October 2018 Summaries
13 posts from Bugcrowd
Filter
Month:
Year:
Post Summaries
Back to Blog
The Bugcrowd team hosted a two-day Car Hacking Bug Bash event in Louisville, Kentucky, bringing together the world's top car hackers to search for vulnerabilities in cars that might be present in garages today. The event provided direct access to technology and security teams, resulting in high-severity bug discoveries and $15,000+ payouts. The combination of diverse hacker experiences led to exciting collaborations and finds, with multiple events planned in cities across the globe over the coming year. A recent Bugcrowd University hackathon also took place at the Cal Poly Cybersecurity Institute, focusing on Arlo products and featuring top researchers and students.
Oct 31, 2018
565 words in the original blog post.
This week, Bugcrowd is cutting the ribbon at Cal Poly's California Cybersecurity Institute in San Luis Obispo, donating an IoT Lab along with Arlo to support cybersecurity training. Reina Staley, Chief of Staff and Co-founder of the Defense Digital Service, will lead a presentation alongside CCI, Arlo, and Bugcrowd leadership. The event marks the kickoff to a two-day Bug Bash, where experts will collaborate with students and members of the National Guard to identify vulnerabilities in various IoT devices, including Arlo products.
Oct 30, 2018
312 words in the original blog post.
Cyber threats pose a significant risk to individuals and organizations alike, making it essential to understand how they occur and take measures to prevent them. The biggest hacks involve exploiting vulnerable assumptions, such as trusting client-side input or storing sensitive credentials in plain sight. These vulnerabilities can be mitigated by separating responsibilities, validating expected input server-side, and controlling sensitive secrets across development teams. By being aware of these risks and taking proactive steps, individuals and organizations can protect themselves from cyber threats and make the internet a safer place.
Oct 26, 2018
599 words in the original blog post.
The Trinity wallet bug bounty program is now open to the public, allowing security researchers from around the world to participate and potentially earn a bounty by discovering bugs in the wallet. The program follows the successful private beta with Bugcrowd, which was run for five months, and aims to make the Trinity Wallet the safest it can be. The IOTA Foundation has focused on security throughout the development process of the wallet, but recognizes that security is an ongoing process and encourages community engagement to help improve the product.
Oct 24, 2018
242 words in the original blog post.
The Department of Defense has awarded Bugcrowd a contract to expand its "Hack the Pentagon" Crowdsourced Digital Defense Program, which aims to boost the Pentagon's security posture by leveraging crowdsourced security programs and expanded bug bounties. The program enables the DoD to assess a broader range of assets, including hardware and physical systems, and bring valuable new security perspectives to combat adversaries. Bugcrowd has provided similar services to leading organizations across 50 industries and in 30 countries since 2012, and this new contract further demonstrates the power of crowdsourced security as a force multiplier to solve real-world cybersecurity issues.
Oct 24, 2018
464 words in the original blog post.
The Bugcrowd team has recently made significant improvements to the Insights dashboard, a key feature of their bug bounty services, aimed at enhancing customization options for searching submissions, reporting, and analyzing data. The new Intuitive Submission Search feature allows users to filter and sort submissions by various details, streamlining the triaging process. This update builds upon existing Crowdcontrol enhancements, providing valuable insights into submission trends, program performance, bounty spending, and custom reporting capabilities.
Oct 18, 2018
516 words in the original blog post.
As a major email service provider, Mailgun recognized the importance of security in their business, particularly when handling large volumes of email for prominent brands. To address this, they partnered with Bugcrowd to leverage crowdsourced testing and improve the quality of their bug reports. This collaboration has enabled Mailgun to accelerate their turnaround time for fixes, prioritize issues more efficiently, and gain fresh perspectives from external researchers. With a public partnership announcement, Mailgun is now inviting developers to participate in their security vulnerability program, offering rewards ranging from $100 to $1,500.
Oct 18, 2018
370 words in the original blog post.
