skip to Main Content
This website use cookies which are necessary to its functioning and required to achieve the purposes illustrated in the privacy policy. To learn more or withdraw consent please click on Learn More. By continued use of this website you are consenting to our use of cookies.

Podcast – An Inside Look at the Crowd with Frans Rosen & Sam Houston

For me, one of the most enjoyable aspects of the security industry is the security community. The relationships I’ve been fortunate enough to build over the past couple of years have made this job very rewarding and of course, a ton of fun. I recently had the chance to record a podcast discussion with Frans Rosen, founder of Detectify and active bug bounty hunter to discuss our experiences in the security community:

Read More

Big Bugs Podcast Episode 2: ImageTragick Up Close

This morning we released the second episode of our new podcast series ‘Big Bugs’ hosted by me. This episode, embedded in this post and available on SoundCloud, takes a look at the recently popularized bug, ImageTragick. I discuss the detection and remediation time line of the widespread bug in the image processing suite, ImageMagic, as well as the implications it has for developers and researchers.

Read More

Discovering Subdomains

When coming across a *.target.com scope, it’s always a good idea to seek the road less travelled. Exotic and forgotten applications running on strangely named subdomains will quickly lead to uncovering critical vulnerabilities and often high payouts. Discovering such subdomains is a critical skill for today’s bug hunter and choosing the right techniques and tools is paramount.

Read More

Researcher Spotlight – Fuzzybear

Fuzzybear is #43 on the community leaderboard, with a 100% acceptance rate and an average bug priority of 2.55. In the short time he’s been on Bugcrowd and in bug bounties he has done quite well, successfully finding 65 bugs on Bugcrowd bug bounties, most of which was through private bug bounty programsHe also has one of my favorite usernames in the community!

Read below for our interview with Fuzzybear, where he shares some great practical advice for researchers.

Read More

Jet.com Increases Rewards to Match the Market Rate of Security Bugs

At the beginning of this year we released our ‘Defensive Vulnerability Pricing Model’ that answers the question “what’s a bug worth?”. This guide outlines how much organizations should budget for crowdsourced security programs, and what reward ranges attract the right talent. In short, this guide, informed by tens of thousands of vulnerability submissions and years of running public and private crowdsourced security programs, set the first market rates for security vulns by criticality, and now organizations are beginning to adopt this guidance.

Read More

Researcher Spotlight – Mico

This week’s Researcher Spotlight is on Mico! Mico ranks #5 on Bugcrowd’s leaderboard with over 1926 kudos points, 266 bugs found, a 91% acceptance rate and an average bug priority of 2.92. In a relatively short period of time we’ve seen Mico climb his way up the charts. Mico can be found on Bugcrowd and you can follow him on Twitter at @bugtest0101.

Screenshot_2016-05-09_14.17.17.png

Take us back to your early days, what got you started with technology?

Read More

April 2016 Leaderboard

Time for the April Hall of Fame announcement of 2016!  Big recognition once again goes to mongo, who topped the April leaderboard with an astounding 1039 points earned through multiple P1 submissions.

Read More

How to Write a Clear and Thoughtful Scope, A Deep Dive

We recently published a comprehensive but abbreviated guide ‘Anatomy of a Bounty Brief’ which explores each part of a bounty program brief and how organizations can write them more clearly and thoughtfully.

Once you’ve identified that you and your organization are ready to commit the necessary time and resources to running a bug bounty program, it’s time to start building out your program brief – the first step of which, is setting the program scope.

Read More

Big Bugs Podcast Episode 1: Auto Bugs – Critical Vulns found in Cars with Jason Haddix

Today we released our first episode of our new podcast series ‘Big Bugs’ hosted by me. Our first episode, embedded in this post and available on SoundCloud, provides an introduction to the car hacking space. With case studies of successful attacks and research from the past years, I also provide some technical resources for testing as well as technical resources for developers. Enjoy!

Read More
Back To Top