Like Employee of the Month but better, I’m excited to tell you about the three Crowd members that earned top spots on the April 2015 Hall of Fame. We have a ton of amazing researchers contributing solid bugs every day, but these three top performers earned the most Kudos points in Bugcrowd bounty programs from April 1 to April 30, 2015. To thank them for their hard work, Bugcrowd is pleased to announce they’ll receive performance bonuses.

1. serializingme – 175 points – $2,500 bonus

2. greyhat – 127 points – $1,500 bonus

3. deepankerchawla – 94 points – $1,000 bonus

How does a researcher earn Kudos points? High severity bugs earn the most points, which is how serializingme got to the top – he made multiple high priority submissions. Bugcrowd’s general guidelines for vulnerability priorities and Kudos points are:

P1 – CRITICAL – 20 points
Vulnerabilities that allow privilege escalation on the platform from an unprivileged user to admin, remote code execution, financial theft, etc. Examples: Remote Code Execution, Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass

P2 – HIGH – 15 points
Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, Stored XSS, some CSRF depending on impact

P3 – MEDIUM – 10 points
Vulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples: Reflected XSS, Direct object reference, URL Redirect, some CSRF depending on impact

P4 – LOW – 5 points
Issues that affect single users and require user interaction or significant prerequisites (such as MitM) to trigger. Examples: Common flaws, Debug information, Mixed Content

P5 – BIZ ACCEPTED RISK – 2 points
Non-exploitable weaknesses and “won’t fix” vulnerabilities. Examples: Best practices, mitigations, issues that are by design or an acceptable business risk to the customer, such as the use of CAPTCHAs.


Great work in April!

Discuss this announcement on the Bugcrowd Forum