A few weeks ago I was tagged by Art Manion of the CERT Coordination Center (CERT/CC) in a tweet asking about Bugcrowd’s approach to disclosure policy defaults. The short version of the thread was concern around a statement in our product documentation which infers that Bugcrowd actively recommends Non-Disclosure as the default policy for our
Last week, the House voted to approve H.R. 6735, a bill that directs the Homeland Security Secretary to establish a vulnerability disclosure policy for the agency’s websites. This was a swift decision — the House Homeland Security Committee advanced this bill just last week — as well as a timely one. Crowdsourced security has been
This blog was written by Stu Hirst, Head of Security Engineering, Photobox Group. I’ve been a believer in the power of the bug bounty model since 2015, when I ran my first 2-week program with Bugcrowd. During that program the researchers found 149 vulnerabilities! Nearly 50 of these were valid and in scope. That was a
Next week (March 1), new regulations from the New York State Department of Financial Services (DFS) will take effect, giving financial services firms licensed to operate in New York 180 days to improve their security based on new requirements. The regulations cover a slew of issues ranging from the maintenance of written policies, testing, governance
In order for Researchers to be successful, it is vital to clearly communicate expectations. We have refined verbiage in both the Bugcrowd Standard Disclosure Terms and the Bugcrowd Researcher Code of Conduct, and these changes are highlighted below: In the Bugcrowd Standard Disclosure Terms, we made the following change to clarify our policies for uploading
Earlier this month, the National Institute of Standards and Technology (NIST) released a revision (1.1, Draft 2) of its Framework for Improving Critical Infrastructure Cybersecurity. The new release now includes vulnerability disclosure processes as part of the Framework Core (on page 43). This revision contains an important addition, the result of an industry effort. Last
If you’re reading this article, statistically speaking your organization might be getting hacked. Data breaches of U.S. government networks, once novel, have become pervasive over the past year. Take it from the Office of Personnel Management (OPM) or the IRS – no one is safe anymore. In the private sector, the Equifax hack and Intel’s processor vulnerabilities have taken mainstream media by storm. The
In talking with our customers, and particularly larger customers, we often hear of the need to establish an open, public, and passive channel for vulnerability disclosure from their users, customers, and the broader security community. These customers aren’t always ready for a public bug bounty, but they may already have an existing security@ email address.