As a leader in crowdsourced security, Bugcrowd is committed to building a secure digital world—a commitment that has been a foundational element of our mission for years. The principles outlined in CISA’s “Secure by Design” Pledge resonate deeply with our long-standing philosophy and the practices reflected in our corporate DNA. Over the past year, we’ve continued to advance and reinforce these principles across our operations and offerings in alignment with the Pledge. Our compliance status against the Secure by Design goals is shown below.
| Secure by Design Goal | Bugcrowd status as of April 2025 |
|---|---|
| Eliminating default passwords | Compliant |
| Implementing multi-factor authentication (MFA) | Compliant |
| Reducing entire classes of vulnerabilities | Compliant |
| Comprehensive security patch management | Compliant |
| Public vulnerability disclosure policy | Compliant |
| Common Vulnerabilities and Exposures (CVE) adoption | Compliant |
| Evidence of intrusions | Compliant |
Read on to learn how Bugcrowd is specifically rising to the challenge of meeting the Pledge’s principles.
1. Eliminating default passwords
We love this foundational starting place from CISA, as it will enhance the security of the B2C segment. Ultimately, this step will improve device security for enterprises and end users of software and hardware platforms.
At Bugcrowd, credentials are managed at the platform level, as our DevOps teams make use of configuration variables and tokens. The hardening and deployment process is where we would see this priority addressed.
2. Implementing multi-factor authentication (MFA)
We firmly believe that MFA is a cornerstone of modern security. It’s 2025—it’s time. We have long advocated for and implemented robust MFA across our platforms and services. Recently, we even made the move to require MFA for all Bugcrowd platform accounts. While we encourage customers to federate to their corporate SSO, we also have planned updates that will expand the types of MFA supported.
3. Reducing entire classes of vulnerabilities
This is our bread and butter at Bugcrowd: removing the noise, bringing higher-signal findings to security teams, and enabling our customers (including the Bugcrowd Security and Engineering teams!) to tackle entire classes of vulnerabilities across our service inventory.
This involves investing in secure coding practices, leveraging memory-safe languages where appropriate, and employing architectural patterns that seek to prevent, quickly identify, and aggressively resolve defects that found their way into and through the pipeline.
4. Comprehensive patch management
Maintaining up-to-date systems is critical in the fight against evolving threats. We have established robust and efficient security patch management processes for our own infrastructure. Additionally, we actively assist our customers in finding and resolving patch-related issues.
5. Public vulnerability disclosure policy
Transparency and collaboration are essential in strengthening the security ecosystem, and vulnerability disclosure is at the core of what we do here at Bugcrowd. We have maintained a clear and accessible public vulnerability disclosure policy for years. As a result, we have helped thousands of companies get their VDPs and bug bounty initiatives online.
We remain committed to acknowledging, investigating, and remediating reported issues in a timely manner, fostering trust and collaboration across the security community, as well as driving public policy protections for all aspects of research and disclosure.
6. Common Vulnerabilities and Exposures (CVE) adoption
Adhering to industry standards is crucial for effective communication and vulnerability tracking. We fully support the CVE system by assigning CVE identifiers to publicly disclosed vulnerabilities in our products. This practice ensures consistent and standardized reporting, facilitating a better understanding and management of security risks across the industry. Furthermore, it allows for cross-ecosystem vulnerability scoring.
That said, within our crowd-powered ecosystem Bugcrowd adheres to the Vulnerability Rating Taxonomy (VRT) to address priority scoring and edge cases across vulnerabilities identified by the Crowd. We prioritize responsive vulnerability scoring that is harmonized with the nuances of security research and the impact within each classification.
7. Evidence of intrusions
Detection and response (D&R) requires eternal vigilance, and we’re all in. While our proactive measures aim to prevent intrusions, we also recognize the importance of D&R capabilities. We strive to maintain comprehensive monitoring and logging systems, looking unrelentingly for anything out of the ordinary. Our incident response processes are designed to quickly identify, contain, and eradicate threats, minimizing potential impact and providing valuable insights for the continuous improvement of our security posture. We place a heavy emphasis on blameless retrospectives and learning opportunities.
Why this matters
Our commitment to these seven principles of CISA’s “Secure by Design” Pledge is nothing new—these practices are deeply embedded in Bugcrowd’s DNA. By signing the Pledge and sharing our expansion on these principles, we are taking the opportunity to double down on our ethos and invest in safe and secure collaborations across our organization, in partnership with the Crowd.