Over the past six years, the bug bounty industry has grown enormously and changed a great deal. As our community expands to include more hackers and more organizations, new issues arise that present new challenges. At Bugcrowd we have learned that, with that growth, the importance of transparency has increased as well.
Our goal today is to explain several issues and topics that have been discussed within the bug bounty community. Going forward, we will be posting more community updates and creating other ways to keep you up to date on what we are working on at Bugcrowd HQ.
To make things easier, I’ve broken out the major topics that I’ll be addressing today.
Private Invite System & Program Launches
There has been some confusion around our private bounty invite system — I’d like to take some time to explain how private programs and invites work.
First, to be eligible to receive private bounty invites on Bugcrowd you need to meet all of the following requirements: at least one submission within the past 90 days, at least 50% of your bugs have been valid in the past 90 days, and your average submission priority score is between 1.0 and 3.99 in the last 90 days.
You can read more about our private bounty invite criteria here.
Once you meet those minimum requirements, additional activity on the platform neither raises nor lowers your chance of receiving an invite.
Bugcrowd's private invite system distributes invites to researchers based on the criteria above and is not built to favor a specific type of researcher. Instead, the system looks at the requirements of the program (is an NDA required, are specific skills required, are researchers from particular countries required, are background checks required, and so on) and distributes the number of invites the program has available.
We are currently improving the private invite system on the backend so that our researcher operations teams can select the best group of researchers for each program. In the near future we will be adding a skill system that lets us connect researchers with the programs that need their skills the most.
Generally speaking, we have heard from researchers that they would like more private invites. Along with the system improvements, we will also investigate ways to create more opportunities with private programs and to streamline the process internally at Bugcrowd.
Additionally, private invites and program launches can be heavily affected by business seasonality (some companies have code freezes in particular months), national holidays and popular vacation times.
The biggest constraint is simple: the total number of invites. Most private programs invite a small number of researchers at launch. That’s where you can help us: spread the word about Bugcrowd to your friends and industry colleagues. Please reach out to us if you’d like to chat.
Kudos Programs and the Kudos Point System
Kudos programs have been a hot-button issue on Twitter for the past few months. We have heard concerns from researchers that kudos programs are effectively a way to get cheap or free bugs. We disagree: we see kudos programs as a great way to grow the bug bounty industry and create opportunities for new bug hunters across the community.
At their core, Kudos programs are Vulnerability Disclosure Programs (VDPs), the functional equivalent of a neighbourhood watch for the Internet. Our customers set them up to provide legal safe harbor and a simple way for anyone on the Internet to report security vulnerabilities. We believe it is in everyone's best interest to have a VDP, and that having one is becoming an expected responsibility of running an organization on the Internet.
Many companies first engage with both the researcher community and Bugcrowd through a VDP. It takes time for development and security teams to acclimate to accepting bugs from external researchers, learn how to have those conversations at scale, and adjust internal processes to accept external security feedback. A VDP can serve as a launching pad toward a full public bug bounty program, and for many organizations we work with, it is our shared goal to steer them in that direction.
VDPs are good for companies and a positive thing for the broader security researcher community, and we also view them as proving grounds for new and aspiring hackers. Many new researchers use VDPs as a safe way to test and refine their skills.
We believe in the value of a vast, diverse researcher community made up of professionals who each have their own skills and techniques. Bugcrowd welcomes beginners, experienced researchers, and everyone in between. We launched Bugcrowd University at DEF CON, with the launch set of content focusing on high-impact bugs and a methodology that will lead researchers to success in their particular style of bug hunting, whatever that might be for each individual.
We have also heard concerns that kudos-only programs may be overly generous with their kudos. We think this deserves a closer look and are having our teams investigate; if that turns out to be the case, we will find ways to remedy it.
Leaderboards & Researcher Competition
Last month we removed the points-based leaderboard. We believe this will encourage bug hunters to keep improving their skills, and will encourage our customers to incentivize them more aggressively. In addition to the leaderboard for overall P1 and P2 submissions on paid programs, we have added one for overall P1 through P4 submissions on paid programs.
We believe these leaderboards will create a new way for researchers to compete, putting more focus on the priority of the bug and less on kudos points. If you have any feedback on the new P1/P2 leaderboards, please let us know on Twitter or email us at email@example.com. We plan to iterate on leaderboard ideas over time, so if you have any thoughts, send them over!
Researcher Platform Updates
We realize that in the past we’ve been slow to make updates to the researcher platform. Sorry about that. We’ve made a lot of progress this year, including expanding our engineering and product teams. Recently, Jonathan Gohstand joined as VP of Product at Bugcrowd, and he is committed to improving the researcher experience on our platform.
Our teams are committed to tackling the biggest issues our researcher community has with the platform. Right now, besides enhancing the private invite system, we are making improvements that we hope will result in bugs being rewarded faster and will remove much of the confusion and waiting involved in submitting a bug.
Today, many researchers ask us for updates on bugs they submitted days, weeks or months ago. We are working on platform improvements that will create more transparency for researchers and help customers see which bugs they need to act on when they log into the Bugcrowd platform.
In addition, we are going to look for opportunities to release smaller updates alongside our large ones. We recently launched the P1/P2 leaderboards, and on September 24th we added a CSV export option for researcher payment reports. We think those are good examples of small improvements that make an impact, and we plan to find more opportunities of that kind.
We are going to increase our swag giveaways and the ways researchers can earn swag, especially our most passionate and active researchers. We have heard loud and clear that researchers would love to represent Bugcrowd out in the world. We will have more information on this later this year.
Is that it?
Nope. There are always more things to discuss and problems for us to tackle, but I think these are the major topics that we should address today. I appreciate your time, both in reading this post and your contribution to the Bugcrowd community. If you have any feedback, please contact us on Twitter at @Bugcrowd, or email us at firstname.lastname@example.org.
Also, listen to this podcast featuring me, Chairman, CTO and Founder Casey Ellis, and VP of Researcher Growth, Jason Haddix.