skip to Main Content
This website use cookies which are necessary to its functioning and required to achieve the purposes illustrated in the privacy policy. To learn more or withdraw consent please click on Learn More. By continued use of this website you are consenting to our use of cookies.

Glossary of Cybersecurity Terms

Application-Level Denial-of-Service (DoS)

Photo by Michael Geiger on Unsplash Application DDoS attacks are distributed denial of service (DDoS) attacks designed to make online application services unavailable by overwhelming them with a virtual flood of internet traffic. The significant increase in traffic overwhelms machines and networks,...

Bounty Brief

Outlines the rules of engagement for a bounty program, thereby setting the expectations for how both parties will behave throughout the process.

Broken Access Control (BAC)

Broken Access Control is when an application does not thoroughly restrict user permissions for appropriate access to administrative functionality. The consequences associated to broken access control may include viewing of unauthorized content, modification or deletion of content, or full applicatio...

Bug Bounty Program (BBP)

A bug bounty program (BBP) is a sponsored, organized effort that compensates security researchers for surfacing and reporting otherwise unknown network and software security vulnerabilities, thereby enabling the digitally connected business to manage and reduce their cybersecurity risks. The phrase...

Code Injection

Photo by Sigmund on Unsplash Code injection is a technique that a threat actor uses to input or inject malicious code which takes advantage of a validation flaw in the software. Code injection is also known as remote code execution (RCE). The malicious code is usually "injected" in the same language...

Common Vulnerability Exposure (CVE)

Photo by Florian Olivo on Unsplash Common Vulnerabilities and Exposures (CVE) are a listing of security threats categorized within a standardized reference system. The CVE program was launched in 1999 by MITRE to identify and catalog vulnerabilities in software into a freely accessible set of data s...

Common Vulnerability Scoring System (CVSS)

CVSS (Common Vulnerability Scoring System) is an industry standard for assessing the severity of a security vulnerability. The characteristics of a vulnerability are assessed, and then a numerical score is produced, which weights the overall severity. This numerical score can then be assigned to a c...

Common Weakness Enumeration (CWE)

Common Weakness Enumeration (CWE) is a classification and categorization of common software vulnerability types. There are currently over 600 categories ranging from buffer overflows, cross-site scripting, to insecure random numbers.

Cross Site Request Forgery (CSRF)

Also known as one-click attack, CSRF is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.

Cross-Site Scripting (XSS)

Photo by Sigmund on Unsplash XSS (cross-site scripting) is a type of cyberattack in which the threat actor injects malicious scripts into websites and web applications. The goal is to have these scripts executed on the users' end-point devices where the threat actors can bypass controls and imperson...


A powerful platform connecting the global security researcher community to the security market.

Crowdsourced Security (CSS)

Crowdsourced security is an organized security approach wherein a number of ethical hackers are incentivized to search for and report vulnerabilities in the assets of a given organization, with the full understanding and awareness of the organization in question. The power of crowdsourced security i...

Email Spoofing

Email spoofing is the forgery of an email header with a false address. Email spoofing is often used in phishing and spam campaigns. The purpose of email spoofing is usually to obtain sensitive material about the recipient, or to get the recipient to install malicious malware.


If you do a Google Image Search against the word hacker, you’ll get images of scary-looking balaclava-clad cybercriminals hunched over a quintessentially green computer terminal. They’re up to no good… Stealing your data, crashing critical systems, or causing general Internet badness. In reality, th...

Internet of Things (IoT)

Any device (often called a “smart” or “connected” device) that connects to and exchanges information over the internet.

ISO 27001

ISO 27001 is an international standard that dictates how companies design and implement an Information Security Management System. ISO 27001 was created by the U.S. Information Security Management Practices Act (ISMA) of 1994. Before this act, there was no set standard for managing information secur...

National Cybersecurity Awareness Month

Photo by Jefferson Santos on Unsplash National Cybersecurity Awareness Month (NCSAM) is an initiative by the US Department of Homeland Security to promote the importance of cybersecurity. Established in 2004, National Cybersecurity Awareness Month was started jointly by DHS's National Cyber Security...

Nessus® Vulnerability Scanner

The Nessus vulnerability scanner is a remote security scanner from Tenable, Inc. Nessus scans a computer and then generates alerts if vulnerabilities are discovered. Nessus runs over 1,000+ checks to see if vulnerabilities exist. First, you need to install Nessus. There are instructions on the Tenab...

