April 2019 Summaries
12 posts from Bugcrowd
Filter
Month:
Year:
Post Summaries
Back to Blog
The Bugcrowd community has been recognized for their outstanding work in making the internet a safer place. The 2019 Buggy Awards honored companies and researchers who have gone above and beyond to create successful bounty programs, provide quality responses, and contribute to the wider security community. Winners included Atlassian, Fiat Chrysler Automobiles, Netflix, and several individuals such as codingo, plwylie, and mongo, who were recognized for their exceptional contributions to the Bugcrowd community. The awards also acknowledged researchers who have made significant impacts on the industry, including those who focus on technically severe vulnerabilities and those who are new to the scene but have shown great promise in 2018.
Apr 30, 2019
1,014 words in the original blog post.
Setting up a crowdsourced security program requires careful consideration of rewards, including determining suitable ranges for vulnerabilities against different target types, considering market rates, and establishing a budget. Bugcrowd's Vulnerability Rating Taxonomy (VRT) provides a standardized framework for rating vulnerability severity, making it easier to set consistent reward ranges across programs. The recommended starting reward ranges vary depending on the type of targets, with lower ranges suitable for untested web apps and higher ranges for well-hardened and sensitive systems. A moderate attack surface and some past security testing can help estimate the initial reward pool budget, which may need to be adjusted based on program performance. Ultimately, the key to a successful program is attracting the right hackers with attractive incentives, making it essential to balance rewards with business needs and security maturity.
Apr 23, 2019
1,355 words in the original blog post.
SoundCloud has launched its public bug bounty program with Bugcrowd, the #1 crowdsourced security platform. The company is committed to keeping its community and content safe, particularly given its unique set of security issues related to processing user-generated content and detecting malware distribution. As a leading audio streaming platform, SoundCloud is focused on building state-of-the-art security monitoring and protection solutions while also improving efficiency in handling vulnerability reports. With Bugcrowd's community-driven testing, the company has seen several benefits including a lowered barrier to reporting vulnerabilities, increased quality in reports, dedicated time to focus on specific services, known platforms with clear processes, and increased confidence in addressing critical issues.
Apr 18, 2019
455 words in the original blog post.
Penetration testing is a critical security assessment that answers two key questions: Is my stuff secure? How do you know? A thorough pen test report provides an objective assessment and measures taken to assess the environment, even if no vulnerabilities were found. Organizations can benefit from using standardized evaluation methods like penetration testing to demonstrate their commitment to security and provide valuable insights for internal proceedings. Managed crowdsourced security programs and Next Gen Pen Tests offer better depth and breadth of coverage by leveraging a wider pool of resources and researchers, providing organizations with the results they need to stay ahead in security challenges.
Apr 16, 2019
544 words in the original blog post.
Arne Swinnen, a Belgian Bugcrowd Ambassador, shares his journey from being a curious 12-year-old who automated game elements to becoming a full-time bug bounty hunter. He studied Computer Science at KU Leuven and worked as a security consultant before discovering bug bounties in 2015. After connecting with Bugcrowd at Bsides SF, he transitioned to a full-time career in bug hunting, leveraging tools like Burp Suite Pro, Amass, Subfinder, and SQLmap. Arne advises building a financial buffer, managing work-life balance, and utilizing tools like the Burp Collaborator Client to automate tasks. He recommends reading "The Web Application Hacker's Handbook" and "Web Hacking 101" for beginners and values flexibility, freedom, and challenging experiences in his career.
Apr 12, 2019
1,022 words in the original blog post.
At Bugcrowd, researchers will now be able to submit well-written reports with images embedded in the bug submission form, allowing customers to easily understand the impact of the vulnerability discovered, providing a more compelling and clear story of their findings. The platform's submission form has been improved with image embedding, enabling researchers to explain bugs with text and images side by side, making it easier for them to tell their story. This feature was requested by many researchers in past surveys and feedback sessions, and is now live, thanks to the efforts of the Bugcrowd Engineering group and the Researcher Development team, led by Glenn 'devalias' Grant, who has a background as a bug bounty hunter and security researcher. The updated platform aims to reduce friction in the reporting process, allowing researchers more time for hunting and improving the overall user experience.
