This is the second post in our new series: “Bug Bounty Hunter Methodology”. Today we explore bounty scopes, disclosure terms & rules, and how those guide you in your hacking. If you have any feedback, please tweet us at @Bugcrowd.
Posts by Sam Houston
This is the first post in our new series: “Bug Bounty Hunter Methodology”. Over the coming weeks, we will share information and resources that will help any aspiring security researcher or bug bounty hunter get their start. If you have any feedback, please tweet us at @Bugcrowd.
The new year is a great time to reflect on the past year and set new goals for the year ahead. To help the Bugcrowd community achieve success in 2017, we’ve outlined a few New Year’s resolutions for bug hunters and bug bounty program managers. Have other resolutions? We want to hear what they are! Tweet us.
As the world’s leading product design platform with over two million users, InVision has developed a best-in-class security strategy since day one.
Today we’re thrilled to announce that they’re taking the next step toward bolstering their product security with the launch of their public bug bounty program.
Yesterday we shared how some of Bugcrowd’s top-ranked bug hunters fit bounties into their schedule and maximize payouts, and today we’re going to dive a bit deeper with one of those researchers. In today’s post, Brett Buerhaus, ranked 16 on Bugcrowd and experienced security researcher, shares his method for approaching new bug bounties and writing bug submissions.
In our recently published report on the bug hunting community, we asked all kinds of bug hunters what motivates them to participate in bug bounties, and how they decide what programs to participate in. Amongst several of the groups identified in the report, time was a huge factor. With a full-time job, family and a social life, how does one fit bug bounty hunting into their busy schedule?
Over the past four years that we’ve been helping organizations connect with the world’s top security talent to run crowdsourced security programs, a lot has changed. In our recent State of Bug Bounty Report, we examine that change with proof that more traditional organizations adopting the bug bounty model, more private programs being run, and so on and so forth.
The crux of that change, however, lies in the community. Whether you call them hackers, bug hunters, or security researchers, they make the bug bounty world go ’round. As this niche grows and evolves from the small group it once was, it is becoming more nuanced, and the motivations of bug hunters vary widely.
Now that we’ve rested our feet, drank some water, and adjusted from the Las Vegas time warp, we thought we’d give a brief recap of our week. In the six days we spent boots down in Vegas, we caught some great talks with some of our favorite people, threw, sponsored and attended awesome events, and as always, met amazing folks from the InfoSec community.
Putsi is #38 on the community leaderboard, with a 97.14% acceptance rate and an average bug priority of 3. Putsi just recently entered the top 40 on Bugcrowd and has had success with many private and public bounty programs on the platform.
Read below for our interview with Putsi and make sure to follow @Putsi on Twitter.
Nikaiw is #58 on the community leaderboard, with a 96.88% acceptance rate and an average bug priority of 2.37. Nikaiw has been on Bugcrowd for less than 6 months and in that time he’s found 31 valid vulnerabilities, with 10 of those being P1’s.
Read below for our interview with Nikaiw and make sure to follow @Nikaiw on Twitter.