  • Application-Level Denial-of-Service (DoS)
    When an application contains functional or architectural flaws that allow remote interactions to consume large quantities of the host system’s resources, which can lead to the system locking up or otherwise failing to deliver content.
  • Bounty Brief
    Outlines the rules of engagement for a bounty program, thereby setting the expectations for how both parties will behave throughout the process.
  • Broken Access Control (BAC)
    Broken Access Control is when an application does not thoroughly restrict user permissions for appropriate access to administrative functionality. The consequences associated with broken access control may include viewing of unauthorized content, modification or deletion of content, or full(...)
  • Bug Bounty Program (BBP)
    A Bug Bounty Program utilizes a pay for results model, ensuring you only pay for valid results, versus paying for time and effort spent like with traditional testing methods. It’s also important to note that through these programs, companies authorize researchers to not only identify(...)
  • Common Vulnerability Exposure (CVE)
    A list of publicly known cybersecurity vulnerabilities commonly found on specific products and systems. 
  • Common Vulnerability Scoring System (CVSS)
    The Common Vulnerability Scoring System is a free and open industry standard for assessing the severity of security vulnerabilities. CVSS attempts to assign scores to vulnerabilities, allowing responders to prioritize responses and resources according to severity. The Common Vulnerability(...)
  • Common Weakness Enumeration (CWE)
    A classification and categorization of common software vulnerability types.
  • Cross Site Request Forgery (CSRF)
    Also known as one-click attack, CSRF is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.
  • Cross-Site Scripting (XSS)
    Typically found in web applications, XSS enables attackers to inject client-side scripts into web pages viewed by other users.
  • Crowdcontrol
    A powerful platform connecting the global security researcher community to the security market.
  • Crowdsourced Security (CSS)
    Crowdsourced security is a security approach which uses a crowd to discover vulnerabilities in online systems. Some examples include bug bounty and responsible disclosure. Using a crowdsourced security approach, organizations can obtain information about vulnerabilities by enlisting a large(...)
  • Email Spoofing
    Email spoofing is the forgery of an email header with a false address. Email spoofing is often used in phishing and spam campaigns. The purpose of email spoofing is usually to obtain sensitive material about the recipient, or to get the recipient to install malware.
  • Hacker
    If you do a Google Image Search against the word hacker, you’ll get images of scary-looking balaclava-clad cybercriminals hunched over a quintessentially green computer terminal. They’re up to no good… Stealing your data, crashing critical systems, or causing general Internet badness. In(...)
  • Internet of Things (IoT)
    Any device (often called a “smart” or “connected” device) that connects to and exchanges information over the internet.
  • Open Web Application Security Project (OWASP)
    A list of the most critical security risks to web applications.
  • Payout
    The money paid to a researcher once their vulnerability submission has been validated.
  • Penetration Test or Pen Test
    A penetration test, commonly known as a pen test, is an authorized test of a computer system, network or application where human operators attempt to find vulnerabilities that an attacker could exploit.
  • Points
    Points are awarded to or deducted from a researcher for their submissions; they build the researcher’s status and are used to rank the leaderboard.
  • Private Program
    A controlled testing environment with a small set of highly vetted and experienced researchers, ideal for targets that are not publicly accessible such as staging environments, applications that require credential access, or devices.
  • Public Program
    A bug bounty program that is publicly accessible to the researcher crowd, helping scale testing efforts and gain access to an extensive, diverse skill set.
  • Remote Code Execution (RCE)
    A vulnerability whereby an attacker can remotely execute commands on someone else's computing device. We have a t-shirt that explains this phenomenon quite succinctly.
  • Researcher Portal
    A community platform for researchers to follow and join programs, submit and manage vulnerabilities and receive rewards for their work.
  • Rewards
    The payment for a valid vulnerability submission. This is defined in the scope of a program and can include anything from points to swag and cash.
  • Scope
    Outlines the rules of engagement for a bounty program. This includes a clearly defined testing parameter to inform researchers what they can and cannot test, as well as the payout range for accepted vulnerabilities.
  • Security Researcher
    Hacker or bug hunter are common terms used to describe a security researcher or any skilled computer expert that uses their technical knowledge to identify vulnerabilities. Our crowd of security researchers comes from all walks of life, most are working information security specialists by day(...)
  • SQL Injection (SQLi)
    In a SQL injection attack, malicious input is embedded in a poorly designed application and then passed to the backend database. The malicious data then produces database query results or actions that should never have been executed.
  • Submission
    The report a researcher submits to Bugcrowd describing the vulnerability or bug they found.
  • Target
    A target is the thing (web or mobile application, hardware, API) that the crowd tests for vulnerabilities.
  • The Crowd
    The global community of white-hat hackers on the Bugcrowd platform who compete to find vulnerabilities in bug bounty programs.
  • Triage
    The process of validating a vulnerability submission from raw submission to a valid, easily digestible report.
  • Valid
    Valid refers to the state of a vulnerability that has been tested and confirmed real.
  • Vulnerability
    A security flaw or weakness found in software or in an operating system (OS) that can lead to security concerns.
  • Vulnerability Disclosure Program (VDP)
    A Vulnerability Disclosure Program creates clear guidelines for researchers to submit security vulnerabilities to organizations while also helping organizations mitigate risk by supporting and enabling the disclosure and remediation of vulnerabilities before they are exploited.(...)
  • Vulnerability Priority
    P1 - Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
    P2 - High: Vulnerabilities that affect the security of the software and impact the processes it supports. (...)
  • XML External Entity Injection (XXE)
    An attack against applications that parse XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery,(...)