The Bugcrowd platform continued to evolve around our three key priorities: integrating better with your security workflows, providing security expertise on demand, and personalizing your user experience. Here is a review of the platform capabilities we built in 2020.
Security Workflow Integration
New API and Outgoing Web Hooks
The goal of the Bugcrowd platform is to give you the ability to seamlessly engage the crowd for the right security use case at the right time. To achieve this, the platform must integrate tightly with your workflows, both within your security organization and beyond. We made significant enhancements to the Bugcrowd API last year. It is better designed than the previous one and supports versioning: you can keep using the version you are on and decide for yourself when to upgrade to a new one.
As part of the new API, the documentation site has been completely redesigned as well. Take a look here. Reach out to the support team if you have any questions and we’ll be glad to assist you in getting set up with the new API!
Jira Integration Enhancements
Jira is an integral part of many of your workflows, so we have enhanced the two-way integration to allow mapping to your internal projects. Check this out on your Integrations setup page.
@customer Notifications through Integrations such as Slack
If you build Bugcrowd notifications into your security workflows through communication tools such as Slack, an @customer mention by the Bugcrowd team now routes the notification to the person on call in your organization.
Customizable Session Timeout for Customer Accounts
For customers with different needs around user session timeouts on the Bugcrowd platform, we have built customizable session timeouts. Depending on your compliance and security requirements, the defaults can be changed as needed.
Security Expertise On-demand
The Bugcrowd payments infrastructure received a boost last year to allow for more options in the payment system. Many features were built out; the most important ones are daily researcher payments, simplified tax and compliance checks (for example, OFAC screening), support for new countries (Afghanistan, Belarus, Congo, Eritrea, Ethiopia, Iraq, Myanmar, and Zimbabwe), and the ability for international researchers to hold their payouts in USD until conversion is required.
Bugcrowd’s proprietary matching engine took a step forward with additional data sources, and better matching and recommendations.
- Platform driven duplicate detection – This helps aid in faster triage times and quicker duplicate identification.
- A more holistic profile of researchers and customer assets, for better matching through external and platform data – Bugcrowd aims to provide the best matches to both customers and researchers. An integral part of this is to better understand your assets and the researchers in our crowd. Bugcrowd’s proprietary data infrastructure allows for ingestion and analysis of your assets & technology stacks on the one hand, and researcher expertise, skills, trust, and other behavioral data on the other.
- Program recommendations and discovery for researchers – Given the additional context Bugcrowd has about you and the researchers, we can ensure that your programs have the best matching researchers working for you. Programs are recommended to researchers automatically when there is a new program match for them, and as new data is discovered about the customer assets or the researcher.
- Penetration test attestation report for all pen test customers – Pen test customers are now able to receive a high level summary of their pen test results, in order to share with partners or auditors. The detailed pen test report is still available as always.
Personalized User Experience and Self-service
Our platform self-service will continue to surface additional capabilities that are currently offered by our service operations team. Some notable enhancements in this area include:
- Onboarding Welcome Center – The welcome center now helps you get situated after onboarding on to Bugcrowd. It includes quick links and videos for all the information you need to get started with managing your program on the platform.
- Scoping for Classic Pen Tests – If you need a traditional pen test for your assets in a pay-for-effort model, you can set one up easily! The scoping calculator will ensure we have all the scoping details captured, so that we can launch your program in as little as 72 hours after kick off!
- Target Groups – Many customers prefer to reward different amounts for the same severity depending on the target. For example, a P1 on a documentation website might get $500, whereas a P1 on an application holding customer data might receive $10,000. While you may have used the bounty brief for this, there is now a better way: target groups let you group targets together and set the reward ranges per severity for each group. This lets researchers quickly see the rewards they could potentially receive and decide whether they are interested in the program. It also lets you quickly determine the correct payout amount when accepting a submission.
- Customer Initiated Reward Pool Top-ups – The platform now enables customer initiation of pool top ups. With this, you now have visibility into the total reward pool, and can initiate the process of moving funds from the org-level pool to a specific program. Your Bugcrowd team will follow up with you to then complete the transaction.
Enhancements to Submissions Workflows
Submissions now support private comments and the ability to edit them as needed. Cleaner submissions and better communication across all parties involved!
Customer Task List
The Customer task list is a single list of to-dos that lets you quickly prioritize the actions you need to take on the Bugcrowd platform. With many updates to our workflow rules and a simpler layout that shows what needs to be done, it streamlines your work on the platform. The task list is especially useful for customers that have scaled to multiple programs, so that you can quickly act on your blockers and submission acceptances.
These were just the highlights in the past 12 months. There are many others that you may have discovered, or have seen in action. Do reach out to us if you have any questions or would like to discuss any capability in more detail.