
Topic: Bugcrowd News

XSS Bugs that Prove the Danger in ‘XSS-Fatigue’

XSS-Fatigue: Realities and Pitfalls

Cross-Site Scripting was ‘discovered’ in 1999, and since then it has appeared in just about every ‘top-ten most common vulnerabilities’ list. The frequency and longevity of XSS in headlines, PoCs and vulnerability databases over the past 10+ years have thrown us into ‘XSS-fatigue.’ In our own annual report this year, we reported that of all vulnerabilities submitted through Bugcrowd programs, over 25% were classified as XSS. In this post, we’ll explore the idea of XSS-fatigue, why XSS bugs are still so prevalent, and some examples in which XSS bugs were incredibly high impact, proving that XSS-fatigue is founded not in quality, but in perception.


Q4 Researcher Promotion: Thick Client Targets

As the bug bounty space has matured, the range of targets to test against has expanded and diversified incredibly. Our programs offer a broad range of targets, from web and mobile, to APIs and IoT devices (even cars)! Over the last several months, Bugcrowd has launched more and more bounty programs that feature thick client applications.

Whether you have skills in testing thick client software, or want to expand your expertise, Bugcrowd has several public programs and numerous private programs available for you to hack on for fun and profit. This quarter we’re running a limited time promotion for all submissions found in thick client applications.


Big Bugs | Episode 6: API Security and the Internet of Things w/ Fitbit

The unprecedented growth and adoption of connected devices have created innumerable threats for organizations, manufacturers, and consumers, while at the same time creating unprecedented opportunities for hackers. In this episode of Big Bugs, Jason Haddix joins Fitbit’s security team to explore what it takes to effectively hack connected devices through APIs, and how the role of defenders has evolved in this domain.

The speakers explore the growing prevalence of connected devices in our lives, the use of APIs, the increasing importance of API testing in its new form (REST vs. older XML-based testing), and how it’s a valuable skillset for researchers as well as organizations.


Inside the Mind of a Hacker: Bugcrowd’s 2016 Bug Hunter Community Report

Over the past four years that we’ve been helping organizations connect with the world’s top security talent to run crowdsourced security programs, a lot has changed. In our recent State of Bug Bounty Report, we examine that change with proof that more traditional organizations are adopting the bug bounty model, more private programs are being run, and so on.

The crux of that change, however, lies in the community. Whether you call them hackers, bug hunters, or security researchers, they make the bug bounty world go ’round. As this niche grows and evolves from the small group it once was, it is becoming more nuanced, and the motivations of bug hunters vary widely.


July 2016 Hall of Fame

Bugcrowd is excited to announce our July 2016 Hall of Fame winners! Apologies for the delay in posting this, but we spent all last week in Las Vegas at Black Hat/DEFCON (you can read all about it here)!

Once again, mert has topped the June leaderboard with his amazing work across our platform. Following up, we’re happy to have VINOTHKUMAR in second place, and krbtgt rounding out the top three. To thank our top performers for their hard work, Bugcrowd is pleased to announce that all three researchers will receive bonuses for their performance.
