Bugcrowd is excited to announce both the September and October 2016 Hall of Fame winners!

September Hall of Fame Winners

In September, we experienced some last minute shuffling at the end of the month that ended up jumbling our ‘Top 3’ researchers (please see below for the full details). As you can see, it was an extremely close race for the top this month! All three researchers did amazing work and delivered multiple critical vulnerabilities to programs, so we are pleased to award a 3-way first place tie.

  1. nijagaw – 530 points – $2,500 bonus
  2. zseano – 525 bonus – $2,500 bonus
  3. mongo – 522 points – $2,500 bonus


October Hall of Fame Winners

Our October leaderboard is now live, and we’d like to give a shout out to zseanomongo, and Harie_cool for being on our leaderboard once again!

To thank our top performers for their hard work, Bugcrowd is pleased to announce that all three researchers will receive bonuses for their performance.

  1. zseano – 816 points – $2,500 bonus
  2. mongo – 612 bonus – $1,500 bonus
  3. Harie_cool – 359 points – $1,000 bonus


*So what happened in September?
During the first week of October, we closed out an On-Demand program that  bumped nijigaw’s point total to 528 points putting him in first. When we identified why the leaderboard changed and deployed a fix, the leaderboard changed a second time and put zseano up to 525 and nijigaw up another 2 points to 530.

Why did this happen? Normally when a duplicate vulnerability is reported, the original vulnerability [bug1] report has been validated by the customer and is not still in a ‘triaged’ state. When the duplicate report [bug2] is validated, points are awarded based on the priority of the first report.

In this case, a vulnerability report [bug2] from nijigaw was duped against an original vulnerability report [bug1] that was still in ‘triaged’ state.  These bugs were reported in September. On October 4th, the original submission [bug1] was validated, enabling nijigaw’s duplicate submissions to receive points – points that were applied to the date the duplicate bugs were triaged in September, not when the points were awarded in October.  This changed the September leaderboard results.  

We’ve made modifications to when duplicate points are awarded so this unusual situation doesn’t happen again and have confirmed that it did not change the results of any prior month’s leaderboard. Given the difference in first place points is so narrow and we changed code as a result of the situation, we’ve decided to call it a tie.  

Think you have what it takes to come out on top?

High severity bugs that result in critical security impact, such as remote code execution or elevation of privilege, earn the most kudos points – check out our blog for a break down of points and priority and for other great resources on our blog and forum.

Submitting high severity bugs not only gets you bigger rewards, it can also help you get invited to private bounty programs faster – check out A Look At Private Program Invites to learn more about how to get chosen for private programs.

Thanks again to all of the Bugcrowd researchers for all of their hard work in September and October. We look forward to the November Hall of Fame results!