A few weeks ago I was tagged by Art Manion of the CERT Coordination Center (CERT/CC) in a tweet asking about Bugcrowd’s approach to disclosure policy defaults. The short version of the thread was concern around a statement in our…
Last week, the House voted to approve H.R. 6735, a bill that directs the Homeland Security Secretary to establish a vulnerability disclosure policy for the agency’s websites. This was a swift decision -- The House Homeland Security Committee advanced this…
This blog was written by Stu Hirst, Head Of Security Engineering, Photobox Group I’ve been a believer in the power of the bug bounty model since 2015 when I ran my first 2-week program with Bugcrowd. During that program the researchers…
Next week (March 1), new regulations from the New York State Department of Financial Services (DFS) will take effect, giving financial services firms licensed to operate in New York 180 days to improve their security based on new requirements. The…
In order for Researchers to be successful, it is vital to clearly communicate expectations. We have refined verbiage in both the Bugcrowd Standard Disclosure Terms and the Bugcrowd Researcher Code of Conduct, and these changes are highlighted below: In the…
Earlier this month, the National Institute of Standard and Technology’s (NIST) cybersecurity framework released a revision (1.1, Draft 2) of its Framework for Improving Critical Infrastructure Cybersecurity. The new release now includes vulnerability disclosure processes as part of the Framework Core…
If you’re reading this article, statistically speaking your organization might be getting hacked. Data breaches of U.S. government networks, once novel, have become pervasive over the past year. Take it from the Office of Personnel Management (OPM) or the IRS – no one is…
In talking with our customers, and particularly larger customers, we often hear of the need to establish an open, public, and passive channel for vulnerability disclosure from their users, customers, and the broader security community. These customers aren’t always ready for a public bug bounty but they may already have an existing security@ email address. They often have an existing security page and want the ability to accept disclosures directly from their website.
