Program Launches Archives | Bugcrowd
https://www.bugcrowd.com/blog/category/program-launches/
#1 Crowdsourced Cybersecurity Platform
Thu, 19 Oct 2023 22:09:07 +0000

How T-Mobile Is Using a New Bug Bounty Program to Keep Customers Safe from Harm
https://www.bugcrowd.com/blog/how-t-mobile-is-using-a-new-bug-bounty-program-to-keep-customers-safe-from-harm/
Wed, 30 Aug 2023 15:00:00 +0000

This Q&A was originally posted on T-Mobile’s site and can be found here.  

A “threat actor” might sound like a character from some doomed Greek tragedy, but in today’s world they actually inhabit the digital stage, as individuals or groups that attack digital devices, networks or computer systems. 

“Fighting threat actors at T-Mobile is an all-day, everyday team sport,” says Mark Clancy, SVP of Cybersecurity at T-Mobile. “Like all major companies, we face actors from around the globe with the intent to steal information, abuse our systems, or disrupt our operations. Services we provide to customers and partners on the internet are a frequent target of interest for these actors, and ensuring these are free from security flaws with our bug bounty program is essential.”

That is why the company turned to Bugcrowd, the leading provider of crowdsourced security. Its platform runs “bug bounty” programs, which pay ethical hackers to locate vulnerabilities so they can be addressed before bad guys find them. And even just two months into the partnership, Clancy says T-Mobile is benefiting.

“The key to a good bug bounty program is to find things you did not know about before and mitigate them quickly,” he says. “We have been very happy with the rigor and velocity of execution as we ramped up the partnership.”

So how exactly does a bug bounty program work? Here, on the heels of both companies attending the preeminent cybersecurity conference Black Hat in Las Vegas recently, we talk to Casey Ellis, founder and CTO of Bugcrowd, to find out more about bug bounty programs and how his company is working with T-Mobile to help keep its customers safe.

What is a bug bounty program and what kinds of companies have them?

A bug bounty program is a sponsored, organized effort that compensates ethical hackers for surfacing and reporting otherwise unknown network and software security vulnerabilities, enabling digitally connected businesses to manage and reduce their cybersecurity risks. The combination of the diversity of participants and the “pay on success” model is orders of magnitude more effective than traditional consulting approaches to risk discovery.

Bug bounty programs have continued to grow in scope and popularity, partly due to current security resource models and cost. They can help close the gap between security and development.

Because of the nature of crowdsourced security, there is a misconception that only tech companies use bug bounty programs. This simply isn’t true. Most industries leverage bug bounty programs, even highly regulated industries such as financial services and government. 

Can you walk us through the concept behind crowdsourced security, and how that drives your particular bug bounty program?

The idea behind crowdsourced security is really a simple one — I wanted to build a platform that connects the latent potential of those who hack in good faith around the world with as much of the global cybersecurity community as possible. Crowdsourced security provides the internet builders and defenders with an army of allies to take back control and outpace threat actors.  

So many of the pain points that inspired crowdsourced security a decade ago still exist today — multiplying attack surfaces, under-resourced and overburdened teams, and cutting-edge threat actors.

Crowdsourced security helps organizations stay ahead of attackers before they even think about striking, empowering organizations to proactively safeguard their brand and intellectual property while taking back control.

How does this all work with partnership between T-Mobile and Bugcrowd?

Here at Bugcrowd, we love working with customers like T-Mobile who are so committed to protecting their customers, employees, partners and brand. T-Mobile’s bug bounty program launched in July as an opportunity for hackers to hunt on T-Mobile’s applications and systems in order to find potential security vulnerabilities and report them. From there, T-Mobile evaluates the reported vulnerabilities and promptly takes appropriate action.

To encourage research and responsible disclosure of security vulnerabilities, T-Mobile is inviting ethical hackers to work on this program and have a chance to earn a range of payments, dependent on the criticality of the vulnerability submitted. 

It has been really amazing to watch the success of this program over such a short time since launch — we’re seeing incredibly fast remediation times. We’re proud to partner with T-Mobile to help keep their systems secure.

How do you see cybersecurity evolving over the next few years?