Bugcrowd has announced its September 2018 Hall of Fame winners, honoring top performers on previous leaderboards that were removed in early October. A todayisnew topped the Total Points Leaderboard with 8827 points, while Mrpeuch won the P1 P2 Paid Program Leaderboard with 445 points and HackerHero took first place on the P1 P2 Unpaid Programs Leaderboard with 3425 points. Bugcrowd is awarding bonuses to top performers, ranging from $750 for second place to $500 for third place. The company thanks its researchers for their hard work and encourages others to submit high-severity bugs for bigger rewards and faster access to private programs.
Oct 16, 2018
367 words in the original blog post.
The text discusses the creation of a list of notable hacker movies, curated by Bugcrowd, following a Twitter poll that garnered a significant response. The Big Three mentioned are "WarGames," "Hacker," and "Takedown," which were selected based on their cultural impact and relevance to hacker culture. The list includes other movies such as "The Girl With The Dragon Tattoo" that feature hackers or cybersecurity themes, inviting users to suggest additional titles through Twitter using the hashtag #hackermovies.
Oct 15, 2018
363 words in the original blog post.
The Researcher experience on Crowdcontrol has been enhanced with new features and improvements, including a visual update of Known Issues, the addition of Payments Export, and changes to prioritization and point allocation for valid bug submissions. The platform now provides more transparency around why a submission may or may not qualify for points, clarifying the process for submissions that move directly from "New" to "Won't Fix". These updates aim to provide a better experience for Researchers and improve the overall security vulnerability reporting process.
Oct 04, 2018
601 words in the original blog post.
The midterms are just a month away, and with the potential impact of election hacking still unresolved, it's unsettling that more hasn't been done to ensure election day is secure. The machines used in voting systems are vulnerable to known flaws, and hackers have already demonstrated their ability to breach these systems during DEFCON events. Despite efforts to identify vulnerabilities, many remain unaddressed due to a lack of urgency from companies manufacturing the machines. To mitigate this risk, there should be requirements for test beds to be made available between election cycles and for companies to establish clear vulnerability disclosure programs. Proactive measures, such as bug bounty programs, can also encourage findings and fixes, but ultimately, detecting how systems have already been hacked is crucial in preventing election hacking. As consumers, it's essential to stay vigilant and demand transparency from the companies manufacturing these machines.
Oct 03, 2018
660 words in the original blog post.
Bug bounties have seen a 40% growth in engagements over the last year, indicating their increasing importance as a necessity rather than a nice-to-have. A successful engagement starts before its launch and is a continuous process that requires knowledge of core concepts and fundamentals to run it effectively. To achieve success, one must get buy-in early from internal stakeholders, own the engagement by investing in its success, consider the power of scope and rewards, set clear expectations, and have a plan in place for various scenarios. By following these tips, organizations can create a well-run bug bounty engagement that attracts researchers and encourages repeat participation.
Oct 02, 2018
738 words in the original blog post.
Homeland Security to Establish Vulnerability Disclosure; House Pushes for Formalization of CISO role
The US House has approved a bill that directs the Homeland Security Secretary to establish a vulnerability disclosure policy for the agency's websites, following a trend of crowdsourced security being adopted in Washington. The White House's National Cybersecurity Strategy emphasizes the importance of coordinated vulnerability disclosure and crowd-sourced testing to improve resiliency ahead of exploitation or attack. This marks an important shift as progress on cybersecurity had been slow since the appointment of the first federal CISO in 2016, which remains unfilled due to a change of administration. The bill's approval is also seen as part of a broader effort to upgrade and secure federal technology, including formalizing the roles of CIO and CISO, with the goal of achieving the National Cybersecurity Strategy's objectives. The adoption of crowdsourced security in the private sector has been accelerating, with more than 50 industries adopting it, which is now influencing public sector initiatives.
Oct 01, 2018
356 words in the original blog post.