Home / Companies / Bugcrowd / Blog / August 2019

August 2019 Summaries

13 posts from Bugcrowd

Filter
Month: Year:
Post Summaries Back to Blog
The U.S. Air Force collaborated with Bugcrowd, a crowdsourcing platform for cybersecurity testing, to conduct a bug bounty program as part of the Common Computing Environment (CCE) initiative. The program aimed to identify and remediate security vulnerabilities in the CCE platform, which provides an enterprise-wide cloud environment for the Air Force's cloud-hosted applications. Through Bugcrowd's engagement, security researchers found 54 vulnerabilities, including those related to access and configuration issues, which were promptly remedied and resulted in payouts of over $123,000, with a top prize of $20,000. The program showcased the value of crowdsourced security testing, focused testing, and researcher grants in strengthening the security of the CCE platform, and demonstrated the Air Force's commitment to prioritizing security in its IT operations.
Aug 29, 2019 708 words in the original blog post.
The auto insurance industry is heavily regulated and requires a great deal of customer information to accurately measure risk, which HiRoad aims to protect through robust cybersecurity measures. The company's goal is to respect and honor the trust customers place in their insurance company by ensuring their data is safe. To achieve this, HiRoad has implemented a defense-in-depth approach to its program, including internal security testing and QA measures, as well as crowdsourced security through Bugcrowd, which provides access to top vulnerability researchers and helps focus attention on actionable submissions.
Aug 27, 2019 422 words in the original blog post.
The 2019 Hacker Summer Camp was a significant event in the cybersecurity world, showcasing the growing popularity of crowdsourced security testing and the increasing adoption of ethical hacking by major tech companies. The event highlighted the need for a culture shift within cybersecurity teams, where every security team is seen as a software team, promoting communication, cooperation, and mutual education between engineering and security teams. The growing attack surfaces due to the proliferation of IoT devices and cloud environments pose significant challenges, but finding vulnerabilities can be a key feedback loop that helps security and development teams improve over time. The event also saw notable announcements, such as Apple's opening up its bug bounty program and increasing rewards to up to one million dollars. Overall, the Hacker Summer Camp 2019 was a celebration of the cybersecurity community and a testament to the power of collaboration and innovation in the field.
Aug 23, 2019 657 words in the original blog post.
The attack surface of many organizations has grown exponentially, making them more susceptible to weaknesses. To combat this, security teams are using crowdsourced security solutions, such as bug bounty programs, which have expanded their scope to include more assets. However, when the attack surface expands but the scope remains the same, it creates a gap in coverage and grey areas for security researchers who identify issues outside of the program's scope. This can lead to ambiguity for researchers on where to report out-of-scope findings, potentially causing stressors for both parties. To alleviate this issue, organizations can consider having an expansive bounty program that includes all assets owned by the organization or running a Vulnerability Disclosure Program (VDP) in conjunction with their bug bounty, providing a clear and open scope for researchers to report security concerns. By offering bounties for all findings or implementing a VDP, organizations can encourage more active bug hunting and ensure their entire attack surface is being secured.
Aug 22, 2019 684 words in the original blog post.
The inaugural 2019 Priority One Report by Bugcrowd reveals that the number of security vulnerabilities reported and bug bounty payouts per vulnerability nearly doubled this year compared to last. There was a major shift in vulnerability classes found by security researchers in 2018, with four-out-of-five top Vulnerability Rating Taxonomy (VRT) classes revolving around vulnerabilities that are difficult for machines to find. The average payout for a critical vulnerability has reached nearly $2,700 this year. Web vulnerabilities continue to rise, and there was a nearly 4x increase in vulnerability submissions for IoT targets with average payouts surpassing $8,500. New technology environments will require more skills and education to combat the new vulnerabilities that will appear alongside.
Aug 20, 2019 708 words in the original blog post.
We are excited to announce our July 2019 Hall of Fame winners, including Nahamsec who took first place with 780 points, todayisnew came in second with 585 points, and CharlieEriksen secured third place with 360 points. To recognize their outstanding performance, we awarded bonuses ranging from $3,000 for the top spot to $1,000 for the third-place finisher. We appreciate all contributors' efforts and invite others to submit high-severity bugs that could impact our programs, potentially earning them a spot on the Leaderboard.
Aug 14, 2019 153 words in the original blog post.
The author of this guest blog post, Matt Hillary, Vice President of Security at Instructure, highlights the importance of collaboration and community engagement in addressing security threats. The company's security team attends DefCon to learn from the security community and stay updated on the latest security trends. One notable talk that resonated with them was "Are Your Child's Records at Risk?" which shed light on vulnerabilities in educational software companies. In response, Instructure is working closely with security researchers to test their systems and has established a bug bounty program through Bugcrowd, providing a platform for researchers to disclose vulnerabilities and receive rewards. The company is committed to transparency and publishes its annual bug bounty results, demonstrating its commitment to protecting student data. By extending an invitation to all security researchers to join the bug bounty program, Instructure aims to foster a collaborative environment that prioritizes security.
