Over the past few months, the widespread popularity and adoption of bug bounties and vulnerability disclosure have grabbed headlines. This rapid adoption paired with recent incidents have hastened the need to make sure things are defined clearly—specifically, the difference between bug bounty and extortion, a good hack versus a bad one. This has drawn the
The bug bounty market is growing quickly. While an increasing number of organizations are embracing the concept, there still remains some confusion and ambiguity around paying hackers for vulnerabilities. Events like recently disclosed Uber breach illustrate this confusion. I’ll take this opportunity to clarify and define this rapidly evolving market.
Last week, we released our second annual Inside the Mind of a Hacker 2.0 report. We dove into different hacker profiles, their motivations for hacking, and the impact building a relationship makes on a successful bug bounty program. We found lots of interesting stats on our bug hunting community, both expected and surprising.
It’s common knowledge that the security industry has been facing a massive shortage of resources. Add the fact that companies are accelerating their cloud presence and growing an API ecosystem of their own. CISOs are up-leveling their security strategy by adding bug bounty programs to their toolbox.
Since I started Bugcrowd, the one constant has been continual amazement at the pace of growth of the crowdsourced security movement we initiated back in 2012.
Google recently announced that the company has raised its top reward for remote code execution bugs in its Google, Blogger and YouTube domains by 50 percent, saying “Because high-severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them. We want to demonstrate our appreciation for the significant
Earlier this year, I wrote extensively about vulnerability disclosure policies and benefits as well as how trust impacts the disclosure process between researchers and vendors. While writing these posts, I looked for publicly available (free!) literature on product security incident response (PSIRT) processes to share. I thought I’d find vendors publishing their PSIRT best practices on operations or how to publish an
In short, Yes. A list of POCs are provided below. If we’re missing anything let us know via Twitter @bugcrowd, and we’ll add it to the list and credit you for helping out. Last update: 30 April 2014 6:07 PDT Unless you spent yesterday and this morning under a rock you’ll have heard about a very serious