July 2020 Summaries
10 posts from Bugcrowd
Filter
Month:
Year:
Post Summaries
Back to Blog
As researchers on the Bugcrowd platform, understanding performance metrics is crucial for growth and success in the Cybersecurity space. Researchers can earn Kudos/Points based on Priority levels of their submissions, with points awarded for valid, non-duplicate submissions. Accuracy is calculated by dividing valid vulnerabilities submitted over total submissions, while priority percentiles are determined by comparison to other researchers' submission volumes. Rank is calculated based on earned points compared to others, and earning private crowd invites requires meeting specific criteria such as four submissions, one accepted P1-P3 submission, and greater than 50% accuracy in the last 90 days. Researchers can use these metrics to compare their profiles, earn additional invitations, and participate in incentive programs and leaderboards. The Researcher Success team also reviews programs to find well-written submissions and professional interactions with customers, offering additional opportunities for researchers.
Jul 27, 2020
644 words in the original blog post.
Shrey Tewari, Lead Security Solutions Architect at Bugcrowd, brings his passion for soccer and improvement to cybersecurity posturing on every program he works with. He started in cybersecurity through auditing a security class while pursuing a master's in Electrical Engineering, where he was inspired by Dr. Daniel Ragsdale. Shrey joined Bugcrowd to address the industry-wide talent shortage in cybersecurity, using his skills as a Security Solutions Architect to work with customers and researchers to improve their security posture. He believes program success is driven by fair and responsive communication between program owners and researchers, who should strive for transparency, invested relationships, and detailed bounty briefs. Shrey enjoys learning from the weekly Security Now! podcast and playing soccer in his free time, offering advice to new hackers and InfoSec professionals to "go all in" and find a mentor to guide them.
Jul 23, 2020
636 words in the original blog post.
Maxim is a 21-year-old Bugcrowd Triager by day and an innovative Hacker (@m-qt) by night, with an Offensive Security Certified Professional (OSCP) certification. He joined Bugcrowd in March 2019 as an Application Security Engineer and has since provided value to hundreds of customers and researchers, working to make the internet a safer place. Maxim is currently earning his Offensive Security Web Expert (OSWE) certification and moderating a Penetration Testing Lab called Wizard-Labs. He partners with Bugcrowd to launch exclusive Capture the Flag challenges and enjoys triaging on programs like Dell, which offers a wide-open scope with interesting bugs. Maxim uses CTFs as a resource for learning and emphasizes perseverance in hunting, recommending that new hackers build their foundation in IT before entering bug bounty. When not hunting bugs, he builds vulnerable boxes for testing skills and is an avid fan of MotoGP and F1 racing.
Jul 16, 2020
855 words in the original blog post.
Our 7th LevelUp conference will take place on August 22nd, featuring informative talks on various infosec topics, CTF challenges, and a community of researchers for networking opportunities. The event is free and hosted by Bugcrowd, aiming to provide education, exposure, and uplift across the global security community. Researchers are invited to submit abstracts for talks until July 29th, with a focus on novel or compelling presentations on niche skills and techniques. The conference aims to drive conversation and discussions through Discord participation.
Jul 15, 2020
391 words in the original blog post.
ExpressVPN has a self-hosted, public bug bounty program that focuses on vulnerabilities in its client applications and VPN servers, with rewards ranging from $2,100 to $2,500 for P1 submissions. The program is designed to attract researchers with skills in web app security, API security, mobile device app security, browser extension security, router firmware security, and security protocol security. The ExpressVPN team will work with researchers to validate their reports, remediate discovered vulnerabilities, and recognize contributions to improving the company's security. The program has opportunities for researchers of all skill levels, from recon to deep-diving security vulnerabilities, and offers a variety of target assets and skill types.
Jul 15, 2020
488 words in the original blog post.
There was a glitch in the Matrix! When we announced the Q1 MVPs back at the end of May, our method for evaluating the data had some formulaic issues. We thank you for your patience while we went under the hood to figure out where we had gone wrong. Without further ado, here are the newly appointed Q1 MVPs! The program recognizes hackers that consistently bring their A-game across Bugcrowd bounty programs and has updated qualifications to ensure the best in class hackers are highlighted. The change made to the MVP qualifications includes achieving a priority percentile range for either P1s or P2s above 80%. Previously announced winners include individuals from various countries, who have been recognized for their hard work and dedication to making the world more secure. We will be reaching out to all MVP Q1 winners with our updated swag redemption process within the next few days.
Jul 14, 2020
472 words in the original blog post.
Vulnerability Disclosure Programs (VDPs) have become an essential tool for organizations to reduce risk while improving trust and loyalty amongst customers and the security community. By facilitating the voluntary reporting of vulnerabilities discovered outside of typical testing cycles, VDPs provide a framework for organizations to accept and prioritize externally-sourced vulnerabilities in a cost-effective and transparent manner. This approach allows companies to balance security and speed, share threat intel and security best practices with industry peers, and demonstrate commitment to rapid response and remediation. By adopting a VDP, organizations can improve their security posture, reduce the risk of breaches, and enhance their reputation, ultimately gaining trust and loyalty from customers and stakeholders.
Jul 10, 2020
1,601 words in the original blog post.
rqu, a seasoned hacker, has been actively participating in Bugcrowd programs since 2016, winning top awards at Bug Bashes and collaborating with Team Dumpster Fire. He initially got into cybersecurity through playing CTFs in high school and later met people who helped him grow his skills. Bug bounties have provided a steady income, allowing him to upgrade tools and equipment, and have led to job opportunities, including two full-time hires. Although he doesn't hunt bugs full-time due to time constraints, he uses bug bounties as a way to play with high-impact targets on the side. rqu emphasizes the importance of hands-on experience and learning by doing, and recommends taking good notes and joining communities like Bugcrowd for opportunities to hack unique targets.
Jul 08, 2020
795 words in the original blog post.
The study surveyed 3,493 security researchers to create an extensive dataset on global hackers and the economics of security research, providing insights into demographics such as age, national identity, income, and education level, as well as motivations behind security research and the desires and lifestyle of modern hackers.
Jul 07, 2020
132 words in the original blog post.
Caleb Kinney is an Application Security Enthusiast and Developer Hobbyist who has worked on several free, open-source tools to contribute to the InfoSec community. He recently partnered with Bugcrowd to rebuild and improve a Burp Suite extension called HUNT, which identifies and monitors Burp Suite's incoming traffic and highlights interesting targets for testing. Caleb's background in computer science and his passion for information security led him to start bug hunting in 2015. He has been impacted by bug bounty hunting, which has made him a better penetration tester, helped him focus on impactful issues, and honed his time management skills. Caleb currently takes a hiatus from full-time bug bounty hunting to spend more time with his family but is looking forward to returning to the field. He is a fan of tools like OWASP ZAP and Burp Suite and follows other hunters for advice and resources. Caleb's simple tip for hunting is to think outside the box, automate what can be automated, focus on what cannot be automated, and keep digging. He advises new hackers and those transitioning into bug bounty to be hungry for knowledge, give back to the community, not be afraid to fail, and enjoy the ride. When not hunting bugs, Caleb enjoys spending time with his family, learning new programming languages, and running.
Jul 02, 2020
667 words in the original blog post.