It is time for the July 2015 Hall of Fame, and this month we had an unusual situation. We ran an internal project for our Application Security Engineers, and jhaddix crushed it. But the performance bonus program is for the Crowd, not employees. Because jhaddix's points would have placed him third, in July we are awarding the 1st, 2nd, and 4th place researchers instead. To thank these individuals for their hard work, Bugcrowd is pleased to announce that the following researchers will receive July 2015 performance bonuses:
1. harie_cool – 128 points – $2,500 bonus
2. securityidiots – 119 points – $1,500 bonus
4. NG – 78 points – $1,000 bonus
Want to see your name in the Hall of Fame?
How does a researcher earn Kudos points? High severity bugs earn the most points; see below for the priority and points breakdown. Submitting high quality bugs can also get you invited to private bounty programs. Check out A Look At Private Program Invites to learn more about how to get chosen for private programs.
Thanks again to all Bugcrowd researchers for their hard work in July. We can't wait to see who is in the Hall of Fame for August!
P1 – CRITICAL – 20 points
Vulnerabilities that allow privilege escalation on the platform from unprivileged user to admin, remote code execution, financial theft, etc. Examples: Remote Code Execution, Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass
P2 – HIGH – 15 points
Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, Stored XSS, some CSRF depending on impact
P3 – MEDIUM – 10 points
Vulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples: Reflected XSS, Direct object reference, URL Redirect, some CSRF depending on impact
P4 – LOW – 5 points
Issues that affect individual users and require user interaction or significant prerequisites (such as a MitM position) to trigger. Examples: Common flaws, Debug information, Mixed Content
P5 – BIZ ACCEPTED RISK – 2 points
Non-exploitable weaknesses and "won't fix" vulnerabilities. Examples: Best practices, mitigations, issues that are by design or an acceptable business risk to the customer, such as the use of CAPTCHAs.