result in critical security impact can earn the most kudos points, potentially leading to faster invitations to private bounty programs. A current contest is running for mobile researchers, where valid submissions will be entered into a raffle to win $1000, with multiple entries possible depending on the number of valid bugs submitted.
May 04, 2016
315 words in the original blog post.
A bounty program's scope is crucial for its success, as it determines what can and cannot be tested by researchers, thereby ensuring they test only the desired aspects of an organization's application or service. It's essential to avoid ambiguity in the scope, as this can lead to misguided researchers testing outside the intended boundaries, wasting time and resources. A clear scope also requires understanding one's attack surface, which involves knowing what parts of the application are vulnerable to attacks. By prioritizing targets intentionally, organizations can ensure that researchers focus on the most critical aspects of their application or service, ultimately leading to more effective testing and better security outcomes.
May 02, 2016
1,296 words in the original blog post.