June 2018 Summaries
12 posts from Bugcrowd
Filter
Month:
Year:
Post Summaries
Back to Blog
The process of integrating application security into Jira for developers involves various use cases such as the centralized Jira Security Project, In Developer Jira Projects, and Hybrid models, each with their own set of pros and cons. To facilitate this integration, Bugcrowd offers features like automatic ticket creation, multi-project support, and customizable field configurations to respect developer notes and maintain accountability. A partnership between engineering and security teams is crucial for successful integration, and Bugcrowd supports various Jira project configurations to meet the needs of different organizations.
Jun 29, 2018
640 words in the original blog post.
Vulnerability Remediation Advice is a new feature on Crowdcontrol that aims to bridge the gap between Development and Security teams by providing guidance for secure coding methodologies. This feature enables developers to quickly fix vulnerabilities, minimize time to market, and improve their ability to create secure code in the future. With better insight and guidance, developers can accelerate the remediation process, reducing business risk and operational overhead. The new feature includes remediation advice for every validated vulnerability submission and provides training tools to advance developer knowledge of securing code.
Jun 28, 2018
272 words in the original blog post.
Overstock.com is launching a public vulnerability disclosure program through the Bugcrowd platform to improve the security and stability of its online shopping experience. The program will allow a global community of researchers to report security issues to Overstock's IT Security team, helping to maintain customer trust. This move is part of the company's ongoing efforts to engage with the security community and participate in private bug bounty programs.
Jun 28, 2018
141 words in the original blog post.
Bugcrowd has been managing bug bounty programs for 6 years and has a team of diverse industry professionals with various backgrounds who validate and triage bugs on customer's programs, ensuring qualified and experienced team members are involved in the process. The company operates on a first-to-find basis and provides transparency through its Crowdcontrol dashboard, allowing customers to see all interactions and vulnerabilities. The Security Operations team consists of high-trust security professionals, both background-checked and under NDA, with most being US-based. Bugcrowd prioritizes triage accuracy, with an acceptance rate post-triage to submission resolution of ~92%, and provides a clear process for handling concerns or escalations, including open channels of communication and arbitration.
Jun 27, 2018
819 words in the original blog post.
The term "hacker" is often associated with malicious cybercriminals, but in reality, it refers to a broader group of people who are experts at programming and solving problems with computers. The word has been misused over time, leading to a semantic problem that makes it difficult for good hackers to be recognized as such. To address this issue, companies like Bugcrowd are working to educate the market on the difference between hackers and cybercriminals, promoting a culture of innovation and problem-solving. This approach is exemplified by the "thinking like a hacker" philosophy, which values creative solutions and unique innovative ways of achieving success.
Jun 25, 2018
514 words in the original blog post.
Upwork prioritizes data security to ensure its freelancers and clients can focus on work. The company has launched a public bug bounty program on the Crowdcontrol platform, working with Bugcrowd to tap into a global community of security researchers. This partnership aims to enhance the overall security of Upwork's products and build trust among customers.
Jun 19, 2018
196 words in the original blog post.
I had a great time attending the Gartner Security and Risk Management conference in Washington DC, where I was able to hear from industry experts on various topics including application security. Application security is indeed complicated due to the rapid change in deployment models and the need for enterprises to adopt multiple approaches such as legacy, VMs, containers, and serverless computing. The trend of integrating security with agile/DevOps style development, known as DevSecOps, is gaining momentum, with a focus on shifting security left into the development process. Additionally, crowdsourced security through bug bounty programs is becoming increasingly mainstream, offering an alternative approach to traditional penetration testing methods. As a result, infrastructure-based controls are becoming less relevant, and the focus is shifting towards securing APIs and other application-level vulnerabilities.
Jun 18, 2018
433 words in the original blog post.
Bug bounty programs can be challenging to manage, with tasks such as responding to hundreds of vulnerability submissions weekly and paying researchers. However, managed bug bounty solutions with a third-party provider like Bugcrowd can take much of the legwork out of running a program, offering powerful platforms and dedicated support. These platforms provide features such as customizable bounty briefs, triage engines, centralized communication, seamless payments, and insightful reporting to help security teams manage their programs effectively. Additionally, Bugcrowd's team of application security experts and vulnerability disclosure space leaders offer pre-launch consulting, promotion services, bug validation and triage, and ongoing maintenance to ensure program success.
Jun 15, 2018
776 words in the original blog post.
Bugcrowd is excited to attend Hacker Summer Camp in Las Vegas and showcase their work, with activities including conference talks, hospitality suites, parties, and surprises. The company will be hosting live presentations at their booth, where attendees can learn about crowdsourced security and bug hunting methodologies. Bugcrowd will also host a "Meet the ASEs" panel event on August 11, and offer various events throughout the week, such as the Risky Biz Party, Level Up Party, BJJ Smackdown, and House Party. These events are open to the public and provide opportunities for attendees to connect with Bugcrowd's researchers and executives.
Jun 14, 2018
826 words in the original blog post.
Bug bounty programs are often misunderstood and perceived as costly and difficult to budget for, but with careful planning and a thoughtful approach, organizations can easily control their budget. This involves articulating the scope of the program through a bounty brief, deciding how to run the program by choosing between private or public engagement and time-boxed testing, and determining an incentive program that suits the organization's needs. By tailoring these elements, organizations can maximize the success of their bug bounty program, minimize unknown variables such as cost, and ensure its effectiveness in catching vulnerabilities that slip through traditional testing methods.
Jun 08, 2018
841 words in the original blog post.
The Bugcrowd 2018 State of Bug Bounty Report highlights the growing crowdsourced security market, with a significant increase in vulnerabilities and payouts to hackers. The report shows that the total number of vulnerabilities submitted increased by 21% from last year, resulting in higher average payouts. Cross-Site Scripting (XSS) Reflected scripting remains the most common vulnerability type, while critical vulnerabilities make up 7% of all valid vulnerabilities. The report emphasizes the importance of awareness and information about disclosed vulnerabilities for security professionals to assess risk effectively. Ultimately, the report reinforces that the crowd is unparalleled in identifying risks, providing a safer internet as a result of more engaged hackers working together.
Jun 06, 2018
495 words in the original blog post.
Bug bounties have gained significant traction in recent years, but many misconceptions and misunderstandings persist. Contrary to popular belief, bug bounties do not only yield low-value results; instead, they can discover high-impact vulnerabilities that are often overlooked by traditional security assessment methods such as penetration testing and vulnerability scanners. The diversity of researcher demographics and motivations in bug bounty programs leads to a broader range of vulnerabilities being discovered than these traditional methods. Furthermore, bug bounties have been found to produce both a wide breadth and incredibly high-value vulnerabilities, making them an effective way to fill the gap left by automation in security assessment. By working with a diverse crowd of talented individuals, companies can achieve unprecedented results in their private and public bug bounty programs.
Jun 01, 2018
485 words in the original blog post.