Points are everywhere, however, they could be detrimental . . . 

For years, researchers have relied on points as an easy, single flat metric for gauging one’s success on the platform – those with more points were ranked higher than those with fewer points.  This view of points led to the infamous kudos farmers, and a whole lot else – such as duplicate abuse, vuln sharing, VDP misconceptions, and so on. And now, despite the great run we’ve had with kudos points, we’ve reached a point in time where points as we know them no longer properly reflect a researcher’s ranking, status, or aptitude.  

As was announced in our previous blog post, Bugcrowd has removed the points system for VDPs. We have adopted a new invite system in which points play no part whatsoever in getting new invitations to private programs. View Private Program Invite opportunities HERE

You’re likely asking yourself, “so, how do I get more invites to private programs or to the extremely desirable fresh launches?” The answer:  Invitations are given out based upon two parameters:

  1. Proven skills that are specific to the program targets
  2. Dollars earned on the platform

What does this mean for VDPs?

Private program invitations are now determined either through a researcher’s proven skills that meet the requirements of a program target or by dollars earned on the platform. While VDPs do not include bounty rewards, they are a great route to demonstrate one’s skills. A non-duplicate priority one (P1) or priority two (P2) submission on a VDP will put your skills into the running for private programs and launches where those skills are needed. Earning dollars will enhance your probability of getting invites, but aren’t required.

Why the change? 

Points are 2018’s primitive way of putting any talent on any program. In 2021, we’re doing things a little more intelligently to put the right talent on the right program. To say we’re massively excited about the future would be putting it lightly; as Bart Scott said in one of the best sports interviews of all time “can’t wait!”

As well, CrowdMatch, our invite system and recommendation engine, has gotten a lot smarter and more sophisticated at matching the right skill sets with the right programs.  We’ve been working behind the scenes to get away from invites based purely on points, and now that we’re there, it’s time to move on. 

Furthermore, this change allows us to honor researchers who have delivered significant value through their findings. Let’s look at this example; a researcher who spends two weeks reverse engineering a binary to find an RCE that’s rewarded $20k would net 40 kudos points under the points system. The very same 40 kudos points one would get for submitting 8 low-hanging P4s on a VDP. The disparity is obvious and by bucketing based on dollars, it enables Bugcrowd to give the respect to top performers that they deserve.

How do I prove I have the right skills?

Regardless of the type, all our programs have tags and traits (e.g.: iOS, Web App) associated with them. When researchers make submissions to different programs, Bugcrowd tags their skills. If the submission is a P1 or a P2, we know that the researcher is highly skilled in finding vulns in that particular area. Using these associated traits and skill ratings, our system automatically places a researcher in one of many skills-based tiers. And ultimately, when a program launches or requires additional researchers, CrowdMatch provides researcher recommendations based on how close their skills match a program’s target(s), along with other applicable criteria (i.e.: geographic constraints, certifications, etc.)

For example, if a program includes a web app as a target, researchers who have previously submitted P1s and P2s for web app targets have demonstrated their proficiency in web apps. Hence, this researcher will most likely receive an invite when another program requiring the same traits and skills is available.

How does “money earned” contribute to getting more invites?

Depending on how much money researchers have made on the platform, regardless of how (e.g. getting paid for Microsoft, Facebook, or any of our other payment processing-only customer’s findings qualify and earn researchers invites), researchers are placed into one of many tiers based on total bounty rewards. From these tiers, CrowdMatch provides researcher recommendations based on applicable criteria (skills, geographic constraints, certifications, etc.). 

For example, if a program includes an iOS app as a target, researchers who have demonstrated proficiency in testing iOS apps are first sub-segmented by dollars earned in totality, weighted, and then randomly selected based on percentages assigned to their respective bucket. In the above instance, someone with iOS experience who has earned $5k on the platform all-time is placed into a tier with others who have similar all-time earnings, and demonstrated experience with iOS. And of those in that tier, they’re randomly selected, weighed depending on how many iOS issues they’ve found (with a greater weighting for having found P1 issues vs. P4s, and so on). 

If one wants more invites on the platform they need only: 

  • Find more issues in their area of specialty/expertise (Web app, Android, Network, etc). It’s worth emphasizing that P1s will be weighted more than P2s, and so on. In addition, unique (i.e. non-dupe) findings will also be weighted more heavily than duplicates, etc.
  • Input competencies, interests, certifications, and qualifications into the platform to increase your visibility and likelihood of getting matched with the programs that are the best fit for your unique blend of interests and capabilities.
  • Earn more total dollars (which is representative of the value one has provided via their findings; the more dollars earned, the fewer people to compete within the segment for invites). The more the platform knows about you, the more effective it’ll be, and the better experience you’re likely to have as a researcher. 

Will my existing points expire?

Your existing points will not expire. In fact, we’re in the process of revamping our points systems as well. However, existing points have no influence or bearing on getting invites. We encourage researchers to provide their feedback via support@bugcrowd.com or share ideas on our Discord. We’ve got a lot of great ideas in motion, but the input and feedback from our researchers has been, and will always be central to the development of any new feature(s)! 

Summary

Points play no part in receiving private program invites. Researchers are invited to private programs based on:

  1. Proven skills that are specific to the program targets
  2. Dollars earned on the platform

The fastest way to receive private program invites is by making high-priority, unique submissions against paid targets. The time is right to come out and let the world know that points aren’t what they used to be – they don’t determine invites – your skills do. And that’s as it should be.