Home / Companies / Bugcrowd / Blog / January 2018

January 2018 Summaries

9 posts from Bugcrowd

Filter
Month: Year:
Post Summaries Back to Blog
In the final quarter of 2017, Bugcrowd engineers identified areas where submission data was not correctly updating. They resolved issues with duplicate submissions and corrected kudos point values for non-duplicate submissions. The changes ensure that updated information from original reports is accurately reflected in subsequent submissions, including VRT categorization, CVSS scores, and target priorities. Bugcrowd has maintained transparency throughout the process, contacting affected researchers before making any adjustments to their kudos points. The company continues to value transparency and encourages users to reach out with questions or follow them on social media for updates.
Jan 30, 2018 148 words in the original blog post.
In 2017, Bugcrowd's researcher community experienced significant growth, with a 32% increase in rewarded submissions and a 25% boost to average rewards. The MVP program recognized 145 researchers who qualified for the program, earning over $3 million in total payouts. Researchers must meet specific requirements, including an average submission acceptance rate of at least 80%, average submission priority between 1.0 and 2.99, and a minimum of 10 qualifying submissions. The program is now open to all researchers for 2018, with new requirements including no significant enforcement infractions in the prior six months. Researchers who meet these requirements will be awarded a year-end bonus in January following their qualification year.
Jan 25, 2018 488 words in the original blog post.
The Uber data breach, which involved 57 million driver and rider accounts being stolen and kept secret for over a year, raises significant ethical concerns regarding bug bounty programs and cybersecurity. The company's payment to the hackers, disguised as a bug bounty, creates confusion about what constitutes a legitimate bug bounty payment. This incident highlights the importance of clear scope, guidelines, and managed processes in bug bounty programs. Additionally, Uber may have violated FTC rules on breach disclosure and state laws by not disclosing the theft of driver data. The incident also underscores the need for organizations to prioritize transparency and responsible disclosure in the face of cybersecurity threats. The bug bounty community is actively addressing these issues and will be hosting a webinar to discuss further.
Jan 24, 2018 554 words in the original blog post.
We have recognized the pain point of managing vulnerability reports in-house and have committed to providing full-scale bug bounty support and services since day one. Our platform provides expert technical review and escalation of valid vulnerability submissions, as well as facilitation of researcher communications crucial for detailed reports and high engagement. We respond quickly to every submission, with an average time to first response of under 24 hours for critical vulnerabilities and payouts that are industry leading. Our team has streamlined the process, decreasing the first-touch response by 21% and time to validate vulnerabilities by 11%, while maintaining a high level of signal for customers across all managed programs. With vulnerability submissions on the rise, our managed approach continues to be the most efficient solution, reducing required time and effort by at least 80% for our customers.
Jan 22, 2018 562 words in the original blog post.
The National Institute of Standard Technology's (NIST) cybersecurity framework has released a revision (1.1, Draft 2) that includes vulnerability disclosure processes as part of the Framework Core. This addition is a result of an industry effort and was prompted by organizations such as Rapid7, Duo Security, Cisco, Symantec, and Bugcrowd. The revised framework now requires processes to be established for receiving, analyzing, and responding to vulnerabilities disclosed from internal and external sources, including security researchers. This move is seen as a positive step forward in the fight against cyber attacks and is supported by the White House's Federal IT Modernization Report, which positions vulnerability disclosure as the best-practice approach to external security testing for the U.S. Government.
Jan 18, 2018 396 words in the original blog post.
The author is concerned about the increasing number of data breaches in various organizations, including government networks and private sector companies. They believe that proactive measures should be taken to protect against malicious attacks, such as running vulnerability disclosure programs and bug bounties with the help of skilled hackers and researchers. The IT Modernization Plan aims to overhaul legacy systems and improve security through modern technology and DevOps processes, which includes leveraging bug bounties to identify vulnerabilities before they are exploited by enemy nation states or hackers. The author hopes that more government agencies will adopt similar programs and partner with companies like Bugcrowd to support them, in order to spread private sector knowledge at scale.
Jan 11, 2018 452 words in the original blog post.
As a seasoned security expert with extensive experience running bug bounty programs for the Department of Defense, I've witnessed firsthand the power of crowdsourced security testing and the need to protect our increasingly vulnerable digital landscape. The internet has created a new frontier that requires us to not only consider cyber threats but also to shore up and secure it. Companies like Bugcrowd bring together skilled hackers with organizations and government agencies to help identify vulnerabilities, providing an opportunity for hackers to make a living while improving security. I'm excited to join Bugcrowd and help grow the business in the public sector while promoting ethical hacking and shoring up the security of our daily services.
Jan 09, 2018 485 words in the original blog post.
The bug bounty space is expected to expand globally in 2018, with more companies adopting programs across various industries and company sizes. This growth is driven by the maturation of the model and a growing focus on security, particularly in Europe following the implementation of GDPR. Researchers predict that 2018 will see increased engagement from white-hat hackers, with a focus on personal engagements between companies and their top hunters, as well as corporate events. Hacker motivations are expected to remain driven by notoriety, autonomy, self-respect, power, money, breaking new technologies, and challenging targets such as mobile apps and cryptocurrencies. The industry at most risk for cyberattack is predicted to be financial, due to its high value of sensitive data and access to funds.
Jan 05, 2018 619 words in the original blog post.
Today, Bugcrowd is recognizing its top December 2017 winners, with todayisnew taking the first place, followed by S4thi5h and mongo in third. To reward their efforts, Bugcrowd is awarding bonuses to these top performers. The amount of bonus varies based on the points earned, with todayisnew receiving $2,500 for 654 points, while S4thi5h and mongo received $1,500 and $1,000 respectively. High-severity bugs that result in critical security impact are given more kudos points, not only rewarding the researchers but also increasing their chances of getting invited to private bounty programs faster.
Jan 04, 2018 197 words in the original blog post.