August 2018 Summaries
10 posts from Bugcrowd
Filter
Month:
Year:
Post Summaries
Back to Blog
Traditional penetration testing has become less effective due to the rapid pace of application development and increasing data breaches. The traditional approach is often performed by a single person or team using standardized methodology, which may not be enough to find serious vulnerabilities given the vast number of adversaries. Additionally, traditional pen tests are periodic "point-in-time" exercises that leave new code untested for months, lack true insight into actual risk, and are not cost-effective. To address these pain points, crowdsourced security methods such as bug bounty programs have emerged, which leverage human intelligence at scale to deliver rapid discovery of high-risk vulnerabilities and provide constant coverage necessary in today's modern software development life cycle.
Aug 24, 2018
408 words in the original blog post.
The Apache Struts framework has been identified with a critical remote code execution vulnerability due to an unvalidated input injection into its expression language called OGNL, which is used by a few Java-based frameworks including itself and Spring Web Flow. The vulnerability was discovered in April 2022 and affects versions 2.3 to 2.3.24 and 2.5 to 2.5.16 of Struts. This bug has the potential for widespread impact as many web applications use Apache Struts, similar to the Equifax breach in 2017 which was caused by a similar vulnerability. It is highly recommended that anyone using Apache Struts patch immediately to prevent exploitation.
Aug 23, 2018
358 words in the original blog post.
Bugcrowd has announced its July 2018 Hall of Fame winners across three leaderboards, recognizing the hard work of its Researchers. A Private user topped the Total Points Leaderboard with 1912 points, while a Private user swept first place on the P1 P2 Paid Programs Leaderboard with 360 points. mert dominated the P1 P2 Unpaid Programs Leaderboard with 1750 points. The top performers will receive bonuses ranging from $500 to $1250, as Bugcrowd thanks its Researchers for their contributions to making the programs successful. High severity bugs can earn significant rewards and even invitees to private bounty programs.
Aug 21, 2018
325 words in the original blog post.
Team Blinkerydoo's experience at DEF CON was a learning curve for them, and they're excited to share their top lessons learned from designing and developing the #bugcrowdbadge. They sold out of badges raising $3,820 for Hackers for Charity, but also faced challenges such as power management, charging, and QA issues with their batteries. They'll consider selling more assembled badges next year to satisfy both kit buyers and those who prefer a ready-to-use badge. The team will also explore add-on ideas, random sales locations, and publicity strategies, and encourage collaboration on future badge challenges. Additionally, they learned the importance of teamwork, soldering skills, and sharing feedback with the community, and invite users to share their thoughts and suggestions for next year's badges.
Aug 20, 2018
1,311 words in the original blog post.
Organizations in nearly every industry are feeling pressure to deliver value faster, get to market ahead of the competition, and continuously improve their customer experience. For software applications built and deployed today, it is all about velocity and automation. This can lead to inconsistencies, vulnerabilities, and problems with upgrades and code review. Agile development has brought many advances, including faster iteration and software that quickly aligns with business needs, but maintaining a secure continuous deployment environment remains problematic for developers and security teams. Securing the continuous environment requires a mindset shift on every level. Companies are focused on driving revenue, yet limited security resources put all of this at risk. Integrating crowdsourced security into the software development lifecycle is an efficient approach to addressing this challenge. Crowdsourced security provides access to thousands of independent security researchers who can identify and report high-priority vulnerabilities to teams quickly. Bug bounty and vulnerability disclosure programs bring organizations continuous coverage, allowing them to test their apps continuously and gain peace of mind at a cost-effective rate. Fluid communication between security and development teams is critical for good application security, and integrating vulnerability data directly into developers' day-to-day workflow is essential for success.
Aug 15, 2018
403 words in the original blog post.
Bugcrowd is proud to recognize its top-performing researchers who have achieved MVP (Most Valuable Player) status for 2018, with a minimum average submission acceptance rate of 80% and an average submission priority between 1.0 and 2.99. The custom-designed logo reflects the names of these Researchers, who have made significant contributions to Bugcrowd's platform by approving submissions and maintaining high standards. This year's MVPs include Researchers who qualified for the third time, as well as those earning their first or second MVP status, with a total of 18 new Researchers added to the list, including those who preferred to remain anonymous. The recognition is part of Bugcrowd's efforts to highlight its partner researchers and reward their outstanding work.
Aug 10, 2018
424 words in the original blog post.
At Bugcrowd, we're launching Bugcrowd University, a free, open-source educational platform providing training and content for infosec professionals. The initiative is spearheaded by Jason Haddix, VP of Trust and Security, with support from his team. The first set of modules focuses on web hacking techniques and strategies, with links to other experts' content in the field. Bugcrowd aims to expand BCU with more content over time, encouraging feedback and community engagement through social media channels.
Aug 07, 2018
305 words in the original blog post.
The bug bounty economy is a rapidly growing field where companies engage with security researchers to identify vulnerabilities, but it poses legal risks for white hat hackers. The current lack of clear laws and regulations creates ambiguity, leading to chilling effects on the security researcher community. To address this issue, standardizing safe harbors and protocols for "good faith" security testing is crucial, requiring collaboration among companies, platforms, and security researchers. A new project called Disclose.io aims to provide a framework that expands on existing work to protect security researchers while establishing clear language for bug bounty programs, which has already been adopted by 19 companies. The success of this effort relies on the participation and collaboration of all stakeholders involved.
Aug 02, 2018
586 words in the original blog post.
Michael Jordan once said, “Champions are made, not born.” This statement emphasizes the importance of hard work and determination in achieving success. At Bugcrowd, researchers are considered champions due to their tireless efforts to deliver high-value contributions to customers. The current leaderboard system rewards top-performing researchers with cash rewards for their submissions. However, this system may overlook the diversity of research styles among contributors. To address this, Bugcrowd is introducing two new leaderboards that will display separate rankings for paid and kudos-only programs, providing additional ways for researchers to compare their skills and achievements. These leaderboards will also come with monthly cash bonuses, offering more opportunities for top performers to earn rewards.
Aug 02, 2018
376 words in the original blog post.
The Bugcrowd team has successfully created their first-ever DEF CON badge, which combines hardware hacking, firmware development, design, and a touch of Bugcrowd culture. The badge was initially conceived as an internal hackathon project but evolved to include multiple components, such as LEDs, IC chips, and software challenges. To make it more engaging, the team has incorporated a badge challenge with cash prizes for solving puzzles, aiming to promote collaboration among attendees and support Hackers for Charity. The badges will be sold throughout DEF CON, with all proceeds going to this organization.
Aug 01, 2018
382 words in the original blog post.