Traditionally in security, we fall back on the fundamentals, which is the right place to start. The simple things are vital for a reason. Do them well and ensure that your organization is capable of “outrunning the other guy” before it attempts to “outrun the bear.”

That being said, we’re really entering a new era of cybersecurity, and I believe security is going to become a lot less predictable. One reason for this is the impact of generative AI becoming mainstream. Aspects of hacking are being automated, creating a swath of new techniques, threats, vulnerabilities and opportunities for impact. A broader variety of threat actors now have access to more powerful tools to create a bigger impact faster. If you want to learn more about this, I recommend checking out Bugcrowd’s newest report, Inside the Mind of a Hacker, which dives into the ways hackers are leveraging generative AI.

What makes you confident that Bugcrowd will be ready for this future, and able to continue to help companies like T-Mobile keep threat actors at bay?

At Bugcrowd, we talk a lot about the “burglars and locksmiths” of cybersecurity. Think of threat actors as burglars and the hackers helping organizations through crowdsourced security programs as locksmiths. Both parties use creative ways to try to open a locked door, but only locksmiths have good intentions.

Even though there are a lot of concerns out there about the ways threat actors are going to leverage generative AI, we can’t forget that the locksmiths have access to the same cutting-edge AI technology. According to the “Inside the Mind of a Hacker Report,” 94% of hackers plan to start using AI in the future to help them ethically hack. I’m really encouraged by the ways I’m seeing the hacker community leverage generative AI as a way to streamline their security research workflows.

It’s exciting to partner with industry leaders like T-Mobile, because together we can really make a difference in cybersecurity. By continuing to empower hackers on crowdsourced security platforms, we start to level the playing field, ultimately helping organizations keep their systems and data secure. 

T-Mobile and Bugcrowd launched a revamped public bug bounty program on August 30, 2023. Security researchers can earn up to $10,000 per vulnerability found. To learn more or sign up, check out Bugcrowd.com/T-Mobile.

The post How T-Mobile Is Using a New Bug Bounty Program to Keep Customers Safe from Harm appeared first on Bugcrowd.

[GUEST POST] Ibotta Launches Public Bug Bounty Program with Bugcrowd to Secure Payments Ecosystem
https://www.bugcrowd.com/blog/ibotta-launches-public-bug-bounty-program-with-bugcrowd-to-secure-payments-ecosystem/
Thu, 10 Oct 2019 00:00:00 +0000

This guest blog was authored by the Ibotta Security Team.

Earlier this year we launched Pay with Ibotta, our first-ever payments solution to provide customers with instant cash rewards at the point of purchase. Leading global brands including AMC Theaters, Banana Republic, GameStop, Peet’s Coffee, Sephora, and more rely on Ibotta to keep the payments of their end-users secure. And we take that responsibility seriously. 

Trust is at the core of our mission to create a more secure payments ecosystem where every purchase is rewarding. We’ve done a good job to date of building this, but recognize we can’t do it alone. So today, we’re excited to announce the extension of our private security bug bounty program to a paid, public bug bounty program with Bugcrowd.

Bugcrowd leverages the combined skills and creativity of a global team of security researchers to help companies discover and remediate vulnerabilities more efficiently than traditional methods, and before they can be exploited by bad actors. The expansion of our program is a natural follow-up to the success we’ve seen on the program to date.

Since launching our private program in 2015, we immediately saw a return on investment, with the Crowd surfacing P1s and P2s. We also highly valued the smaller bugs that could have been exploited for larger impact. These often helped educate our developers by providing a clearer understanding of assets that weren’t previously considered attack vectors. To date, we’ve rewarded more than $30,000 to the Crowd, and we look forward to doubling down on application security to support the launch of Pay with Ibotta.

Our Ibotta customers, who we refer to as “savers,” rely on their balances accrued within the platform. From saving up for family vacations to helping tide them over between paychecks, savers rely on the money they’ve earned with us to help them drive what’s important. So we’re looking to the Crowd to help us better understand — Are we exposing data that we’re not trying to? Can you log in as another user? What systems should we prioritize? 

All domains and properties of Ibotta are in scope, and we continually push out new code on a daily and bi-weekly basis for our web and mobile interfaces. To show our appreciation for your time, skills, and efforts, we’re offering monetary rewards of up to $5,000 for any valid, non-duplicate submission.

