Over the past few months, the widespread popularity and adoption of bug bounties and vulnerability disclosure have grabbed headlines. This rapid adoption, paired with recent incidents, has hastened the need to make sure things are defined clearly—specifically, the difference between bug bounty and extortion, a good hack versus a bad one. This has drawn the
Earlier this month, the National Institute of Standards and Technology (NIST) released a revision (1.1, Draft 2) of its Framework for Improving Critical Infrastructure Cybersecurity. The new release now includes vulnerability disclosure processes as part of the Framework Core (on page 43). This revision contains an important addition, the result of an industry effort. Last
Several recently published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, Google’s Project Zero has provided exploits that work against real
Bugcrowd is excited and very pleased to announce the appointment of Ashish Gupta as our new Chief Executive Officer. With this addition, I’ll be transitioning to Chairman of the Board and Chief Technology Officer.
BSidesLV, Black Hat and DEF CON week is “that time of year” in the security industry, when hackers, suits, feds and anyone else interested in our craft descend on Las Vegas. The goal? To teach, demonstrate, learn, connect, and enjoy the company of fellow members of the village.
Since I started Bugcrowd, the one constant has been continual amazement at the pace of growth of the crowdsourced security movement we initiated back in 2012.
As a founder, there is nothing better than watching the company I started grow and evolve. In the four and a half years I’ve watched Bugcrowd grow by leaps and bounds – the team has grown threefold in the past year alone. While our guiding principles, core values, and vision of the future of cybersecurity
Can bug bounty programs replace penetration tests? This question has come up a lot in the past several months and today we released a guide that begins to answer it.
[Update] Active attacks now include: MongoDB, Elasticsearch and Hadoop. Two weeks ago the Internet was hit with the first in what has become a frightening trend of ransom attacks. This first attack affected fewer than 200 MongoDB installations and for the most part flew under the radar given the meager sum requested by the attacker