Crowdsourced security testing and vulnerability disclosure programs require the right combination of policy, resources, and support to be successful. Bugcrowd’s leading platform and team bring years of experience facilitating success with whiteglove management of these programs. From the policy design, launch, and submission management our Operations team is a close partner of our talented researcher community and customers.
As part of a longer upcoming series on our Security Operations team I’d like to share some insight on who we are, our role in managing successful bounties at Bugcrowd, and how we also participate in the researcher community directly.
Who are we?
Security Operations is a globally distributed and highly experienced team of application security professionals with backgrounds ranging across pen testing, Fortune 50 enterprise security, static analysis, code review, and independent security research. Our team’s diversity reflects the community we serve and is a strength we leverage every day in triaging, validating, and enriching vulnerability submissions to our customer’s managed bug bounty programs.
In addition to technical review, we facilitate communication and collaboration between our researchers and customer analysts, ensuring mutual understanding and success. You’ll find us at security conferences where we teach, learn, and generally share our knowledge and experience with the community. We’ve also developed and open-sourced Bugcrowd’s Vulnerability Rating Taxonomy, and have contributed to several security tools, e.g. HUNT.
Our passion for security and a safer internet is driven by our hacker ethos and as part of Bugcrowd’s core values:
- Simple is strong
- Respect is key
- Build it like you own it
- Think like a hacker
The way we manage the sensitive vulnerability information to which we’re privy to and how we conduct ourselves in our own research, put these values into action. To support our team in this important effort, we have both a long standing policy and purpose-built platform features.
Who has access to vulnerability information in Bugcrowd?
As a security-conscious company, we operate on a principle of least privilege, accountability, and auditability. Access to bounty programs is restricted to operational and support staff that have a direct business need to engage with both the authorized company analysts and security researchers. Bugcrowd Application Security Engineers are provided limited access to bounties as assigned, with minimal supervisory staff having broader privileges. Within our Crowdcontrol platform, the provisioning, removal, and use of this access is also verbosely logged.
Why is this important?
Many of our broader team, inclusive of Security Operations, either have or currently participate in bug bounty programs. To ensure both appropriate protection of sensitive vulnerability data and a level playing field in our programs we enforce the following policies and access controls:
Employees may not participate in any bounty on which:
- They have had pre-existing knowledge of targets or existing submissions within the last 60 days
- The program has launched less than 72 hours ago (public)
- There are less than 50 community researchers (private)
- There is already another Bugcrowd employee participating (private)
Participation is limited to 2 On-Demand programs per quarter
Employees are not listed on nor eligible for leaderboard participation
These participation policies were developed in collaboration with community council and allow us to contribute to a safer internet both in our capacity as Bugcrowd employees and passionate security professionals.
As always, we both welcome and encourage your feedback. Collaborate with us on our taxonomy, reach out to our Support team, and stay tuned for more elaboration on the Security Operations team. We are just one part of a broader effort at Bugcrowd to make bug bounty programs successful for both our customers, and our researchers. As the front line of the war on bugs, we strive to ensure that all parties involved come away with a positive experience.