The goal of crowdsourced security is to let customers identify the highest-value vulnerabilities as quickly as possible by engaging the people with the most expertise in finding them – the Crowd!
The Bugcrowd platform enables this by connecting the right white hat hacker with the right customer engagement. A critical input to this matching process is a researcher's past performance and behavior. If you're good at finding XSS, you are likely to be invited to another program that needs that skill set.
Skills and Points on the Platform
Bugcrowd knows that when the right researcher is matched with the right program, we see amazing results. CrowdMatch ensures this is possible dynamically, ingesting information as we get to know you better.
One way we've kept track of past performance has been through kudos, also known as Bugcrowd points. So far, the purpose of Bugcrowd points has been to recognize researchers on the platform. Bugcrowd's CrowdMatch technology now also takes other data points into account, such as past submissions, the priority of those submissions, and a researcher's skills and interests. This gives CrowdMatch a more multi-dimensional view of researchers and better captures a researcher's actual performance.
Changes to Submission Points Allocation
As Bugcrowd grows and the researcher community grows with us, we’ve observed some creative approaches to acquiring points on the platform. After all, we are working with hackers here – some of the most resourceful and intelligent people on the planet!
In particular, we've recently seen a trend in which a small number of researchers submit a large number of easily discoverable, low-severity findings in order to gain points from duplicates and inflate their score on the platform. Because these vulnerabilities are easy to discover, they are nearly always duplicates of findings already reported, and they aren't useful to program owners.
This behavior has a couple of undesirable side-effects:
- The overall value of points is diluted by duplicate harvesting.
- Points awarded for these submissions don't necessarily reflect the researcher's skill or the impact of their work.
- The time Bugcrowd's triage team spends on low-value duplicates could be better spent on submissions of real value to program owners.
With this in mind, we will no longer be awarding points for duplicate P3 and P4 submissions, effective immediately.
Long-term Benefits to Points Changes
We anticipate this change to be beneficial to all parties involved.
- The value of Bugcrowd kudos points will no longer be diluted by duplicate harvesting.
- Researchers are incentivized to submit higher-value findings.
- Program owners receive higher-value submissions, which translate into higher-value payouts.
- Bugcrowd's best-in-class triage team can continue to focus on high-value, unique findings and on providing excellent service to the hackers who submit them.
If you believe that your P3 or P4 finding is not a duplicate, we still encourage you to submit it to the program; only duplicate P3 and P4 submissions are affected by this change.
We’re excited to deliver higher quality triage due to these changes, and we’re looking forward to helping researchers of all skill levels continue to Level Up their hunting!
If you have any questions about this change, please reach out to firstname.lastname@example.org