Home / Companies / Bugcrowd / Blog / May 2019

May 2019 Summaries

12 posts from Bugcrowd

Filter
Month: Year:
Post Summaries Back to Blog
Today at BlueHat Shanghai, Microsoft announced a partnership with Bugcrowd to speed up payouts for vulnerabilities reported by security researchers. This collaboration aims to strengthen partnerships between Microsoft and the security community while making its bug bounty programs more rewarding. By partnering with Bugcrowd, Microsoft can offer faster payment options, including PayPal and Payoneer, allowing researchers to receive their bounty awards in a convenient manner. Additionally, this partnership enables researchers to collaborate on submissions and split payments easily, further enhancing the overall experience for security experts.
May 31, 2019 355 words in the original blog post.
Join us this Saturday and Sunday, June 1-2 for LevelUp 0x04!, a free online InfoSec conference series featuring leaders in the hacking and crowdsourced security space. The event will kick off with an opening address by Bugcrowd CEO Ashish Gupta, followed by two half-day sessions of live content on collaboration, teaming up with fellow hackers, and other topics such as car hacking and mobile hacking. The conference is designed to provide resources and opportunities for the community to develop new skills, and viewers can tune in on YouTube.com/bugcrowd and participate through the live chat.
May 30, 2019 293 words in the original blog post.
Bugcrowd's founder and CTO Casey Ellis discusses the evolution of bug bounty programs and their connection to penetration testing, highlighting the company's strategy of using crowdsourcing to improve pen testing through economics and resourcing models. He emphasizes that pen testing is a logical application of crowdsourcing and that the goal is to align expectations between researchers and companies when it comes to vulnerability disclosure. Ellis also stresses the importance of education on both sides, particularly for the researcher community, and announces Bugcrowd's partnership with Secure Code Warrior to provide training and developer education in secure coding practices. The partnership aims to shift left in the development process to help engineers understand how to code securely, reducing the introduction of bugs into production systems.
May 21, 2019 974 words in the original blog post.
We are excited to announce our April 2019 Hall of Fame winners, Nishtha123, Yonatan, and rubyroobs, who received bonuses for their top performance in submitting high-severity bugs, with Nishtha123 taking first place with 225 points. The company values its partners' contributions to making the programs successful and encourages them to continue submitting high-quality bug reports. A new leaderboard is now open for participants to submit high-severity bugs and earn kudos points, with a focus on critical security impact issues such as remote code execution or elevation of privilege.
May 15, 2019 153 words in the original blog post.
A well-defined scope is crucial in a crowdsourced security program, as it clearly tells researchers what they can and cannot test within the boundaries of the engagement. A narrow scope may result in coverage and testing gaps, while an overly broad scope may distract resources and time-constrained hackers from focusing on what's needed. It's essential to expose as much of your footprint as possible, tier assets based on their value, and evaluate how you'll handle submissions that are valid but out of scope. The focus areas section should include specific situations, such as new features or attack vectors, while providing high-level information and relevant documentation around in-scope assets. Out-of-scope sections clearly outline what is not allowed, including exclusions and ratings. Rewards should be linked to a specified priority level on the program brief, with rewards matching or exceeding market value, and growing over time. Finally, the disclosure and rules section outlines the policy on disclosure, as well as any supplemental guidelines for participation, ensuring clarity and consistency for all parties involved.
May 15, 2019 2,093 words in the original blog post.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) cybersecurity summit in Orlando, Florida, brought together a diverse group of financial organizations to share security best practices and address common pain points such as the resource shortage and compliance woes. The event highlighted the need for more developer education and training to reduce vulnerabilities and improve security, with vendors like Secure Code Warrior presenting solutions that can help alleviate these issues. With malicious actors heavily incentivized by financial services data, regulators are cracking down on data security, and compliance conversations were prevalent outside scheduled sessions and on the showroom floor. The summit also emphasized the importance of elevating security to the C-level, with a focus on reporting metrics and methods to fuel executive conversations and measuring the value of existing solutions against competing priorities.
May 14, 2019 826 words in the original blog post.
We are modifying the existing MVP program to provide more prominent rewards for reaching MVP status. For each quarter that you qualify, you will receive exclusive swag that gets bigger and better with each quarter. The first two pieces of swag are a hat and sunglasses, with additional designs to be revealed in the coming months. Researchers who achieved MVP status in Q1 2019 have been recognized and qualified for both pieces of swag, which will be sent out shortly. The program is not an ongoing one, running annually from January 1, 2019, to December 31, 2019.
May 09, 2019 482 words in the original blog post.
The Bugcrowd Bounty Slayers program recognizes outstanding researchers who contribute valuable work to the platform by submitting high-quality bug reports and vulnerabilities. In Q1 2019, the program was rolled out for the first time, and it gathered significant results, with a large number of participants submitting valid submissions. The current reward structures have been tweaked for Q2, introducing bigger stretch goals, such as requiring at least 40 valid P1 to P4 submissions for standard rewards and at least 60 for Power Up bonuses. Bugcrowd acknowledges the value of its researchers and aims to provide a challenging and rewarding experience through this program, with plans to continue refining it based on community feedback.
May 08, 2019 1,026 words in the original blog post.
The Bugcrowd team has announced new incentives for its P1 Warriors program, which rewards valid P1 submissions made since January 2019. The program includes badges, swag, and recognition for top researchers. Researchers who have submitted a certain number of valid P1 submissions are eligible for exclusive badges, sticker packs, and challenge coins. The first six badges were revealed, along with the designs of the sticker packs and challenge coins. Additionally, the top P1 researchers in Q1 2019 were announced, including those who have submitted five, ten, or twenty-five valid P1 submissions. The team is sending out order links for swag to qualified researchers and invites others to learn more about the incentive program.
May 07, 2019 331 words in the original blog post.
The report highlights the growing interest in DevSecOps adoption among organizations, with nearly 4 out of 5 having adopted DevOps and planning to integrate cybersecurity processes into their CI/CD pipelines. Cybersecurity automation is a key trend, with organizations seeking to automate security and integration with software development life cycles. The study reveals that large enterprises have the greatest need for application security help due to operational complexity and the number of applications. A community-based approach to identifying vulnerabilities also shows promise, as does the adoption of next-generation pen test and security automation solutions.
May 03, 2019 387 words in the original blog post.
Bugcrowd has released `disclose.io`, an open-sourced safe harbor project, to provide a safer and easier-to-navigate legal environment for whitehat hackers. The company's first step was to launch new programs on the Bugcrowd platform with safe harbor as an opt-out default, which has been widely adopted by companies. To further promote the use of safe harbor, `The List` has been rebooted and now includes advanced filtering options for researchers to find programs that offer this protection. Additionally, Bugcrowd's team has been actively promoting safe harbor at conferences worldwide, with high acceptance rates. The project aims to have every organization adopt a proactive vulnerability disclosure policy with safe harbor for good-faith hackers, and encourages users to submit PRs to include missing programs on `The List`, add safe harbor terms to their own VDPs, or advocate for establishing a vulnerability coordination process in their organizations.
May 02, 2019 593 words in the original blog post.
In July 2017, Atlassian launched its Bug Bounty Program, which has since rewarded nearly 400 vulnerabilities and over $400,000 in total, earning it "Program of the Year" at the 2018 and 2019 Annual Buggy Awards. The program's success can be attributed to responsible security researchers who have made the internet a safer place through their participation. To address concerns about researchers facing legal action for acting in good faith, Atlassian has adopted a safe harbor clause in its program rules, ensuring that participants will not face repercussions as long as they follow all other rules and act with integrity.
May 01, 2019 275 words in the original blog post.