Guide

Help Wanted


Attention Hackers:

So, as you may or may not know, Bugcrowd runs a large number of private programs that aren’t publicly visible. These private programs range from testing webapps, to APIs, to reverse engineering binaries/desktop apps, to network pentests, and even some testing on IoT devices!

That said, sometimes these programs need some pretty specific skillsets that may not be too common – that’s where this page comes in. Listed below are some vague, but useful details on some private programs that Bugcrowd is running, that we’d like to add some more talented researchers to, if you’re interested.

If you’re looking to participate in any of the below, please fill out the associated Google form – and be sure to include your background, why you’re a good fit for the program, and so on (this is required – if you don’t put effort into explaining why you should be on a program, it’s unlikely that you’ll put effort into the program itself; we won’t respond to any request that doesn’t offer reasonable justification for why you’d be a good researcher to put on the program). From there, we’ll reach out directly and see about getting you added, or ask for additional information as needed.

Please note that these programs will change, and often some programs will only be available for a short period of time, since there’s often a limited number of devices, credentials, etc. Good luck and happy hunting!

 

Current Programs:

 

Open invitation and call for researchers with Amazon Web Services Certifications! [added 8/29/18]

We are actively looking for researchers with a deep understanding of AWS, specifically researchers who have obtained any of the following AWS certifications:

  • AWS Certified Solutions Architect
  • AWS Certified DevOps Engineer
  • AWS Certified Developer
  • AWS Certified SysOps Administrator
  • AWS Certified Developer
  • AWS Certified Cloud Practitioner

If you have any of the above AWS certifications, we’d like to put you on a wide-scope, high-paying program where your unique juxtaposition of skillsets will come in handy! Alternatively, if you don’t hold any of the above, but are particularly versed in AWS, we’d also like to hear from you. Please fill out the following form detailing which certifications you hold and why you’d be a good fit for this.

Please note that due to the sensitive nature of this client, researchers will be asked to complete a background check and sign an NDA.

Rewards: up to $10k for critical issues.

Google form link

 


Open invitation and call for researchers skilled in the following areas: IoT/embedded devices, APIs, and reverse engineering – [ongoing]

As the IoT/embedded devices space continues to grow, we’re seeing more and more programs run with a focus on testing these devices, as well as their associated binaries and APIs. As a result, researchers skilled in testing these devices and their corresponding attack surface are in fairly high demand, and are a crowd segment that we’re always looking to grow. These programs tend to pay higher rewards, and on occasion, will even send out physical devices for researchers to test directly against (depending on the given program’s target/objectives). If you feel you’ve got a solid skillset in the areas of reverse engineering, API, and/or IoT/embedded devices, please fill out the following form, and we’ll be in touch if we feel you’re a good fit for any of our upcoming programs.

Good luck and happy hunting!

Google form link

 


A program for researchers skilled in testing on/against enterprise printers – added on 8/1/18

Relevant skills for this program include:

– Reverse engineering
– Experience pentesting print-related protocols

For this program, researchers are given remote access to a commercially availabe enterprise printer – where they’re provided admin access to the device interface, and are also able to interact with all the available/exposed services running on the machine. Firmware for the device is freely available on the internet for more reversing.

Particular objectives for this program include (but the scope is open to any valid security issue that above a 2.0 on the CVSS scale):

– Remote code execution
– Remote DoS attacks
– Bypassing integrated controls intended to prevent the execution of malicious software/firmware

If you feel you have the relevant skills needed to be successful here, please fill out the following form, and we’ll be in touch if you’re a good fit. Thanks!

Maximum payout: $10,000

Google form link

 


A data management system (reverse engineering/webapp/general pentesting) – updated 4/16/18

We’re running a program on a data management system that researchers will VPN into, and then have access to their own custom environment with a variety of available targets. There’s a webapp interface, command line interface, and a number of hosts running on a /26 subnet.

The system will be a UNIX based storage appliance with the following services:

http
dns
rpc
msrpc
netbios
ntp
smb
nfs
iscsi

Additionally, the system offers multi-tenant capabilities and we’re specifically interested in multi-tenancy violations such as administrators crossing tenants allowing for information disclosure.

Strong penetration testing, reverse engineering, and exploit development skills are advised. Feel free to reach out to support@bugcrowd.com if you have any questions. Thanks!

Objectives: any/all valid security vulnerabilities.

Maximum payout: $15,000

Google form link

 


An iOS only car management application – added 12/5/17

This mobile application is used for managing and interacting with one’s vehicle. It’s important to note that a) only issues relating to the app itself are in scope (e.g. the services it interacts with are not in scope); and b) this app is protected by Arxan, and as such, places where researchers are able to bypass the obfuscation to find security issues are of particular interest. Strong mobile skills are highly encouraged.

Objectives: any/all valid mobile security issues.

Maximum payout: $5,000

Google form link

 


 An endpoint desktop application (windows only)

This application can be run inside a VM, but it must be a windows VM. This is an endpoint desktop application that will require strong reverse engineering skills to be effective against.

Objectives: local privilege escalation; code execution; DoS/crashing/bypassing the endpoint service.

Maximum payout: $40,000

Google form link

 


 

An installed service + associated webapp

A well tested and mature enterprise application, this program consists of a binary + webapp that can be evaluated for both web issues, as well as issues such as buffer overflows, etc. This does require some setup to get going, but nothing complicated.

Objectives: code execution, privilege escalation, SSRF, any/all webapp vulnerabilities

Maximum payout: $10,000

Google form link