Apr 11, 2019
414 words in the original blog post.
As the amount of software powering our lives continues to increase, developers are churning out code faster. While this makes consumers' lives easier, we still need to bake in security well before code is released. With consumers demanding more and the move to DevOps, new code is being released constantly, making it challenging to keep up with security vulnerabilities. Most applications use pre-built blocks of code, known as libraries and frameworks, which are often open source, increasing the risk of vulnerability exploitation across multiple applications. However, identifying and updating vulnerable components can be done relatively easily, thanks to publicly disclosed vulnerabilities, allowing developers to focus on fixing issues faster with the help of security teams like Bugcrowd.
Apr 11, 2019
385 words in the original blog post.
Bugcrowd has announced its March 2019 Hall of Fame winners, recognizing top performers who earned significant points through bug submissions. Mikee took first place with 660 points, followed by todayisnew in second place with 585 points, and a private user taking third place with 300 points. Bugcrowd is awarding bonuses to these top performers, with the highest reward going to the first-place winner at $3000. High-severity bug submissions, which can result in critical security impacts, are particularly valuable and can earn significant rewards. The company values its researchers' contributions and looks forward to announcing its April Hall of Fame results.
Apr 10, 2019
184 words in the original blog post.
The ESG Research Insights Report and Security Leadership Study – Trends in Application Security have revealed that organizations are increasingly adopting proactive approaches to security, with a notable increase in the awareness and adoption of next-generation solutions such as crowdsourced cybersecurity. The majority of organizations currently run or plan to run crowdsourced security programs, particularly those focused on cybersecurity and technology sectors. Crowdsourced security is seen as complementary to traditional security methods, delivering unique benefits and yielding better results when combined with other approaches. As a result, businesses are embracing this non-traditional method for defense, allowing them to keep pace with the fast and disruptive nature of today's business cycles.
Apr 09, 2019
379 words in the original blog post.
Here's a neutral and interesting summary of the provided text in one paragraph:
To create an effective and engaged program, it's crucial to respond promptly and fairly to vulnerability submissions, reward findings in a timely manner, and treat researchers with understanding and respect. This approach is encapsulated by the FRUIT acronym, which stands for Fairness, Responsiveness, Understanding, Investment, and Transparency. By adopting these characteristics, program owners can establish trust with researchers, foster meaningful relationships, and ultimately improve the security of their scope and contribute to a safer internet.
Apr 04, 2019
1,074 words in the original blog post.
Hagai Sason, a Bugcrowd Ambassador from Israel, has a unique background that led him to become a penetration tester and hacker. His affinity for logical puzzles and human behavior developed into an interest in solving problems, which he now combines with hacking as a pen tester. After studying web technologies and taking courses on information and network security, Hagai found his passion in breaking systems and became an incredible red team member. He manages his personal life, work, and bug bounties by balancing his time between these activities, and recommends using BurpSuite and reconnaissance tools like manual Google dorks for effective hacking. Hagai's experience has taught him that logical attacks and advanced server-side injections are key to finding vulnerabilities, and he advises beginners in bug bounties to avoid searching for obvious findings and instead focus on complex ones. Bug bounties have made a significant impact on his life by providing an additional source of income and extending his knowledge and professionalism. In his free time, Hagai enjoys traveling, watching TV, learning new things, playing football, and supporting his favorite team LFC.
Apr 02, 2019
733 words in the original blog post.
Advanced Program Search is a new expansive search feature launched on the Programs list page, allowing researchers to easily surface programs that suit their interests by leveraging tokenized search functionality. Researchers can narrow down the search results using 10+ filter keys and logic operators OR & AND to build complex queries. The feature is part of several upcoming releases this quarter, highly requested by the researcher community, and feedback is encouraged on the Forum Feedback thread.
Apr 01, 2019
158 words in the original blog post.