Guide

Help Wanted


Attention Hackers:

So, as you may or may not know, Bugcrowd runs a large number of private programs that aren’t publicly visible. These private programs range from testing webapps, to APIs, to reverse engineering binaries/desktop apps, to network pentests, and even some testing on IoT devices!

That said, sometimes these programs need some fairly specific skillsets that aren’t too common – that’s where this page comes in. Listed below are some vague but useful details on private programs that Bugcrowd is running and would like to add more talented researchers to, if you’re interested.

If you’re looking to participate in any of the below, please fill out the associated Google form – and be sure to include your background, why you’re a good fit for the program, and so on (this is required – if you don’t put effort into explaining why you should be on a program, it’s unlikely that you’ll put effort into the program itself; we won’t respond to any request that doesn’t offer reasonable justification for why you’d be a good researcher to put on the program). From there, we’ll reach out directly and see about getting you added, or ask for additional information as needed.

Please note that these programs will change, and often some programs will only be available for a short period of time, since there’s often a limited number of devices, credentials, etc. Good luck and happy hunting!

Current Programs:


A mobile application used for sending/receiving money (Android and iOS) – added 11/21/17

This mobile application is used for quickly and easily sending money to and receiving money from other individuals. The one caveat is that testing requires a U.S. bank account (most major and even mid-level banks can be used, as well as some credit unions). Strong mobile skills are highly encouraged.

Objectives: any/all valid mobile security issues.

Maximum payout: $10,000

Google form link


An endpoint desktop application (Windows only)

This application can be run inside a VM, but it must be a Windows VM. It is an endpoint desktop application, and strong reverse engineering skills will be required to be effective against it.

Objectives: local privilege escalation; code execution; DoS/crashing/bypassing the endpoint service.

Maximum payout: $40,000

Google form link


A desktop antivirus application (Windows only)

This Windows AV application can be run inside a VM. It is remarkably large and complex, and significant reverse engineering skills will be required to be effective against it.

Objectives: local privilege escalation; code execution; DoS/crashing/bypassing the AV service.

Maximum payout: $20,000

Other notes: requires a background check to participate

Google form link


An SSO webapp used by a large enterprise

This program includes testing the SSO setup and the custom SAML 2.0 and OpenID Connect flows of a large enterprise organization.

Objectives: Any/all web findings

Maximum payout: $5,000

Other notes: requires a background check to participate

Google form link


An installed service + associated webapp

This program covers a well-tested, mature enterprise application consisting of a binary plus an associated webapp, which can be evaluated both for web issues and for native issues such as buffer overflows. It does require some setup to get going, but nothing complicated.

Objectives: code execution, privilege escalation, SSRF, any/all webapp vulnerabilities

Maximum payout: $10,000

Google form link