So, as you may or may not know, Bugcrowd runs a large number of private programs that aren’t publicly visible. These private programs range from testing webapps, to APIs, to reverse engineering binaries/desktop apps, to network pentests, and even some testing on IoT devices!
That said, sometimes these programs need some pretty specific skillsets that may not be too common – that’s where this page comes in. Listed below are some vague, but useful details on some private programs that Bugcrowd is running, that we’d like to add some more talented researchers to, if you’re interested.
If you’re looking to participate in any of the below, please fill out the associated Google form – and be sure to include your background, why you’re a good fit for the program, and so on (this is required – if you don’t put effort into explaining why you should be on a program, it’s unlikely that you’ll put effort into the program itself; we won’t respond to any request that doesn’t offer reasonable justification for why you’d be a good researcher to put on the program). From there, we’ll reach out directly and see about getting you added, or ask for additional information as needed.
Please note that these programs will change, and often some programs will only be available for a short period of time, since there’s often a limited number of devices, credentials, etc. Good luck and happy hunting!
Open invitation and call for researchers skilled in the following areas: IoT/embedded devices, APIs, and reverse engineering – [ongoing]
As the IoT/embedded devices space continues to grow, we’re seeing more and more programs run with a focus on testing these devices, as well as their associated binaries and APIs. As a result, researchers skilled in testing these devices and their corresponding attack surface are in fairly high demand, and are a crowd segment that we’re always looking to grow. These programs tend to pay higher rewards, and on occasion, will even send out physical devices for researchers to test directly against (depending on the given program’s target/objectives). If you feel you’ve got a solid skillset in the areas of reverse engineering, API, and/or IoT/embedded devices, please fill out the following form, and we’ll be in touch if we feel you’re a good fit for any of our upcoming programs.
Good luck and happy hunting!
A program for researchers skilled in testing on/against enterprise printers – added on 8/1/18
Relevant skills for this program include:
– Reverse engineering
– Experience pentesting print-related protocols
For this program, researchers are given remote access to a commercially availabe enterprise printer – where they’re provided admin access to the device interface, and are also able to interact with all the available/exposed services running on the machine. Firmware for the device is freely available on the internet for more reversing.
Particular objectives for this program include (but the scope is open to any valid security issue that above a 2.0 on the CVSS scale):
– Remote code execution
– Remote DoS attacks
– Bypassing integrated controls intended to prevent the execution of malicious software/firmware
If you feel you have the relevant skills needed to be successful here, please fill out the following form, and we’ll be in touch if you’re a good fit. Thanks!
Maximum payout: $10,000
A data management system (reverse engineering/webapp/general pentesting) – updated 4/16/18
We’re running a program on a data management system that researchers will VPN into, and then have access to their own custom environment with a variety of available targets. There’s a webapp interface, command line interface, and a number of hosts running on a /26 subnet.
The system will be a UNIX based storage appliance with the following services:
Additionally, the system offers multi-tenant capabilities and we’re specifically interested in multi-tenancy violations such as administrators crossing tenants allowing for information disclosure.
Strong penetration testing, reverse engineering, and exploit development skills are advised. Feel free to reach out to firstname.lastname@example.org if you have any questions. Thanks!
Objectives: any/all valid security vulnerabilities.
Maximum payout: $15,000
An iOS only car management application – added 12/5/17
This mobile application is used for managing and interacting with one’s vehicle. It’s important to note that a) only issues relating to the app itself are in scope (e.g. the services it interacts with are not in scope); and b) this app is protected by Arxan, and as such, places where researchers are able to bypass the obfuscation to find security issues are of particular interest. Strong mobile skills are highly encouraged.
Objectives: any/all valid mobile security issues.
Maximum payout: $5,000
An endpoint desktop application (windows only)
This application can be run inside a VM, but it must be a windows VM. This is an endpoint desktop application that will require strong reverse engineering skills to be effective against.
Objectives: local privilege escalation; code execution; DoS/crashing/bypassing the endpoint service.
Maximum payout: $40,000
An installed service + associated webapp
A well tested and mature enterprise application, this program consists of a binary + webapp that can be evaluated for both web issues, as well as issues such as buffer overflows, etc. This does require some setup to get going, but nothing complicated.
Objectives: code execution, privilege escalation, SSRF, any/all webapp vulnerabilities
Maximum payout: $10,000