June 2018 Hall of Fame & Researcher Highlight

Bugcrowd is pleased to announce our June 2018 Hall of Fame winners.

todayisnew swept first place! Private User rocked second place, and coming in strong is ahmedehane in third place! Congratulations to our winners and we appreciate all your hard work.

Bugcrowd would like to thank our top performers by awarding bonuses!

  1. todayisnew – 1533 points – $2,500 bonus
  2. Private User – 480 points – $1,500 bonus
  3. ahmedehane– 476 points – $1,000 bonus

Think you have what it takes to come out on top?
High severity bugs that result in critical security impact such as remote code execution or elevation of privilege earn the most kudos points – check out our blog for a breakdown of points and priority, as well as some other great resources such as bug bounty tips and hacker advice from our top researchers.

Submitting high severity bugs not only gets you bigger rewards, it can also help you get invited to private bounty programs faster.

Thanks again to all of the Bugcrowd Researchers for all of their hard work and contributions! We look forward to our July Hall of Fame results! 

June 2018 Researcher Highlight:

This month we would like to highlight one of our up and coming Researchers who is doing awesome work and contributing to the success of our programs – dr0v3r. From February 2018 to early July 2018, dr0v3r went from being ranked 254 to 86! Additionally, dr0v3r has a 100% bug acceptance rate and an average priority rating of 2.62 over 78 bugs.

Let’s now hear directly from dr0v3r:

Take us back to your early days, what got you started with technology?

I first was given an ancient laptop to play with…weighed about a ton but it allowed me to play around with DOS games as well as being introduced to the CLI which I had to figure out myself. Then, over the years, I had a bunch of various desktops and game consoles that I got into.

What do you enjoy about participating in bug bounties?

It is a bit of fun that offers me the ability to try new things across a wide range of technologies and applications. Additionally, in my situation, I do not have a lot of time throughout the working week to spend on bug bounties, however, the knowledge that there is always a program available to try something new, and potentially get some sweet, sweet cash on, is fantastic. 

Do you have a favorite type of vulnerability you like to hunt for?

In recent times, SQLi, Blind XSS, authorization issues and LFI. Low hanging fruit is nice, but usually already picked off by other researchers, so I start with attacking the more juicy issues first and see where that takes me.

What is the number one thing that makes you decide to test on a bounty program?

As a pentester, you generally get the feeling whether a web application, as an example, is going to be susceptible to a bunch of issues when you start interacting with it. Given my time limitations throughout the week, I use this as an indication of whether I should invest time in testing on a particular program. Things like a lack of input sanitization (resulting in XSS) could also infer other impactful issues such as SQLi may be evident, or the use of sequential numbers (brute forcible) within URL parameters, in certain circumstances, could mean IDOR / authorization concerns.

Any tips or suggestions that you would give to other bounty hunters?

Be efficient with your time, enjoy the challenge and don’t burn yourself out.

What would be the ultimate piece of swag you would want?

A new snowboard or GoPro would be fantastic.