  • Application-Level Denial-of-Service (DoS)
    A functional or architectural flaw that lets a remote client consume a disproportionate share of the host's resources (CPU, memory, disk, database connections) with ordinary-looking requests, so the system locks up or otherwise stops serving legitimate users.
  • Bounty Brief
    Outlines the rules of engagement for a bounty program, thereby setting the expectations for how both parties will behave throughout the process.
  • Broken Access Control (BAC)
    When an application fails to enforce authorization: a user can reach data or functionality (administrative functions included) that they should not be able to use, either by escalating to a higher privilege level or by accessing another user's resources at the same level.
  • Bug Bounty Program (BBP)
    A proactive extension to a Vulnerability Disclosure Program (VDP), where a cash incentive is added to reward the first white hat hacker to find and report each unique vulnerability within the scope of the program. The more severe the flaw and the greater the business impact, the greater the(...)
  • Common Vulnerabilities and Exposures (CVE)
    A publicly maintained catalogue of disclosed vulnerabilities in specific products and systems. Each entry receives a unique identifier (CVE-YYYY-NNNN) so that advisories, scanners and reports can refer to the same flaw unambiguously.
  • Common Vulnerability Scoring System (CVSS)
    A scoring model for assessing the severity of security vulnerabilities. The base score runs from 0.0 to 10.0 and is derived from metrics such as attack vector, required privileges, user interaction and impact on confidentiality, integrity and availability.
  • Common Weakness Enumeration (CWE)
    A catalogue of common software and hardware weakness types, each with a numbered identifier (for example CWE-79 for cross-site scripting, CWE-89 for SQL injection), used to classify the root cause of a vulnerability rather than a specific instance of it.
  • Cross Site Request Forgery (CSRF)
    Also known as a one-click attack, CSRF tricks a victim's browser into sending a request that the web application attributes to that authenticated user, because the browser automatically attaches the user's cookies. The application then carries out an action (a transfer, a password change, a settings update) that the user never intended.
  • Cross-Site Scripting (XSS)
    A web application vulnerability that lets an attacker inject client-side script into pages viewed by other users, typically because user-controlled input is rendered into HTML without context-appropriate encoding. The injected script runs in the victim's browser with access to their session.
  • Crowdcontrol
    A powerful platform connecting the global security researcher community to the security market.
  • Crowdsourced Security (CSS)
    Builds on the bug bounty program model: participation is invite-only, conducted under NDA and subject to additional privacy and security controls. Compliance reporting and other features are added to meet the requirements the penetration testing and scanning market already expects.
  • Hacker
    If you do a Google Image Search against the word hacker, you’ll get images of scary-looking balaclava-clad cybercriminals hunched over a quintessentially green computer terminal. They’re up to no good… Stealing your data, crashing critical systems, or causing general Internet badness. In(...)
  • Internet of Things (IoT)
    Any device (often called a “smart” or “connected” device) that connects to and exchanges information over the internet.
  • Open Web Application Security Project (OWASP)
    A non-profit foundation that publishes free resources on application security. It is best known for the OWASP Top 10, a regularly updated list of the most critical security risks to web applications.
  • Payout
    The money paid to a researcher once their vulnerability submission has been validated.
  • Penetration Test or Pen Test
    A penetration test, commonly known as a pen test, is an authorized test of a computer system, network or application where human operators attempt to find vulnerabilities that an attacker could exploit.
  • Points
    Points are awarded or deducted for a researcher's submissions; they build the researcher's status and determine their position on the leaderboard.
  • Private Program
    A controlled testing environment with a small set of highly vetted and experienced researchers, ideal for targets that are not publicly accessible such as staging environments, applications that require credential access, or devices.
  • Public Program
    A bug bounty program that is publicly accessible to the researcher crowd, helping scale testing efforts and gain access to an extensive, diverse skill set.
  • Remote Code Execution (RCE)
    A vulnerability that lets an attacker run arbitrary commands or code on someone else's computing device over the network, typically with the privileges of the affected service. We have a t-shirt that explains this phenomenon quite succinctly.
  • Researcher Portal
    A community platform for researchers to follow and join programs, submit and manage vulnerabilities and receive rewards for their work.
  • Rewards
    The payment for a valid vulnerability submission. This is defined in the scope of a program and can include anything from points to swag and cash.
  • Scope
    Outlines the rules of engagement for a bounty program. This includes a clearly defined set of in-scope and out-of-scope targets, so researchers know what they can and cannot test, as well as the payout range for accepted vulnerabilities.
  • Security Researcher
    Hacker or bug hunter are common terms used to describe a security researcher or any skilled computer expert that uses their technical knowledge to identify vulnerabilities. Our crowd of security researchers comes from all walks of life, most are working information security specialists by day(...)
  • SQL Injection (SQLi)
    An attack in which attacker-controlled input is concatenated into a SQL query instead of being bound as a parameter, so the backend database executes the attacker's SQL as part of the query. The result is query output or actions that should never have been possible: reading other users' data, bypassing authentication, or modifying and deleting records.
  • Submission
    The report a researcher submits to Bugcrowd describing the vulnerability or bug they found.
  • Target
    A target is the thing (web or mobile application, hardware, API) that the crowd tests for vulnerabilities.
  • The Crowd
    The global community of white-hat hackers on the Bugcrowd platform who compete to find vulnerabilities in bug bounty programs.
  • Triage
    The process of validating a vulnerability submission from raw submission to a valid, easily digestible report.
  • Valid
    Valid refers to the state of a vulnerability that has been tested and confirmed real.
  • Vulnerability
    A security flaw or weakness in software or in an operating system (OS) that an attacker can exploit to compromise the confidentiality, integrity or availability of a system or its data.
  • Vulnerability Disclosure Program (VDP)
    Neighborhood watch for the internet. Communication channels are set up and a policy—which contains an invitation—is published to encourage reactive security feedback from the white hat hacker community.
  • Vulnerability Priority
    P1 - Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc. P2 - High: Vulnerabilities that affect the security of the software and impact the processes it supports. (...)
  • XML External Entity Injection (XXE)
    An attack against applications that parse XML input. It occurs when XML containing a reference to an external entity is processed by a weakly configured XML parser. The attack may lead to the disclosure of confidential data, denial of service, server side request forgery,(...)
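For the Cross-Site Scripting entry, an added example (not from this page or from Bugcrowd) of the encoding failure and its fix. The vulnerable renderer drops a comment body and a profile link straight into HTML; the safe one applies `html.escape` in the text and attribute contexts and a scheme allow-list for the URL context, where escaping alone does not stop a `javascript:` link. The function names and the attacker values are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(author: str, body: str, link: str) -> str:
    """Untrusted values dropped straight into HTML: markup in the body and
    a javascript: URL in the link both execute in every viewer's browser."""
    return (f'<div class="comment"><a href="{link}">{author}</a>: '
            f"{body}</div>")


def safe_href(link: str) -> str:
    """Allow only http(s) URLs; anything else (javascript:, data:,
    vbscript:) is replaced with an inert fragment link."""
    scheme = urlsplit(link.strip()).scheme.lower()
    return html.escape(link, quote=True) if scheme in ("http", "https") else "#"


def render_comment_safe(author: str, body: str, link: str) -> str:
    """Context-aware output encoding: html.escape for the text and
    attribute contexts, plus the scheme allow-list for the URL context."""
    return (f'<div class="comment"><a href="{safe_href(link)}">'
            f"{html.escape(author)}</a>: {html.escape(body)}</div>")


# Constructed attacker-controlled values.
ATTACKER_BODY = '<img src=x onerror="alert(document.cookie)">'
ATTACKER_LINK = "javascript:alert(1)"

if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", ATTACKER_BODY, ATTACKER_LINK))
    print(render_comment_safe("mallory", ATTACKER_BODY, ATTACKER_LINK))
```

In the safe output the `<img>` tag arrives in the page as literal text (`&lt;img ...`) and the link is neutralised to `#`; the vulnerable output carries both the `onerror` handler and the `javascript:` URL to every reader of the comment.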
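For the Cross Site Request Forgery entry, an added example (not from this page or from Bugcrowd) of why a cookie alone is not proof of intent, using the synchroniser-token defence. A simulated transfer endpoint is called twice: once trusting only the session cookie, which a form on an attacker's site can cause the victim's browser to send, and once also requiring the per-session token that only a page served by the legitimate site could have embedded. The session store, balances and handler names are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the server's session store
# and account database.
SESSIONS: dict[str, dict] = {}
BALANCES = {"alice": 100, "mallory": 0}


def start_session(user: str) -> str:
    """Log a user in: returns the session id the browser keeps in a cookie.
    A per-session CSRF token is minted alongside it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the legitimate site embeds as a hidden field in its form."""
    return SESSIONS[sid]["csrf"]


def _do_transfer(user: str, form: dict):
    to, amount = form["to"], int(form["amount"])
    if to not in BALANCES or BALANCES.get(user, 0) < amount:
        return 400, "insufficient funds or unknown recipient"
    BALANCES[user] -= amount
    BALANCES[to] += amount
    return 200, f"moved {amount} from {user} to {to}"


def transfer_vulnerable(cookies: dict, form: dict):
    """Trusts the session cookie alone. A form on attacker.example that
    auto-submits here is sent with the victim's cookie, so it succeeds."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    return _do_transfer(session["user"], form)


def transfer_safe(cookies: dict, form: dict):
    """Synchroniser-token check: the body must also carry the secret bound
    to this session, compared in constant time."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(session["user"], form)
```

The cross-site form cannot include the token because the attacker's origin cannot read the victim's pages; the legitimate form can, so the safe handler accepts only requests that originated from the site itself.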
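For the XML External Entity Injection entry, an added example (not from this page or from Bugcrowd) of the usual hardening: refuse any document that declares a DTD before the real parser sees it. External entities and recursive internal entities (the entity-expansion denial of service) both require a DTD, so rejecting the declaration closes the class regardless of how the downstream parser is configured. The pre-check uses the expat handlers from Python's standard library; the function and class names and the sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DTDForbidden(ValueError):
    """Raised when a document declares a DOCTYPE or any entity."""


def parse_xml_safely(document: str) -> ET.Element:
    """Run a guard parse whose only job is to abort on the first DOCTYPE or
    entity declaration, then parse the document for real."""
    guard = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"entity declaration {name!r} is not allowed")

    guard.StartDoctypeDeclHandler = reject_doctype
    guard.EntityDeclHandler = reject_entity
    guard.Parse(document, True)  # raises DTDForbidden on an offending declaration
    return ET.fromstring(document)


def is_rejected(document: str) -> bool:
    """True if the guard refuses the document."""
    try:
        parse_xml_safely(document)
    except DTDForbidden:
        return True
    return False


# Constructed inputs: a benign document and the textbook XXE payload that
# tries to pull a local file into the element content.
BENIGN = "<order><item sku='A-1'>2</item></order>"
XXE_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<order><item>&xxe;</item></order>"
)

if __name__ == "__main__":
    print("benign rejected:", is_rejected(BENIGN))       # False
    print("xxe rejected:   ", is_rejected(XXE_PAYLOAD))  # True
```

Whether a given parser would actually fetch `file:///etc/passwd` depends on its configuration (this is what "weakly configured" refers to above); the guard makes the question moot by never letting a DTD reach it. The same approach is what the defusedxml package applies to the standard-library parsers.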