Help Wanted


Attention Hackers:

So, as you may or may not know, Bugcrowd runs a large number of private programs that aren’t publicly visible. These private programs range from testing webapps, to APIs, to reverse engineering binaries/desktop apps, to network pentests, and even some testing on IoT devices!

That said, sometimes these programs need some pretty specific skillsets that may not be too common – that’s where this page comes in. Listed below are some vague, but useful details on some private programs that Bugcrowd is running, that we’d like to add some more talented researchers to, if you’re interested.

If you’re looking to participate in any of the below, please fill out the associated Google form – and be sure to include your background, why you’re a good fit for the program, and so on (this is required – if you don’t put effort into explaining why you should be on a program, it’s unlikely that you’ll put effort into the program itself; we won’t respond to any request that doesn’t offer reasonable justification for why you’d be a good researcher to put on the program). From there, we’ll reach out directly and see about getting you added, or ask for additional information as needed.

Please note that these programs will change, and often some programs will only be available for a short period of time, since there’s often a limited number of devices, credentials, etc. Good luck and happy hunting!


Current Programs:


Open invitation and call for researchers skilled in the following areas: blockchain platforms, smart contract assessment, and static code analysis. (added 11/1/18)

As blockchain and smart contract platforms grow, Bugcrowd’s need for researchers specializing in these areas has grown (and will continue to grow) as well. Of note, there’s one particular program where GitHub links are provided and researchers are asked to install a local testnet for both the platform and a home-grown smart contract implementation. There is also a live public testnet for those not inclined to install locally. Researchers skilled in these areas will be added to other similar programs as they arise as well.

Focus areas include:

– Full Denial of Service to the testnet
– Remote code execution against the wallet

If you feel you have the relevant skills needed to be successful here, please fill out the following form, and we’ll be in touch if you’re a good fit. Thanks!

Maximum payout $5,000

Google form link



Open invitation and call for researchers with Amazon Web Services Certifications! [added 8/29/18]

We are actively looking for researchers with a deep understanding of AWS, specifically researchers who have obtained any of the following AWS certifications:

  • AWS Certified Solutions Architect
  • AWS Certified DevOps Engineer
  • AWS Certified Developer
  • AWS Certified SysOps Administrator
  • AWS Certified Cloud Practitioner

If you have any of the above AWS certifications, we’d like to put you on a wide-scope, high-paying program where your combination of skillsets will come in handy! Alternatively, if you don’t hold any of the above but are particularly well versed in AWS, we’d also like to hear from you. Please fill out the following form detailing which certifications you hold and why you’d be a good fit for this.

Please note that due to the sensitive nature of this client, researchers will be asked to complete a background check and sign an NDA.

Rewards: up to $10k for critical issues.

Google form link



Open invitation and call for researchers skilled in the following areas: IoT/embedded devices, APIs, and reverse engineering – [ongoing]

As the IoT/embedded devices space continues to grow, we’re seeing more and more programs run with a focus on testing these devices, as well as their associated binaries and APIs. As a result, researchers skilled in testing these devices and their corresponding attack surface are in fairly high demand, and are a crowd segment that we’re always looking to grow. These programs tend to pay higher rewards, and on occasion, will even send out physical devices for researchers to test directly against (depending on the given program’s target/objectives). If you feel you’ve got a solid skillset in the areas of reverse engineering, API, and/or IoT/embedded devices, please fill out the following form, and we’ll be in touch if we feel you’re a good fit for any of our upcoming programs.

Good luck and happy hunting!

Google form link



A program for researchers skilled in testing on/against enterprise printers – added on 8/1/18

Relevant skills for this program include:

– Reverse engineering
– Experience pentesting print-related protocols

For this program, researchers are given remote access to a commercially available enterprise printer, where they’re provided admin access to the device interface and are also able to interact with all the available/exposed services running on the machine. Firmware for the device is freely available on the internet for further reversing.

Particular objectives for this program include (but the scope is open to any valid security issue that scores above 2.0 on the CVSS scale):

– Remote code execution
– Remote DoS attacks
– Bypassing integrated controls intended to prevent the execution of malicious software/firmware

If you feel you have the relevant skills needed to be successful here, please fill out the following form, and we’ll be in touch if you’re a good fit. Thanks!

Maximum payout: $10,000

Google form link


An installed service + associated webapp

A well-tested and mature enterprise application, this program consists of a binary and a webapp that can be evaluated both for web issues and for issues such as buffer overflows. This does require some setup to get going, but nothing complicated.

Objectives: code execution, privilege escalation, SSRF, any/all webapp vulnerabilities

Maximum payout: $10,000

Google form link