NIST Cybersecurity Framework

NIST CSF (The National Institute of Standards and Technologies Cyber Security Framework ) is a set of standards to help companies improve their overall cybersecurity posture. The NIST CSF defines a set of best practices that enables IT organizations to more effectively manage cybersecurity risks. Or...

Open Web Application Security Project (OWASP)

The Open Web Application Security Project® (OWASP®) is a nonprofit foundation that works to improve software security. The OWASP Foundation is a trusted resource for software developers and technologists seeking to secure the Internet. OWASP sponsors many community-led open-source software projects...


Photo by Shahadat Rahman on Unsplash OpenVAS is a widely used vulnerability scanner distributed by Greenbone Networks. OpenVAS includes a variety of built-in tests and a Web interface. In addition, OpenVAS makes setting up scanning user-friendly and highly configurable. OpenVAS is open source. When...


The money paid to a researcher once their vulnerability submission has been validated.

Penetration Testing

Penetration testing, commonly known as pen testing, is a simulated cyberattack done by authorized 3rd party ethical hackers, that tests and evaluates the security vulnerabilities of the target organization's computer systems, networks, and application infrastructure. Human penetration testing operat...


Points awarded or deducted for submissions to the researcher, builds status and used to measure the leaderboard.

Private Bug Bounty Program

Unlike public bug bounty programs, private bug bounty programs are programs that are not published to the public. Researchers on the Bugcrowd Platform can participate by invitation only. It is ideal for targets that are not publicly accessible such as staging environments, applications that require...

Public Program

A public bug bounty program is open to the entire researcher community to test for and report vulnerabilities in an organization’s software or digital assets. This means that all researchers on the Bugcrowd platform are given the right to hack your program.   Interested in learning more? Bugcrowd’s...

Qualified Security Assessor (QSA)

A Qualified Security Assessor or QSA is a person who is accredited by the PCI Security Standards Council to independently assess and validate an organization's security compliance with PCI DSS requirements. The qualified security assessor carries out his assignment in a business environment, supplyi...

Remote Code Execution (RCE)

Remote code execution is a cyber-attack whereby an attacker can remotely execute commands on someone else’s computing device. RCEs usually occur due to malicious malware downloaded by the host and can happen regardless of the geographic location of the device. We have a t-shirt that explains this ph...

Researcher Portal

A community platform for researchers to follow and join programs, submit and manage vulnerabilities and receive rewards for their work.


The payment for a valid vulnerability submission. This is defined in the scope of a program and can include anything from points to swag and cash.


Outlines the rules of engagement for a bounty program. This includes a clearly defined testing parameter to inform researchers what they can and cannot test, as well as the payout range for accepted vulnerabilities.

Security Researcher

Hacker or bug hunter are common terms used to describe a security researcher or any skilled computer expert that uses their technical knowledge to identify vulnerabilities in an organization’s SDLC.  Our crowd of security researchers comes from all walks of life, most are working information securit...

SQL Injection (SQLi)

In a SQL injection attack malicious code is embedded in a poorly-designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed.


The report a researcher submits to Bugcrowd describing the vulnerability or bug they found.


A target is the thing (web or mobile application, hardware, API) that the crowd test for vulnerabilities.

The Crowd

The global community of white-hat hackers on the Bugcrowd platform who compete to find vulnerabilities in bug bounty programs.


The process of validating a vulnerability submission from raw submission to a valid, easily digestible report.


Valid refers to the state of a vulnerability that has been tested and confirmed real.


A security flaw or weakness found in software or in an operating system (OS) that can lead to security concerns.

Vulnerability Disclosure Program (VDP)

A Vulnerability Disclosure Program creates clear guidelines for researchers to submit security vulnerabilities to organizations while also helping organizations mitigate risk by supporting and enabling the disclosure and remediation of vulnerabilities before they are exploited. Vulnerability Disclos...

Vulnerability Priority

P1 - Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc. P2 - High: Vulnerabilities that affect the security of the software and impact the processes it supports. P3 - Medium: Vulnerabilities that affect mul...

White Hat Hacker

Photo by Philipp Katzenberger on Unsplash A white hat hacker is a computer security expert who uses penetration testing skills to help secure an organization's networks and information system assets. A white hack hacker is also known as an ethical computer hacker. White hat hackers work with informa...

XML External Entity Injection (XXE)

An attack against application(s) that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port sca...
Back To Top