A lot of factors are involved in a crowdsourced security program’s success. But perhaps the most important among them is making it easy, productive, and rewarding for security researchers and hackers to participate, because without their success, the program owner can’t be successful either.
Hi. I’m Farah Hawa and I’m a part-time bug bounty hunter. I have worked in cyber security for over three years and currently lead the Indian triage team at Bugcrowd.
When I’m not busy triaging your bugs, I create content on technical bug bounty topics and web application hacking on YouTube. On Instagram, I raise awareness of cybersecurity, data leaks, data breaches, and security hygiene, mostly about how to keep people safe.
As a hacker myself, I’m proud of the fact that the Bugcrowd Security Knowledge Platform has a ton of cool features to make bug hunting and the entire submission process a breeze for security researchers, whether you’re a beginner who wants to level up your skills or an experienced hunter that’s been in the game for a while.
In this post, we’ll go over my top 5 favorite features for researchers on the Bugcrowd Platform:
1. Researcher Submission Templates
A good bug report makes the biggest difference in getting your submission triaged faster! Something I’ve found to make the report writing process easier is using a submission template. The Bugcrowd platform includes more than 50 templates covering the most common vulnerabilities to ensure accurate and efficient reporting. This is one of my favorite features because I can focus more on finding those juicy bugs than writing the report!
All you have to do is select the VRT category for your vulnerability and the submission form will populate with the appropriate template for that category. You’ll be able to find a template for most bug types. You can read more about the template feature and also find an exhaustive list of templates that are currently available here.
JR0ch17 sums it up well: “The ‘Researcher Submission Templates’ are really great. They allow us researchers to submit vulnerabilities in a matter of a minute or two or even in seconds, depending on the bug type. By spending less time reporting bugs, we can spend more time hacking and finding more bugs!”
2. CrowdMatch™
CrowdMatch™ employs proprietary machine learning (ML) technology that gives you personalized program recommendations and invites according to your skill set, interests, availability, and numerous other factors.
You can update your ‘Skills and interests’ under Account Settings to rate yourself and select the kind of programs in which you’re interested, whether it is social engineering, mobile application testing, API testing, web testing, and so on.
As members of the Bugcrowd Triage Team, we rate your skills (API testing or authorization, for example) with every report you submit, and those scores feed the Security Knowledge Graph data that’s used to train the CrowdMatch ML model.
CrowdMatch™ also drives invites to private programs and penetration tests. Every time you submit a valid report, CrowdMatch gains more insight into your skill level, experience, and interests, so the private program invites you receive are the ones that best fit you. On average, that customized fit pays off in almost 2x the payouts.
3. Vulnerability Rating Taxonomy (VRT)
Bugcrowd’s Vulnerability Rating Taxonomy (VRT) is a resource outlining Bugcrowd’s baseline priority rating, including certain edge cases, for common vulnerabilities. It’s great because it creates a foundation for consistent engagement between researchers and program owners. It covers most of the categories commonly reported in bug bounties, so when you submit a report you can select the exact type of bug you found and the CVSS score will be calculated automatically.
Of course, sometimes the priority might vary depending on additional impact or the Program Owner’s review but overall, this helps provide increased transparency around how priorities are assigned for everyone in the Bugcrowd ecosystem.
The VRT is open-source, so if you feel like a category is missing or if you’d like to add a variant to an existing bug, then feel free to open a pull request!
P.S.: Sometimes, I also use it as a checklist while bug hunting or pentesting!
4. Availability
I’ve found that bug bounty can often cause burnout, and that taking good care of my mental health in the process is of utmost importance. Occasionally, this might mean taking a break or slowing down.
Bugcrowd’s ‘Availability’ feature (found in the researcher dashboard) allows you to submit your available hours and schedule busy periods so that CrowdMatch can pair you with interesting programs when it suits you. This also helps Bugcrowd schedule program launches according to when researchers are available.
I love what my fellow researcher, OrwaGodfather, has to say about the Availability feature: “The ‘Availability’ feature is a very good thing on Bugcrowd. Also, the reporting form is very clear and easy to understand and the VRT is amazing!”
5. Bugcrowd University
While this next one isn’t technically a “feature”, it’s one of my go-to resources on the Bugcrowd platform. Bugcrowd University (BCU) features content from some of the top researchers in the game. They’ve got videos and blogs on a wide range of topics, from performing recon to iOS testing, so you can brush up on your skills or even pick up a new one!
Some of my favorite pieces are the ones where researchers drop practical bug-hunting advice on avoiding duplicates and writing good reports. Bugcrowd University is continuously adding new content so make sure you stay updated with the latest resources here.
If you want to learn more about these 5 features, I recommend logging in to your researcher account as the best form of exploration, education, and understanding. You can also take a look at the Bugcrowd Blog page here, which includes a variety of articles giving you more insight into the features we offer. No matter your skill level, interests, or ambition, there’s something for everyone at Bugcrowd. Take a look at Why You Should Hack on Bugcrowd and get started here.