Aug 13, 2019 543 words in the original blog post.
Bugcrowd is addressing the global cybersecurity skills shortage by providing a platform for crowdsourced security testing, with features such as self-serve onboarding, premium SLAs, auto-accept and payout functionality, and a work queue to prioritize tasks. This enables organizations to optimize their time and resources, improve efficiency, and reduce costs. The platform is backed by an elastic crowd of over 100k trusted whitehat hackers and provides intelligent skill matching, workflow standardization, and remediation advice to help companies protect their critical assets. With these updates, Bugcrowd aims to change the way organizations think of security at scale, providing a true SaaS solution for on-demand and continuous crowdsourced security testing.
Aug 06, 2019 940 words in the original blog post.
Bugcrowd is enhancing its platform with new features aimed at making it easier for organizations to demonstrate their commitment to security best practices. The company's new Secure Marketplaces solution simplifies the adoption and management of Bug Bounty, Vulnerability Disclosure, and Next Gen Pen Test solutions for applications and app stores, providing individual program health visibility, fully-managed crowdsourced security programs, and purpose-built methodologies. Additionally, Bugcrowd is introducing enhanced reporting, benchmarking success, and scaling capabilities to help organizations assess their security posture, monitor program health, and compete in the market. The platform leverages an elastic crowd of over 100k trusted white hat hackers to provide intelligent skill matching, workflow standardization, and remediation advice, allowing companies like Tesla and MasterCard to protect their critical assets at a fraction of the cost per vulnerability.
Aug 06, 2019 632 words in the original blog post.
Bugcrowd has launched five new modules for its online learning program, Bugcrowd University, which offers free access to a library of hacking tutorials co-curated by security experts and whitehat hackers. The new content includes modules on Burp Suite Advanced Module, Server Side Request Forgery, XML External Entity Injection, GitHub Recon and Sensitive Data Exposure, and Recon & Discovery. Additionally, the platform has enhanced its skills matching capability, allowing researchers to upload relevant training certifications for faster program participation. Bugcrowd has also introduced a new collaboration feature, Researcher Collaboration, which enables security researchers to work together on vulnerabilities, share rewards, and strategize their approach. This feature has seen significant success in previous events, with almost half of all submissions at the recent Atlassian Bug Bash coming from collaborative efforts. By fueling its community of whitehat hackers and providing accessible education, Bugcrowd aims to change the way organizations think of security at scale.
Aug 06, 2019 490 words in the original blog post.
Def Con 27 is coming up and it's packed with numerous presentations, panels, and speakers, making it challenging to attend all of them. Bugcrowd has curated a list of top must-see talks for attendees to experience the best of DEF CON. The talks cover various topics such as car hacking, pen testing strategies, bug bounty hunting, cybersecurity in medical devices and cars, public interest technology, fuzzing techniques, and more. These expert speakers will provide valuable insights into the world of security, bug detection, and hacking, helping attendees gain a deeper understanding of these topics and stay ahead in their careers.
Aug 05, 2019 1,315 words in the original blog post.
The global security threat landscape is evolving rapidly, with new attack vectors emerging due to the shift to cloud computing, mobile apps, and IoT devices, creating a surge in new security vulnerabilities. Enterprises must reassess their vulnerability management approaches to mitigate these risks. The 2019 Priority One Report reveals an upward trend in security vulnerabilities and payouts to crowdsourced security, with significant increases in critical bug bounty payouts and adoption across various industries, including Financial Services, Retail, and Healthcare. These findings suggest that crowdsourced security is becoming a crucial defense mechanism against security incidents, particularly for sensitive data-intensive industries like Healthcare. As the market matures, it's essential to develop the necessary skills and education to combat new vulnerabilities and shifting technology environments, while also addressing the growing cybersecurity skills shortage.
Aug 01, 2019 664 words in the original blog post.
Black Hat 2019 is a premier cybersecurity conference that promises to deliver an impressive lineup of talks, events, and parties. Researchers and security experts will share their findings on various topics such as Windows service vulnerabilities, cybersecurity risk assessment for safety-critical systems, hacking for the greater good, and more. The conference also features panels and presentations on bug bounty programs, social media awareness, IoT security, physical security, software development, and DevOps and security. Attendees can expect to learn from industry leaders and experts, including Bruce Schneier, Chloe Brown, Ray Michael Huebler, and Kelly Shortridge, among others. The conference is expected to be a valuable resource for professionals looking to stay up-to-date on the latest cybersecurity trends and best practices.
Aug 01, 2019 1,337 words in the original blog post.