Bugcrowd Spotlight Archives | Bugcrowd https://www.bugcrowd.com/blog/category/bugcrowd-spotlight/ (feed updated Mon, 11 Mar 2024 02:34:14 +0000)

Career advice from women in cybersecurity for International Women’s Day https://www.bugcrowd.com/blog/career-advice-from-women-in-cybersecurity-for-international-womens-day/ Fri, 08 Mar 2024 13:00:04 +0000

March 8 is International Women’s Day. International Women’s Day started in 1911 and has been celebrated annually for over one hundred years. It’s a day of collective global activism and celebration. It’s all about women’s equality and inclusivity. 

To celebrate the holiday, we talked to a handful of women at Bugcrowd (who we affectionately refer to as “the ladybugs”) about their career journeys. In this blog, we’ve compiled career advice from 11 different women in cybersecurity, whose roles span across different areas from engineering to marketing to pentesting.

Career advice


Sara Travise, Manager of Support

Never stop learning—Identify what you enjoy doing at work and build on that. Better yet, identify what has a need and work to build and expand that. Be someone who can get things done. 

Invest in relationships—If you make the promise to yourself to never stop learning, meeting people will naturally occur. Invest in these relationships as they can easily develop into strong professional relationships that can last throughout your career. 


Athena Peterson, Director of Customer Marketing

Be your best advocate—Make sure to be your own cheerleader! Promote the wonderful work you do, share your voice and create a brand for yourself. Don’t be your own best kept secret. 

Strive for the ‘challenge’—Experiencing challenges both personally and professionally is when transformation happens. Look for the challenges, push yourself to learn and grow so that you can continue to build the best version of yourself. And be confident in your knowledge and skills. 


Jill San Antonio, Technical Customer Success Manager

Invest in yourself—It is never too late to invest in yourself. Whether it be time, energy, money, or any resource to help fill your tank—do it.


Jordyn Jones, Global Social Media Manager

Embrace the unknown—Yep, it’s scary! But it’s also incredibly exciting. Embrace the uncertainty and see it as an opportunity to learn and grow. Who knows, you might discover a hidden talent or passion along the way. 

Confidence is key—When you believe in yourself, others believe in you too. It’s that unwavering self-assurance that propels you forward, even when faced with challenges or doubts. It’s not about being perfect or having all the answers. It’s about embracing your strengths, acknowledging your worth, and having the courage to take risks. Believe in yourself, and watch as the world opens its doors to endless possibilities. 


Elle Green, Team Lead, Customer Success

Grow from your mistakes—Getting into cybersecurity is not an easy task. Breaking into and staying in this field requires hard work, persistence, and determination. Roadblocks will occur, but what matters most is that you identify your mistakes and grow from them. Always remember, if it was easy…everyone would be doing it. 


Ashley Schreiber, Field Marketing Specialist

Make connections—Every person you meet is a potential door to a new opportunity. Work hard, make connections, and build good bridges now—because you never know how they may contribute to the bigger picture. 


Swati Jalandra, Director of Engineering

Foster a culture of innovation—Prioritize fostering a culture of innovation and collaboration within your team by encouraging open communication, idea sharing, and cross-functional cooperation to drive creativity and problem solving.

Inspire and motivate your team as a leader—Focus on developing strong leadership skills to inspire and motivate your team toward achieving ambitious goals while providing mentorship and support for their professional growth. Remember, success as a director lies not only in technical proficiency, but also cultivating a cohesive and empowered community. 


Emily Ferdinando, Chief Marketing Officer

Say yes—Richard Branson once said, “if somebody offers you an amazing opportunity but you are not sure you can do it, say yes—then learn how to do it later.” 

Surround yourself with people you can learn from—if you’re the smartest person in the room, you’re in the wrong room!


Danisa M. Baker, MIS, PMP, Technical Customer Success Manager

Prioritize balance and energy—Make balance a requirement. Your tank should not be empty at the end of the workday. You should still have the energy, motivation, and desire to participate in the things that bring you personal joy. Your peace and mental health should never be sacrificed. 

Focus on your goals—Don’t focus on the little things. Focus on what leads you to your ultimate goal. When you find that things are beginning to interfere with your ability to focus on that ultimate goal, make a plan to either be flexible, resolve and keep going, leave, or all of the above. 


Samantha Andersson, Senior Director of Corporate Marketing

‘No’ doesn’t have to be definitive—Every ‘no’ is an opportunity to try again and again, because each ‘no’ offers a new perspective for learning and growth. No matter how many ‘nos’ you encounter in your career, embracing them leads to improvement. It’s only when you stop trying that a ‘no’ becomes definitive.


Aireal Liddle, Lead Technical Pentest Manager

Shoot your shot—You miss 100% of the shots you don’t take. Women are less likely to apply for a role if there is a single skill on the job listing that they don’t fit, even if they have all of the other skills. As a result, we see more men in leadership roles because women doubt themselves and don’t take the shot. Don’t let a single skill that you can easily learn prevent you from applying to a role that you would otherwise be perfect for.


The post Career advice from women in cybersecurity for International Women’s Day appeared first on Bugcrowd.

Behind the Scenes: Bugcrowd in Times Square https://www.bugcrowd.com/blog/behind-the-scenes-bugcrowd-in-times-square/ Thu, 29 Feb 2024 14:00:27 +0000

On Monday, February 12, Bugcrowd announced that we secured $102 million in strategic growth financing to scale our AI-powered security platform. These new funds renew our dedication to drive continued innovation on the Bugcrowd Platform and accelerate growth. 

On the day of the announcement, the Bugcrowd executive team had the opportunity to take a tour of the New York Stock Exchange (NYSE), be interviewed by Trinity Chavez on her “Taking Stock with Trinity Chavez” series, and a day later, we unveiled our brand new billboard on the Nasdaq tower in Times Square. Not a bad 48 hours, if I do say so myself. 

As the Head of Corporate Marketing at Bugcrowd, I lead our corporate brand efforts, which include public relations, social media, creative design, content, website strategy, and more. In this blog, I’ll walk you through how we got to this momentous milestone in cybersecurity history and give you a sneak peek into this amazing (and a bit crazy) time at Bugcrowd. 

An opportunity to be bold

About three weeks before the funding was announced, I was brought in with members of my team to build out and execute on a launch strategy from start to finish. My goal was to find opportunities to amplify the Bugcrowd story and celebrate a huge win in the cybersecurity community. 

There were a few very specific, bold things I wanted to do as part of this announcement. With my team, I started coordinating interviews and the logistics of getting a billboard up in Times Square. It was important to me that we make a big splash and go all-out with this announcement, while remaining tasteful and timely. 

I come from a place of trying everything and being willing to take a risk. My first step was getting buy-in from our executive stakeholders. To do this, I built a business case for these ideas, focused on the outcomes that we were trying to achieve and the impression that this would leave behind. Opportunities for brand impact like this don’t show up every day, and I wanted to pounce on the chance to celebrate a milestone while making our brand story come alive. 

Crunch time

About a week before we went live, we still weren’t sure if a splash this big was going to be possible. We knew it was the right strategy, but we still weren’t sure how it was going to come together. With the help of the teams at the NYSE and Nasdaq, plus our PR and internal teams at Bugcrowd, we were able to make it happen. 

Part of this success can be attributed to a member of my team, Samuel Tyler, Director of Content and Creative. Building creative visuals with the correct specifications for something so big is a huge task anyway—not to mention, he only had the weekend to pull it off. Talk about a lot of pressure! 

As always, Samuel made it happen. Here’s what he had to say…

“Creating our design for the Nasdaq billboard was challenging! We needed to maximize impact and visibility from the street, but this was tricky due to the distinctive structure, which has 26 “windows” (read: literal holes).

Initially, we explored an anamorphic concept that centered on these windows. By playing with light, shadow, and motion, we created an illusion of depth on the screen. Inside, a ball of light symbolizing hacker creativity lit up, dispersing shadows as it moved. However, this approach came with risks. We had to ensure the animation appeared undistorted from all angles. Even with flawless execution, there was still a chance the design might not align perfectly with the actual windows, potentially compromising the effect.

Bugcrowd Billboard in Times Square
Fig. 1: Anamorphic Concept

Fortunately, we gravitated towards a different concept inspired by the simplicity of classic ’70s and ’80s print ads. The bold typography and color blocking capture the vibrancy of those iconic decades, reminiscent of when creative first got its crown in the boardroom. This parallels modern cybersecurity culture, where organizations are increasingly looking to collaborate with hackers to leverage their clever thinking and diverse perspectives.”

Samuel Tyler, Director of Content and Creative, Bugcrowd

Touring the NYSE and a rainy day in Times Square

As the announcement was going live, I joined the executive team at Bugcrowd at the NYSE. The team at the NYSE welcomed us with open arms, which included a tour of the historical building. As we went through the tour, seeing pictures of world-renowned business leaders over the years, and getting the chance to be right in the center of such a historical place was a special moment for us all. In that type of situation, you really think about where your own company is going and the history that you’re in the middle of making. It was absolutely a bucket-list moment for all of us. 

This was especially true for our founder and Chief Strategy Officer, Casey Ellis. “In 2013, I remember pitching (and winning) a startup contest in Silicon Valley against 300 other startups as ‘The Most Likely to Succeed.’ Fast forward to over a decade later, it was pretty surreal to stand on the floor of the New York Stock Exchange with Bugcrowd’s name up on the boards as we announced our funding,” Ellis said.

Casey Ellis, Bugcrowd founder and CSO, and Dave Gerry, Bugcrowd CEO, at the New York Stock Exchange.

The Bugcrowd executive team at the New York Stock Exchange.

The next day, the team gathered in the snow and rain in the center of the buzz of New York City—Times Square. As Bugcrowd’s funding announcement and logo shined on the massive Nasdaq tower, we were all in awe. I had the biggest smile on my face and just kept thinking, “wow, this is actually happening.”

The Bugcrowd billboard in Times Square, NYC.

The Bugcrowd executive team in Times Square.

Although this was absolutely one of the coolest moments in my career so far, it is about more than a tour or a billboard. It’s about impact. We are a new Bugcrowd, and we took advantage of an opportunity to truly assert ourselves as the leader in the crowdsourced security market.

Bugcrowd’s defining moment

This moment marks a reset in the security industry. It’s currently a tough market to get funding in, and I’m proud that others are recognizing the uniqueness of the Bugcrowd story. While other companies are fully relying on technology, we focus on the magic that can happen when you combine great technology with human ingenuity. It’s a whole new way of thinking. 

We’ve been viewed as a startup for a long time, but it’s clear that the market has transitioned to seeing us as a cybersecurity leader. I believe this is a testament to the work we’re all doing together as a team. We’re investing in our brand, we’re listening to our customers and hackers, and thinking about things in a more proactive way. We care about being fun and playful with the security community, but we’re really focused on providing the best experience possible to our customers and hackers. 

In the end, Casey says it best. “This is what you get when you combine vision, timing, execution, and persistence. I couldn’t be more proud of the Bugcrowd team, our hackers and cybersecurity community, and our customers and partners. This is a major milestone for the community and the market we pioneered.” 

This certainly doesn’t mark an end, but a beginning. We’re already thinking about where we go from here. I’m incredibly proud to be part of this team during this defining moment. 

Samantha Andersson and Dave Gerry at the New York Stock Exchange.

Emily Ferdinando, Chief Marketing Officer, and Samantha Andersson in Times Square.

The post Behind the Scenes: Bugcrowd in Times Square appeared first on Bugcrowd.

Partnering with Technical Customer Success Managers at Bugcrowd https://www.bugcrowd.com/blog/partnering-with-technical-customer-success-managers-at-bugcrowd/ Wed, 28 Feb 2024 14:13:49 +0000

When organizations think about a crowdsourced security platform, they often think about the hackers participating in these programs. The trusted hackers who we partner with are absolutely crucial members of the Bugcrowd ecosystem, but another key part of this ecosystem that few consider is my team, Technical Customer Success Managers (TCSM). 

First, a little bit about me. I’m Elle Green, Team Lead of the TCSM team at Bugcrowd. In this blog, I’ll be giving you a sneak peek behind the scenes of the TCSM team, so you can see for yourself why so many Bugcrowd customers cite “Customer Success” as one of our key differentiators compared to other solutions. 

What does the TCSM team do?

The success of a program is a collaborative endeavor between TCSM and Program Owners (customers). Our responsibility encompasses program launch, understanding customer needs, and charting a path for growth and success. Given the diverse nature of programs, we assess individual requirements to guide customers towards achieving their goals.

Technical Customer Success plays a pivotal role in the customer lifecycle. We assist clients in understanding the platform, ensuring brief accuracy and readability for hackers, aligning reward ranges with the expected hacker caliber, identifying areas of improvement, and proposing effective solutions. Above all, our focus is on client satisfaction, consistently exceeding their expectations.

When a customer decides to partner with Bugcrowd, they’ll be connected with their Technical Customer Success Manager. From there, the teams will come together for a launch call, where we’ll discuss client expectations, program scope, brief details, and the launch date. 

The TCSM team’s role actively maintains the ongoing health of programs, monitoring their activity closely. It falls upon us to identify and communicate any declines in activity, offering our proposed solutions to address such situations. Following the launch of programs, it becomes our duty to ensure their sustained success, delivering the anticipated value to our customers. Throughout this process, our team is dedicated to assisting and supporting our customers at every stage.

At Bugcrowd, our top priority is long-term customer satisfaction and success, and the TCSM team is a key part of that. It’s my job (along with my team) to help you launch, manage, grow, and get value from your programs. 

In the role of a TCSM, it’s crucial to recognize that clients possess varying levels of expertise. Some clients have experience in the security field, while others, newer to the domain, may be uncertain about their specific needs. Our duty is to ensure that every client is well-informed about the features of our platform and that we offer diverse solutions tailored to their requirements. We are responsible for providing thorough training to each client, ensuring they understand their expectations on our platform. Above all, it is our responsibility to convey to each client that they are not just a statistic; their significance is paramount to us. During the onboarding process, we meticulously gather details to formulate the best solutions that will drive their program(s) to success. 

With over a decade of experience in various engagements, Bugcrowd possesses a profound understanding of the strategic levers that propel customers to derive optimal benefits from their crowdsourced security programs.

Communicating with the TCSM team

Regular syncs, held weekly, bi-weekly, or monthly, ensure that we remain aligned with our customers’ objectives. Maintaining close communication with each client is imperative to keep them on track and to facilitate their growth on both a corporate and platform level.

Tips to maximize your investment in crowdsourced security with the TCSM team

I’ve been on the TCSM team here at Bugcrowd for almost three years, so I’ve seen the magic that happens when a customer works closely with their TCSM. Here are a few tips for maximizing your investment in Bugcrowd by partnering with your TCSM:

  1. Regular communication—Lean on your TCSM’s advice and join regular syncs to identify quick-wins and areas for growth potential. 
  2. Establish clear expectations—We are here to support you. However, you know your needs better than we do. It is important to discuss expectations because it allows us to align with your needs and begin working towards a goal.
  3. Ask questions—If you require additional clarity on something, ASK. Our job is to ensure you and your team are comfortable on the platform. Our goal is to build a strong partnership to maximize your value on our platform. 
  4. Provide feedback—If you’re unhappy with your program’s results so far, let us know. If you’re happy with your results, also let us know. We will work with you to understand your concerns and goals and will develop a path that aligns with your definition of success. If your program is doing well, we will ensure we do everything possible to make it even better. 
  5. Trust—The end goal for each of us is to ensure you are getting the value that you wish to receive on your program. We rely not only on your feedback, but that of internal teams who may identify additional areas of improvement. 

The post Partnering with Technical Customer Success Managers at Bugcrowd appeared first on Bugcrowd.

The 12 Days of Swagmas https://www.bugcrowd.com/blog/the-12-days-of-swagmas/ Thu, 21 Dec 2023 15:40:18 +0000

🎵 On the first day of Swagmas

Bugcrowd sent to me 

Stickers all about bug bountiessssssss 🎵

There’s no denying it…Bugcrowd’s swag game has always been top tier. Over the past decade, we’ve prioritized rewarding hackers with the coolest stickers, t-shirts, and other swag, so our community can rep the brand that we’ve all built together.

Pic thanks to @rahul0x00 via X

During this festive season, we’ve decided to take a walk down memory lane, remembering swag classics and highlighting new fan-favorites. We asked our hacker community, customers, and employees to share their favorite Bugcrowd swag from the past ten years.

The 12 Days of Swagmas highlights include:

  1. My Other Computer is your Computer
  2. Grace Hopper has a Posse
  3. Classic Horror Movie Series
  4. This LAN is our LAN
  5. P1 Warriors
  6. The Bugcrowd Keyboard
  7. Bug Bash Swag
  8. Outhunt Them All
  9. Top 100 MVP Hackers
  10. Outhack Them All Series
  11. It Takes a Crowd
  12. Ingenuity Unleashed

Check out the pictures below! 


1) My Other Computer is your Computer

Nothing beats the OG Bugcrowd swag. “My Other Computer is your Computer” was an instant classic in the Bugcrowd community. Whether you prefer the English or Russian version, you can find this popular catchphrase printed on stickers, t-shirts, card decks, hats, and more.


2) Grace Hopper has a Posse

Another classic! Grace Hopper is known as a pioneer of computer programming. She developed the first compiler, A-0, and the programming language COBOL. She is also known for popularizing the computing term “bug.”


3) Classic Horror Movie Series

One of our most popular additions to the Bugcrowd swag family is the classic horror movie series. These stickers and t-shirts riff on classic horror movies like It and Jaws, showing the scary side of cybersecurity. 


4) This LAN is our LAN

Another old school classic!


5) P1 Warriors

The P1 Warrior incentive program rewards hackers for their total count of valid P1 submissions in a year. P1 Warriors get some seriously awesome swag!


6) The Bugcrowd Keyboard

Shhhh. The iconic Bugcrowd keyboard can only be spoken about in hushed tones. Reverence is required when discussing this rare artifact. If you’re one of the hackers lucky enough to have this keyboard on your desk, consider yourself lucky.


7) Bug Bash Swag

Honestly, we could do a whole separate post about cool custom swag from bug bashes. From poker chips to boxing gloves to personalized jerseys and bobbleheads, nobody leaves a bug bash empty handed.


8) Outhunt Them All

This character that we refer to as ShadowBuggy perfectly embodies the badass nature of hacking. We’re ditching dated references to hackers in hoodies and showcasing hacking in all of its glory.


9) Top 100 MVP Hackers

Here’s a little throwback from 2018. Five years ago, we compiled the names of our top 100 MVP hackers into this incredible bug design. It was a hit with the hackers on the list, and we love seeing this shirt at conferences like DEF CON.


10) Outhack Them All Series

This series is a favorite within the hacking community. The samurai design was highly coveted when it was first released and is still a favorite giveaway on social media and in conference booths. The retro Outhack Them All t-shirt is another classic, most recently seen worn by hacker Erik De Jong at our BlackHat Europe booth.


11) It Takes a Crowd

Sometimes a design concept and t-shirt come together to create magic…and that is certainly what happened with this highly-coveted “It Takes a Crowd” shirt. The psychedelic space design and unique colors were a hit!


12) Ingenuity Unleashed 

The newest Bugcrowd swag was launched at BlackHat this year. It includes our company mascot, Buggy, and our brand new tagline, Ingenuity Unleashed. Be sure to grab this swag while you have the chance, before it joins the ranks of vintage classics like some of the others on this list!

And that’s a wrap on the 12 Days of Swagmas. Did we miss any of your favorite swag items? Let us know on X (formerly Twitter)! Happy Holidays and Merry Swagmas from Bugcrowd.

The post The 12 Days of Swagmas appeared first on Bugcrowd.

Q&A with Nick McKenzie: CISO Advice, Generative AI, and Security Predictions https://www.bugcrowd.com/blog/q-a-with-ciso-nick-mckenzie/ Tue, 15 Aug 2023 13:30:03 +0000

Bugcrowd recently released the seventh edition of our annual flagship report, Inside the Mind of a Hacker. This report explores trends in ethical hacking, the motivations behind these hackers, and how organizations are leveraging the hacking community to elevate their security posture. This year’s edition takes a special look at the ways cybersecurity is changing as a result of the mainstream adoption of generative AI. As a part of this exploration, we interviewed Nick McKenzie, CISO at Bugcrowd. We’ve included a snippet of that interview in this blog post. Download the report here to learn more about how hackers are using AI technologies to increase the value of their work. 

Tell us a little bit about yourself.

I’ve been in the cybersecurity industry for almost 25 years, and I’ve seen a shocking amount of change. Before Bugcrowd, I served as executive general manager and CSO at National Australia Bank (NAB), one of Australia’s four largest financial institutions. At NAB, I was responsible for overseeing the enterprise security portfolio, which included cyber, physical security, investigations, and operational fraud capabilities to protect customers and employees, support business growth, and enable an operationally resilient bank. 

I currently serve as an advisory board member for Google, Amazon Web Services, Netskope, and Digital Shadows.  

What are the most demanding challenges that CISOs are currently facing in their roles?

CISOs juggle multiple responsibilities, including maintaining a secure foundation and protecting against ever-evolving threats while trying to attract top talent in a highly competitive environment. CISOs must strike a balance between enabling business agility and providing robust protection—all while navigating the intricacies of country-specific technologies and cyber regulations. 

How should CISOs approach working with hackers and implementing crowdsourced security?

By leveraging a select number of curated hackers with small-scope proof of value (POV), CISOs can safely and effectively mitigate the perceived risk of crowdsourced security. Running this POV gives a CISO’s team familiarity with the platform, triage services, and customer success capabilities. As CISOs become more accustomed to the crowdsourced model, they are likely to go wider and deeper—sometimes straight to a public program to glean the ultimate benefits from a bigger, more diverse community of hackers.

In my personal view, the adoption of crowdsourced security does not increase operational risk; instead, it only decreases risk, as it enables the earlier identification of vulnerabilities harvested by experts in the security community before attackers can discover and exploit them. 

In the age of AI, could generative technologies outpace an organization’s ability to establish effective cybersecurity measures?

AI has progressed to the point where it is being used to both weaponize and circumvent traditional controls in organizations’ defenses. For example, more advanced malware, phishing campaigns, deep fakes, and voice cloning are continually being developed. 

As AI advances, CISOs must adapt existing security measures—or introduce new ones—to counter the increasingly sophisticated threats posed by generative technologies. 

Given the potential misuse of generative AI by cybercriminals, should there be stricter regulations on its development and use by hackers, or would that hinder innovation?

Imposing restrictions on the use of generative AI for the hacking community would hinder creativity and create the opposite of the intended effect. Regulations should be put in place across industries and organizations, rather than restricted to hackers. 

How can CISOs strike a balance between enjoying the benefits of generative AI and ensuring they don’t inadvertently contribute to the rise of more sophisticated cyberattacks? 

CISOs must be aware of the duality of generative AI to both benefit from it and prevent its misuse by attackers or employers. Ultimately, it’s a tug of war between threat actors and defenders, who are constantly trying to evolve with the use of AI to outsmart each other. 

Could an increased reliance on generative AI displace human intelligence and diminish the value of hackers?

Generative AI will certainly help with speed and accuracy in vulnerability analysis, but it cannot replace the creativity and diverse perspectives of human hackers. Hackers spend long, arduous hours deconstructing a complex problem or unveiling an abstract vulnerability; presently, this is something that modern AI systems struggle with. 

Considering recent economic headwinds, what suggestions can you give to fellow CISOs who want to increase the ROI from security programs without significantly increasing their budgets?

CISOs should consider investing in newer frameworks and products such as bug bounty programs or penetration testing as a service, which improve time-to-remediation (TTR), digitize the experience end to end, and deliver continuous outcomes across an evolving attack surface. 

What do you predict the next two years of crowdsourced security will look like, and how is Bugcrowd planning to give hackers and customers the best experience?

In the next two years, crowdsourced security will become the preferred model for continuous assurance, incorporating generative AI to improve customer experiences—through things like improved triage and increased integration capabilities—and eventually expand the usage of hacker data. 

The post Q&A with Nick McKenzie: CISO Advice, Generative AI, and Security Predictions appeared first on Bugcrowd.

Hackers Wanted for Aleo’s Inaugural Bug Bounty Program! https://www.bugcrowd.com/blog/hackers-wanted-for-aleos-inaugural-bug-bounty-program/ Thu, 20 Jul 2023 17:36:44 +0000 https://live-bug-crowd.pantheonsite.io/?p=10102

The post Hackers Wanted for Aleo’s Inaugural Bug Bounty Program! appeared first on Bugcrowd.

Attention, hackers! Are you ready to put your skills to the test and leave your mark on the future of blockchain technology? Look no further than our partnership with Aleo, the groundbreaking developer platform for building private blockchain applications using zero-knowledge proofs. In an exciting partnership that puts security at the forefront, Aleo is working with Bugcrowd, the industry leader in ethical hacking, to launch their first bug bounty program. This is your chance to dive into the world of blockchain and help Aleo shape a more secure ecosystem. So, gear up and let the hacking begin!

The Bug Bounty Program Unveiled 

We are thrilled to reveal Aleo’s fully live Bug Bounty Program, hosted on the Bugcrowd platform. This program invites talented and passionate hackers from around the globe to put Aleo’s security defenses to the ultimate test. 

To kickstart the Bug Bounty Program, Aleo has allocated an initial reward pool of $500,000 USD. This substantial amount underscores Aleo’s commitment to recognizing and rewarding the valuable contributions made by hackers (otherwise known as security researchers or white hat hackers). The pool is divided into two tiers, ensuring that efforts of varying magnitudes are duly rewarded. Tier P1 offers rewards ranging from $10,000 to $25,000 for the discovery of critical vulnerabilities, while Tier P2 grants rewards ranging from $5,000 to $10,000 for significant findings. 

Take on the challenge

Are you up for the challenge of securing the Aleo network? Join our Bug Bounty Program, showcase your skills, and help us enhance the privacy and security of Aleo. By actively participating, you become an integral part of the Aleo community, working towards a common goal of building a robust and resilient blockchain ecosystem.

Some key points to keep in mind as you hunt:

  • The program scope currently only focuses on Aleo’s snarkOS and snarkVM repositories.
  • Bounties will be paid based on severity of the bug using the Bugcrowd VRT scoring system.
  • Aleo must remain compliant with OFAC programs, and thus cannot pay out bounties to residents in OFAC-sanctioned countries.

How to Get Started

To participate in the Aleo Bug Bounty Program with Bugcrowd, simply log in to the Bugcrowd platform and look for the Aleo program. There, you’ll find detailed instructions, guidelines, and the necessary resources to embark on your bug hunting journey. For more information, visit the Aleo program brief on the Bugcrowd platform.

Aleo and Bugcrowd: A Powerhouse Collaboration

Aleo’s Bug Bounty Program, in collaboration with HackerOne and Bugcrowd, is an invitation to security researchers and white hat hackers worldwide to help fortify the Aleo network. With Aleo’s security-first mindset and a generous $500,000 USD reward pool, we are committed to fostering a strong and secure blockchain ecosystem. Join us in this exciting journey into the world of blockchain, contribute your expertise, and together, let’s pave the way for a safer digital future with Aleo.

The Three Principles of Bug Bounty Duplicates https://www.bugcrowd.com/blog/the-three-principles-of-bug-bounty-duplicates/ Thu, 29 Jun 2023 21:48:04 +0000 https://live-bug-crowd.pantheonsite.io/?p=9941

The post The Three Principles of Bug Bounty Duplicates appeared first on Bugcrowd.

Introduction to Bug Bounty Duplicates

A duplicate (in the bug bounty world) is a report for an issue that was previously known or identified. However, when determining whether or not a given finding is truly a duplicate, the answer isn’t always cut and dried. Many situations require a non-trivial amount of nuance and context. To help with duplicate evaluation in these cases, we’ve put together a guide for a few common duplicate scenarios, where we explain how Bugcrowd looks at these situations, and how we recommend clients approach them as well. As we go through these scenarios, there are three key principles to keep in mind:

  • Touch the code (or make a change), pay the bug
      • If a finding causes you to make a change—and is in scope + is a vuln that’s rewarded as part of the program brief—it should be rewarded.
  • Similar != same
      • If a finding is similar to another finding, but requires a separate change, it is a unique issue that needs to be rewarded independently.
  • Many != systemic
      • Just because there are many of a particular vulnerability type, that doesn’t mean they’re all part of the same root issue.

The importance of context and nuance in duplicate evaluation

As a quick note, when triaging findings, Bugcrowd’s engineered triage takes all of the above into account (to the best of our abilities—as there are extenuating circumstances in some cases that we don’t have visibility into). We leverage our ML-powered duplicate detection, contextual intelligence from over a decade’s worth of data on vulnerabilities, and human validation to perform a thorough review of any and all findings that come into the platform to ensure (1) duplicates are properly identified; and (2) all unique issues are elevated for review by the client. 

Scenario #1: Multiple SQLi Vulnerabilities

  • A researcher has identified ten SQLi vulnerabilities across your application for a number of different queries and resources. Since they are all SQLi, you decide to pay for one finding and mark the others as duplicates.

This approach is misguided because multiple vulnerabilities of the same vulnerability class are not all the same vulnerability. Seeing a large number of findings of the same vulnerability class reported on a single asset is fairly common—when there are one or two of a vulnerability type, there are usually a lot more. This may be due to the same developers making the same mistake(s) in different places across the attack surface. Like birds, vulns of a feather commonly flock together. 

Assessing Vulnerability Clusters and Determining True Duplicates

In situations like this, it’s important to realize that even though there are many of the same type of vulnerability, they’re sprinkled across the application in different contexts. This means that it’s highly unlikely that they’re all one fix. 

Some of them might be true duplicates. If fixing one removes the need to fix another, refer back to principle #1 from above, “touch the code / make a change, pay the bug.” If, as a result of fixing a vulnerability, one no longer needs to touch the code or make a change to fix another finding, then the latter is truly a duplicate of the former. 

Ensuring Fair Recognition and Reward for Unique Findings

However, it’s imperative that we only mark something a duplicate if it’s truly a duplicate (i.e. fixing the parent finding removes the need to fix the duplicate finding). In the case of having ten SQLi scattered across the application, if we try to reward only one finding and dupe the rest, that’s tantamount to saying that only one change to one area of the codebase was made as a result of those issues. If we look at the situation honestly, had the researcher only reported one of the ten SQLi issues, and that issue got fixed, there would likely still be at least nine other vulnerabilities floating around even after the first one was remediated—because each requires a unique fix. It may be tempting to assert that they’re all one and the same, but that is very rarely the case.

THINGS TO KEEP IN MIND

In some cases, some might assert that implementing a WAF (or WAF rule) could count as a single “fix.” For instance, one could implement a WAF rule that blocks any injection of double quotes that were otherwise required for the SQLi vulnerability. In doing so, all the SQLi issues are no longer exploited, and are thereby “remediated.” However, from Bugcrowd’s view, findings need to be rewarded from the perspective of how they would be remediated in the underlying codebase, and not at the WAF layer. Adding a WAF rule or similar blocking mechanism is a half-measure that will invariably have a hole of its own at some point in the future that will leave the still-vulnerable application underneath exposed. There’s no shortage of WAF bypasses or other creative mechanisms that researchers have found to get around these controls, and as such, (1) any remediation should always start at the application layer; and (2) rewards should be administered based on fixes to the codebase, and not the WAF.

Scenario #2: Reflected XSS Vulnerabilities with Common Parameters

  • A researcher identifies 15 reflected cross-site scripting (XSS) vulnerabilities across a number of pages on your application—however, they are usually in one of three parameters: “page=”, “id=”, and “utm=”. Since they are all on unique pages (e.g. /view, /news, etc.), and we previously talked about how it’s important to pay for all unique issues, you decide to pay for each finding independently.

This is partially correct, and partially incorrect. It is correct in that we want and need to reward for all the unique findings, given that these issues appear to be originating from three unique parameters. The most common outcome here is that there would be three unique findings (one for each vulnerable parameter), and the rest would be marked as duplicates of the initial issue for each parameter. 

Understanding Duplicates in Multi-Parameter Vulnerability Scenarios

But this is not always the case. Sometimes the same parameter name is handled differently by different pages. Whether that is so can be evaluated by looking at where the injection is reflected back on the page, and whether it’s the same place for each parameter on each page. If it is the same place, they’re likely the same issue / underlying function applied on the different pages—despite appearing on unique URLs. In cases like this, fixing the underlying function will remediate the issue on every page where that function is called, and so Bugcrowd will mark the initial finding for each parameter as unique, and then mark all subsequent ones for those parameters as duplicates. 

THINGS TO KEEP IN MIND

It’s worth noting that in a good number of cases, even multiple parameters will be duplicates of one another across the same or multiple pages if they’re fundamentally part of the same issue. A good example of this is when the page URL is printed in the page content. In such cases, the URL could have 30 parameters, or even a fake parameter added to it, and all of them would be reflected back in the page via the same function on the backend—which again would only take a single fix to remediate, and thereby only be eligible for a single reward across all the parameters and pages that have this issue.

In doing so, we’re adhering to the principles outlined earlier: paying for all the places where the code is being changed (once per underlying function that will be fixed per parameter), and also keeping in mind that “similar != same.”

Scenario #3: CSRF Findings on Multiple Pages/Endpoints

  • A researcher submits 50 cross-site request forgery (CSRF / XSRF) findings against the application, one for every available page/endpoint, since there is no anti-CSRF token present anywhere on the app. Since they’ve identified 50 points where there’s an issue, should they be paid out for 50 findings? 

This is where our third principle of duplicates comes into play: many != systemic. As we saw in the first and second examples, many issues of a vulnerability class don’t mean that it’s automatically systemic, or that it should be condensed to a single finding. With certain bug classes, though, it is possible to have systemic issues—CSRF being a notable example.

Clarifying Systemic Vulnerabilities and Their Influence on Payouts

If the application had anti-CSRF protections in 45 of the 50 places, and was just missing them in five of them, then each instance of missing CSRF protection would be a unique finding. This is because the protection exists; it just wasn’t applied on those specific endpoints. However, since in our example there was no anti-CSRF protection anywhere on the application, it’s possible that once they turn it on (especially in modern frameworks), it’ll automatically apply itself to all of the pages/endpoints for the application, and resolve the many with a single code change. Now, this isn’t always the case, but it very commonly is (specifically with CSRF). In such situations, we’ll label the issue as “systemic,” reward the first report, and mark all subsequent reports as duplicates. 

THINGS TO KEEP IN MIND

After the mitigation is applied, if there are places where the systemic fix doesn’t cover all the bases, then those would be net-new unique vulnerabilities that should be rewarded independently.

Other examples of systemic issues include subdomains that are load balanced or resolve to the same host. This is where reporting an issue on one will make it immediately applicable to all other subdomains that share the same codebase or host, etc. This isn’t an exhaustive list—just a couple examples of how/where vulnerabilities can be systemic.

Navigating Duplicates with Confidence

Hopefully this guide provides some context around how, when, and why duplicates are duplicates. It’s important to remember that in all cases relating to duplicates, it’s critical to interrogate and evaluate the situation, as context matters significantly. Many times it requires reviewing the codebase to see how many fixes a given bug will take to remediate. So, remember the three principles mentioned earlier:

  1. Touch the code (or make a change), pay the bug
  2. Similar != same
  3. Many != systemic
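The three principles can be expressed as a small triage model. The following is an added example, not Bugcrowd’s triage code: it assumes that a reviewer has already read the codebase and assigned each report a remediation key (the code unit that would change to fix it), and the findings, pages, parameters and sink names are constructed for the three scenarios above.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    report_id: int
    vuln_class: str       # e.g. "SQLi", "Reflected XSS", "CSRF"
    location: str         # endpoint and parameter as reported by the researcher
    remediation_key: str  # code unit that must change to fix it (codebase view, never the WAF layer)


def dedupe(findings: Iterable[Finding]) -> Dict[int, Optional[int]]:
    """Principle 1: touch the code, pay the bug.

    Findings that need the same code change share a remediation key. The
    earliest report for each key is unique (verdict None); later reports are
    duplicates and map to the report they duplicate.
    """
    verdicts: Dict[int, Optional[int]] = {}
    first_by_key: Dict[str, int] = {}
    for f in sorted(findings, key=lambda x: x.report_id):
        parent = first_by_key.get(f.remediation_key)
        if parent is None:
            first_by_key[f.remediation_key] = f.report_id
        verdicts[f.report_id] = parent
    return verdicts


def unique_count(verdicts: Dict[int, Optional[int]]) -> int:
    """Number of rewardable (non-duplicate) findings."""
    return sum(1 for parent in verdicts.values() if parent is None)


def xss_key(page: str, param: str, sink: str, shared_sink: bool) -> str:
    """Principle 2: similar != same.

    A reflection is the same issue when one shared back-end function reflects
    the value on every page (the fix lives in that function). When each page
    reflects it through its own code path, each path is a separate fix.
    """
    if shared_sink:
        return f"xss:{sink}"
    return f"xss:{page}:{param}:{sink}"


def csrf_keys(endpoints: List[str], protected: Set[str]) -> Dict[str, str]:
    """Principle 3: many != systemic.

    CSRF is systemic only when no protection exists anywhere: enabling the
    framework's protection is one change covering every endpoint. When it is
    present on some endpoints and missing on others, each gap is its own fix.
    """
    missing = [e for e in endpoints if e not in protected]
    if not protected:
        return {e: "csrf:enable-framework-protection" for e in missing}
    return {e: f"csrf:{e}" for e in missing}


def triage_scenarios() -> Dict[str, int]:
    """Run the guide's scenarios on constructed findings; return unique counts."""
    results: Dict[str, int] = {}

    # Scenario 1: ten SQLi in ten different queries -> ten separate fixes.
    sqli = [Finding(i, "SQLi", f"/api/resource{i}?q=", f"sqli:query{i}") for i in range(1, 11)]
    results["sqli_ten_queries"] = unique_count(dedupe(sqli))

    # Scenario 2: fifteen reflected XSS on five pages via three parameters,
    # each parameter reflected by one shared helper -> one fix per parameter.
    pages = ["/view", "/news", "/search", "/help", "/about"]
    params = ["page", "id", "utm"]
    xss, rid = [], 100
    for page in pages:
        for param in params:
            key = xss_key(page, param, sink=f"render_{param}()", shared_sink=True)
            xss.append(Finding(rid, "Reflected XSS", f"{page}?{param}=", key))
            rid += 1
    results["xss_three_params"] = unique_count(dedupe(xss))

    # Scenario 2 caveat: the whole request URL is echoed into the page, so
    # thirty parameters (even invented ones) reflect via one function -> one fix.
    echo = [Finding(200 + i, "Reflected XSS", f"/view?p{i}=",
                    xss_key("/view", f"p{i}", sink="echo_request_url()", shared_sink=True))
            for i in range(30)]
    results["xss_url_echo"] = unique_count(dedupe(echo))

    # Scenario 3: fifty CSRF reports with no protection anywhere -> systemic, one reward.
    endpoints = [f"/action{i}" for i in range(50)]
    keys = csrf_keys(endpoints, protected=set())
    csrf_all = [Finding(300 + i, "CSRF", e, keys[e]) for i, e in enumerate(endpoints)]
    results["csrf_systemic"] = unique_count(dedupe(csrf_all))

    # Same app, but 45 endpoints already protected: the five gaps are five fixes.
    keys = csrf_keys(endpoints, protected=set(endpoints[:45]))
    csrf_gaps = [Finding(400 + i, "CSRF", e, keys[e]) for i, e in enumerate(endpoints[45:])]
    results["csrf_five_gaps"] = unique_count(dedupe(csrf_gaps))
    return results


if __name__ == "__main__":
    for scenario, n in triage_scenarios().items():
        print(f"{scenario}: {n} unique, rewardable finding(s)")
```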

As long as you’re taking these principles to heart in each situation, it’s unlikely that you’ll get it wrong. If you have any questions, the Bugcrowd team is always here to help and provide advice. 

Finally, if nothing else, always remember, whether it’s updating documentation or the codebase—“touch the code or make a change, pay the bug”. 

Good luck and happy hunting!

Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence https://www.bugcrowd.com/blog/ptaas-takes-home-five-awards/ Thu, 11 May 2023 17:15:02 +0000 https://live-bug-crowd.pantheonsite.io/?p=9742

The post Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence appeared first on Bugcrowd.

Since launching new self-service capabilities within our Penetration Testing as a Service offering last month, we’ve already seen wide recognition of the technology’s ability to empower buyers to purchase, set up, and manage pen tests directly online, cutting out the need for lengthy sales calls and scoping sessions. 

In 2023 alone, Bugcrowd, and in particular these new PTaaS capabilities, has won five distinct industry awards. This recent string of wins demonstrates Bugcrowd’s persistence in delivering industry-leading solutions to the market and validation as an accomplished and preeminent organization throughout cybersecurity.

Most recently, our team was recognized by Cyber Defense Magazine’s Global InfoSec Awards as a Hot Company in the Penetration Testing Category for our PTaaS capabilities, along with being recognized as a Gold Winner in the 19th Annual Globee® Cyber Security Awards for the technology. Additionally, Bugcrowd PTaaS was recognized as the Gold Winner in the Pentest-as-a-Service category in the 2023 Cybersecurity Excellence Awards among North American companies between 1,000 and 5,000 employees.

As an organization, we took home two more wins in the Cybersecurity Excellence Award program with recognition as Gold Winner for Cybersecurity Provider of the Year and Silver Winner for Best Cybersecurity Company.

For one, I am so proud to see all of these incredible wins. It’s a huge testament to our stellar team and technology! At Bugcrowd, we are committed to delivering the very best crowdsourced solutions to our customers and ultimately fulfilling our mission to democratize security testing for all.

Our team has taken major strides over the course of the past year to walk out this mission, including a major upgrade to our PTaaS offering, all aimed at staying at the forefront of innovation and leadership within a very saturated cybersecurity market. With a surge of vendors offering security testing solutions, a common concern that we hear is that vulnerability assessments in the market today are often shallow and low impact. 

Our goal was to provide a human-driven, high-impact pen test with a team matched to their precise needs with just a few clicks, cutting configuration time from days to hours. These recent award wins validate our work and the direction we’ve been laser-focused on. By focusing our priorities on our employees, the hacker community, partners and vendors, we are excited to build upon this momentum throughout 2023!

To learn more about our award-winning PTaaS offering, which is now available globally, visit https://www.bugcrowd.com/products/pen-test-as-a-service/.

Researcher Spotlight: Paolo Arnolfo (sw33tLie) https://www.bugcrowd.com/blog/researcher-spotlight-paolo-arnolfo-sw33tlie/ Mon, 01 Aug 2022 16:00:03 +0000 https://live-bug-crowd.pantheonsite.io/?p=7459

The post Researcher Spotlight: Paolo Arnolfo (sw33tLie) appeared first on Bugcrowd.

Paolo Arnolfo, also known as sw33tLie, has always been fascinated by computers and software, but it wasn’t until three years ago he discovered bug bounty platforms. This discovery changed his life, as he realized he could do what he loved full-time… hacking. It’s not often we get to combine passion and income, but for Paolo, he made this dream a reality. Check out how below! 

Tell us what you do for a living!

“I try to hack things and, when successful, I get paid for it. Sometimes that works, often it doesn’t…but failure is part of the process, right? I also enjoy writing security-related tools, and have a few public ones on my GitHub profile.”

There’s no success without failure. 

What sparked your interest in hacking?

“I have always been fascinated by computers and software in general. When I was younger I wanted to become a developer, but over time I realized I was more attracted by the security implications of writing code in certain ways. From there, hacking software made by some of the largest companies in the world felt like a great challenge, so I did just that.”

Way to step up to the challenge! 😎

How did you get into Cybersecurity? How long have you been hunting?

“I got seriously into cybersecurity when I realized bug bounty platforms were a thing, around 3 years ago: I wish I had started earlier! It felt great to figure out I could make money doing the things I loved.”

It’s never too late to start. If you’re thinking about getting into Bug Bounty, go for it! 

How have bug bounties impacted your life?

“Quite frankly, bug bounties made my life a lot better on multiple levels. The most important thing is that they allowed me to get in touch and collaborate with many of the best hackers in the world. This was (and it still is!) a great opportunity to make new friends and learn new things, some of which you can’t just grasp by reading books or blog posts.”

Making us emotional over here. 🥹

Are you a part-time or full-time hacker? How much time do you spend hacking?

“I’m a full-time hacker, thus I spend most of my work time hacking. However, “hacking” doesn’t only mean directly attacking a target. It also means reading books, learning new things, writing code, and even randomly chatting with other hunters on Slack. Doing many different things helps not to get bored, and in this field, there are many options available!”

What has been your biggest challenge while hacking? How did you overcome it?

“There are many tough challenges to overcome when doing bug bounties, but one of the hardest ones for me is staying focused. That’s easy when you have a super cool bug you’re working on, but it becomes harder when it has been a while since the last time you had found something interesting. When that happens, I try to hack something else or, if needed, take a small break and come back at it later.”

See… 👀 Breaks are important. Make sure you give yourself time to rest and recharge. 

Do you have any favorite tools or resources to learn? Why?

“I really like uncommon bugs. Bugs that you know the other side (triage) will enjoy reading and likely won’t be duplicates. Weird edge cases that nobody had deeply studied before. Any resource from people like James Kettle (@albinowax) or Frans Rosen is good material on that front.”

Save these #BugBountyTips. 👆📲

Do you have any advice for new hackers or people transitioning into bug bounty?

“Read a lot, be curious, and don’t forget to network with the right people! Also, when making the jump, don’t expect to make money from day one (or month one). Always have a backup plan during the transition.”

What’s an important lesson that you wish you learned early on in your hacking career?

“Quick dirty scripts can sometimes work just as well as well-written software. And often, that means saving a lot of time, which is a scarce resource. This has been difficult to accept but it’s one of these things that separates software engineering from bug bounty hunting: breaking stuff doesn’t have to be elegant!”

How do you avoid burnout? How do you take care of yourself and your mental health?

“Thankfully, I’m not one of those people that regularly suffer from burnout: in fact, I don’t think I can say I ever experienced a serious one. However, as I said before, I do lose focus and interest in hacking from time to time. I think the best way to overcome these challenges is to leverage the freedom that bug bounties give us and take breaks when needed: this is why it’s crucial to have some spare money to make that possible.”

Where do you see your journey going from here? What are some goals you have for this year?

“Finding more bugs is always the goal, but more specifically, I want to focus on my automation so that it can find unique behaviors that normal scanners miss. Time will tell if that works or not!”

Why do you hunt with Bugcrowd?

“Like most full-time hackers, I hunt on all major bug bounty platforms as a way to maximize the scope I’m legally allowed to hack. However, Bugcrowd is certainly the platform I enjoy most and where things go very smoothly most of the time. I love the crazy fast triage times for critical bugs, all the good things Bugcrowd does for researchers, and interacting with the people working there.”

We feel the same about you, sw33tLie, you’re awesome! 

What does your life look like outside of hacking (family/hobbies)?

“I’m 21 and, apart from spending too many hours in front of a computer, I am not very different from my peers. In my free time, I enjoy playing the piano and hanging out with friends. Life outside hacking can often be interesting, especially when you get asked what you do for a living. Career advice: it seems there are many people out there that would love to hack somebody else’s Instagram account. Instead of the word “hacker”, use “security engineer”…it will help!”

Who is your hero? (hacking and/or life)

“Hero is a big word, but if there’s a person I truly admire in the field it has to be Guillermo Gregorio (@bsysop). I collaborate with him most of the time because it just works well for us, and trust my words, he’s crazy, in a good way. I sometimes ping him at the weirdest times, and he always replies quickly: I’m not sure if he even sleeps! bsysop always has your back. He truly is a good vibes guy and I’m sure everyone in the community agrees on this. Super recommended, but please, don’t steal my collab buddy too much! I feel I will regret these words…”

Bsysop, if you’re reading this, we also think you’re pretty cool. We love to see all of you researchers collaborating, as it will always improve your skills and possibly create long-lasting friendships.

Want to stay caught up with all things Bugcrowd? Follow our Twitter and join our Discord! Ready to join sw33tLie as a bug hunter? Sign up for a researcher account today and start hacking!

Atlassian’s CISO tells the story of his journey from hacker to security executive https://www.bugcrowd.com/blog/security-flash-atlassian/ Wed, 26 Aug 2020 00:00:00 +0000 https://www.bugcrowd.com/security-flash-atlassian/

The post Atlassian’s CISO tells the story of his journey from hacker to security executive appeared first on Bugcrowd.

Cybersecurity researchers and ethical hackers work against bad actors for the good of society. But who are these security researchers? Ashish Gupta, CEO at Bugcrowd, spoke to Adrian Ludwig, CISO at Atlassian, to get the lowdown on his journey from hacker to security executive, how he manages security for such a diverse IT environment, and how he’s bringing crowdsourced security to the wider community.

How did you end up working in cybersecurity?

Adrian: I started out at the NSA – mainly because they offered to pay for me to go to college, which was an opportunity I might have missed out on otherwise. I was originally interested in cryptography, but then I discovered something even more exciting – ethical hacking. Following my time at the NSA, I had security roles at Adobe Systems and Android. I also spent several years consulting, which involved helping to find vulnerabilities in various web apps and operating systems. In 2018, I joined Atlassian as CISO, so now I’m responsible for protecting assets from the inside.

How has cybersecurity changed over the years in your experience?

Adrian: For me, cybersecurity has always been about trying to solve interesting problems, but the landscape has evolved, which has demanded a different approach. Early on, security was primarily seen as a technical issue, whereas now, a lot of the problems in the security space are organizational, so that’s where I try to focus – on people, process, and organization.

Having been on both sides, can you share any insights into the relationship between hackers and security personnel?

Adrian: Twenty years ago, the two communities didn’t interact much – the hackers and the people building defenses were pretty separate. Most people didn’t have a very good grasp of bug hunters at all, to be honest – there was just their glorified image in movies like Hackers or The Matrix. Now, I think there’s a much better understanding of what attackers do and how they work, and greater interaction between those communities.

You’re responsible for security for a large and diverse IT environment – how do you ensure everything gets fixed?

Adrian: I don’t think it’s always necessary, or even possible, to fix absolutely everything. My job is more about identifying the right things to fix. A lot of it is pretty basic – making sure you’re updating and patching systems on a regular basis and frequently checking your infrastructure. With continuous updates, you create an environment that’s much harder for an attacker to get to grips with, and if you’re interacting with the environment regularly you’re more likely to identify anomalies that could indicate a problem. One of the key lessons I’ve learnt over the years is that it’s impossible to know about everything in a modern enterprise, so I don’t expect to. I trust in my team and each member’s ability to handle their specific area of responsibility. It’s a strategy that’s working so far – we’re well-equipped to defend against any potential attack.

Why do you use crowdsourced security?

Adrian: We’re bound to have some blind spots, and they’re what concern me the most. But that’s where diversity comes into play. With people from various different backgrounds and with a multitude of experiences, we’re more likely to pick up issues faster. That’s why working with a broad set of people outside the Atlassian environment to look at our systems is incredibly important. No matter how much pen testing we do, no matter how many internal evaluations or analysis tools we run, it’s always going to be beneficial to have other people checking our environment. It’s a win-win situation – either the Crowd finds something we didn’t see, in which case we can fix it. Or they don’t find anything, which validates our efforts.

How are you bringing crowdsourced security to the wider community?

Adrian: At Atlassian, we have a whole ecosystem of partners creating applications that plug directly into the Atlassian infrastructure to extend its functionality, and we make their applications available via our ecosystem marketplace. Many of these partners are fairly small development companies that don’t necessarily have enough employees to warrant a CISO or even a full-time security person – certainly nobody that’s dedicated their life to security. We’ve put a lot of effort into working out how to give those smaller developers access to security talent and robustness. Some of this involves proactive reviews on our part, but we’re also starting to expand our bug bounty program to include coverage for the marketplace as well, so they can leverage the benefits that we’re getting. It’s good for them, good for us, and of course better for our customers as they know they can trust the security of marketplace products as much as our own.

“It’s a win-win situation – either the Crowd finds something we didn’t see, in which case we can fix it. Or they don’t find anything, which validates our efforts.” Adrian Ludwig, CISO, Atlassian

To find out more about Adrian and his work at Atlassian, go to https://www.atlassian.com/blog/technology/a-conversation-with-adrian-ludwig-our-ciso

