Earlier today we held the First Annual Buggy Awards hosted by our CEO and Founder Casey Ellis, our Director of Customer Success Abby Mulligan, and our Sr. Director of Researcher Operations Kymberlee Price. The aim of these awards was to honor the top bug hunters and companies running bounty programs in 2015. These two groups of people are essential to our company success and are advancing the bug bounty and vulnerability disclosure space.
Top Program Awards
For the awards given to our top public bounty programs, we recognized two companies who are truly committed to the Bugcrowd researcher community and running a great bounty program.
Top Program, Best Response Time
The first award we recognized is the public bug bounty program with the fastest response time. This award represents a customer who is truly on top of their program and communication with the researchers submitting bugs.
Runners Up:
- Jet.com
- Simple
Congrats to Fitbit to winning our 2016 Buggy Award for Top Program, Best Response Time
Since launching in September, they have accepted 70 submissions with a median time from triage to acceptance of less than one day.
Top Program, Researchers’ Choice
In a survey of our active 2015 crowd members, we asked what their favorite program was and “Why?” Some of the reasons given included… good and fair reward payouts, understanding communication, interesting targets, open scope, and a favorable disclosure policy.
Runners Up:
Congrats to Tesla Motors for winning our 2016 Buggy Award for Top Program, Researchers’ Choice
For those of you who aren’t familiar with the Tesla bug bounty program, it kicked-off mid last year, and today includes their web applications and all devices including the cars. Their program has received over 1200 submissions and had the second highest payout in 2015. You can view their program brief here.
Top Bug Hunter Awards
For the awards given to our top bug hunters, we recognized three individuals based on vulnerability submission data.
Top Bug Hunter, Responsible Disclosure Champion
This award went to the researcher with the highest Kudos points on Disclosure Only programs. This award is important because programs like ISC2, who are a not for profit security education and certification company, are extremely devoted to security but don’t offer cash bounties.
How do Kudos Points work? Each researcher that submits a vulnerability through Bugcrowd receives Kudos Points weighted by the severity of the submission – a Critical “P1” vulnerability earns 40 points, a Low severity just 5 points. You can read more about issue severity in Bugcrowd’s Vulnerability Rating Taxonomy. This is important to understand as we start talking about the accomplishments of our finalists in this category.
Runners Up:
- NG, a researcher who made 35 valid submissions to kudos only reward programs and has an average acceptance rate over 90%. Kudos points earned on disclosure only programs in 2015: 290
- Mico, who is all-time ranked 3rd place in the total Crowd, has an average submission priority of 2.90, and like NG, has an average acceptance rate over 90%. Kudos points earned on disclosure only programs in 2015: 505
Congratulations to Vishnu_Vardhan_Reddy for winning our Buggy Award for Top Bug Hunter, Responsible Disclosure Chamption.
Vishnu_Vardhan_Reddy started working on disclosure only programs to develop the performance history to get private program invitations. He achieved that goal with a number of P1 and P2 submissions in 2015. He earned 535 points on disclosure-only programs in 2015, delivering multiple high severity vulnerability reports to Bugcrowd programs.
Top Bug Hunter, Most Non-Duplicate P1’s
These researchers have gone above and beyond in submitting the highest quality bugs the most consistently in 2015, providing tremendous insights, feedback and value to organizations. So many hours have gone into the critical vulnerabilities over the past year – 1,029 were submitted across the entire Crowd. Today we’ll honor the three researchers who found the most of those P1s.
Runners Up:
- Bitquark, a UK based researcher is also a heavy hitter when it comes to P1’s, and is currently ranked 4th in the Crowd. Bitquark has been helping secure Bugcrowd customers since 2013. Non-duplicate P1 submissions made in 2015: 6
- Mongo, who joined the Crowd in June 2015 and is already ranked 2 in the crowd, with an acceptance rate of 99% and average priority of 2.67. He has brought the heat in a big way in just 7 months of 2015, and shows no signs of slowing in 2016. Nonduplicate P1 submissions made in 2015: 12
Congratulations to Nahamsec for winning our Buggy Award for Top Bug Hunter, Most P1’s.
Nahamsec is a US based researcher and university student that has been active with the Crowd since early 2014 and is ranked 9th in the Crowd overall. He delivered 14 critical vulnerabilities in 2015, helping multiple Bugcrowd customers to secure their web, mobile, and IoT applications.
Top Bug Hunter, Most Valuable Hacker
This award was given to the hacker demonstrating excellence in submitting high severity bugs, high volume of bugs, AND having a high rate of accuracy. The minimum criteria for this category are: acceptance rate greater than 95%, an average priority better than 3.0 and an invalid rate less than 10%.
Runners Up:
- Mongo has also qualified as a finalist in this category, as mentioned before, he joined the crowd in just June 2015 and is now ranked #2 overall. In 2015 Mongo had 44 valid submissions and only 7 invalid and an average priority of 2.45.
- Nijagaw, one of our European crowd members since 2013, who is ranked 10th overall in the Crowd. In 2015 Nijagaw had 53 valid submissions and only 6 invalid and an average priority 2.9.
Congratulations to Harie_cool for winning our Buggy Award for Top Bug Hunter, MVH.
Harie_cool is currently 6th place in the crowd, is based in India and has been with Bugcrowd since 2014 and submitted 90 valid submissions in 2015 with an average priority of 2.8.
While we only recognized a handful of people who delivered awesome work in 2015, we’d also like to thank the community as a whole for an awesome 2015, and for going above and beyond in 2016 so far. The year is young, but we’ve already seen some amazing research and can’t wait to see what the rest of the year brings to celebrate next year for our Second Annual Buggy Awards.