Our team is excited to kickstart this renewed approach to security, tapping the combined experience and breadth of a crowd of security researchers. If you’re interested in participating in the program, visit the page on Bugcrowd — we can’t wait to collaborate.

_____

To learn more about Bugcrowd’s managed Bug Bounty programs, visit https://www.bugcrowd.com/products/bug-bounty/.

The post [GUEST POST] Ibotta Launches Public Bug Bounty Program with Bugcrowd to Secure Payments Ecosystem appeared first on Bugcrowd.

[GUEST POST] Auth0 Launches Bug Bounty Program
https://www.bugcrowd.com/blog/guest-post-auth0-launches-bug-bounty-program/
Tue, 01 Oct 2019 00:00:00 +0000

This guest blog is authored by Jeana Tahnk, director of global communications at Auth0, and originally appeared on the Auth0 blog.

Auth0, a global leader in Identity-as-a-Service (IDaaS), today announced the launch of a private bug bounty program to further reinforce its emphasis on security and ensure that its customers are protected from any vulnerabilities.

The private bug bounty is a specialized program that will allow Auth0’s security team to partner with selected researchers to source potential vulnerability discoveries in exchange for monetary rewards. The bug bounty will be run on Bugcrowd and will expand the company’s current Responsible Disclosure Program, which is already in place.

“We take the privacy and protection of our customers’ data very seriously and are dedicated to investing the time and resources into ensuring we adhere to the highest standards,” said Joan Pepin, CISO and VP of Operations at Auth0. “Our security program is maturing rapidly, and the launch of this bug bounty program reinforces our dedication to our customers and the highest level of security we offer them.”

Bugcrowd will select and invite security researchers registered on its platform based on skills and experience. Each report verified by Bugcrowd’s Application Security Engineer team will then be sent to the Auth0 Product Security team to assess the severity of the finding, assign the researcher a monetary reward, move the issue to its internal vulnerability database, and work with the relevant Product and Engineering teams towards remediation.

“Bugcrowd deploys a global Crowd of diverse, creative, and highly-skilled security researchers to identify and solve security challenges,” said Ashish Gupta, CEO at Bugcrowd. “The result is our ability to provide highly specialized security expertise to the high caliber of companies we work with. We are really excited to be supporting the launch of Auth0’s Bug Bounty Program and serve as an extension of its security team.”

The program is launching with approximately 25 global researchers who have been identified and invited by Bugcrowd, and will increase in number later this year.

Auth0 is a trusted security partner to its customers and has achieved certification against many important compliance standards, including HIPAA, SOC 2 Type II, ISO 27001, ISO 27018, and more. Please visit Auth0 Security for more information.

About Auth0

Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company’s U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries.

For more information, visit https://auth0.com or follow @auth0 on Twitter.

For more information on Bugcrowd’s managed Bug Bounty Programs, visit: https://www.bugcrowd.com/products/bug-bounty/

The post [GUEST POST] Auth0 Launches Bug Bounty Program appeared first on Bugcrowd.

[Guest Post] Arkose Labs Adds a Private Bug Bounty Program to Crowdsourced Security Breadth
https://www.bugcrowd.com/blog/arkose-labs-adds-private-bug-bounty-program/
Tue, 23 Jul 2019 00:00:00 +0000

Guest post by Anna Westelius, Senior Director of Engineering, Arkose Labs

Arkose Labs is thrilled to launch a private bug bounty program in conjunction with its public bug bounty program with Bugcrowd — the #1 crowdsourced security platform. The private program scope will be revealed to Elite hackers who are invited to participate, while the public program will continue to be open to all of Bugcrowd’s hacker community.

Arkose Labs is an authentication system solving multimillion-dollar fraud problems for the world’s most targeted businesses. With a bilateral approach that combines telemetric decisioning and a proprietary challenge-response mechanism, Arkose Labs removes the economic incentive attackers rely on to commercialize inauthentic activity.

As a security company with an end-user-facing product, we’re likely targets for a wide range of attackers with strong financial incentives. To ensure maximum protection for our clients, these products must undergo the most stringent and thorough security testing throughout the development lifecycle and prove effective and efficient.

To that end, Arkose Labs does extensive testing on all its releases, including third-party security testing and internal testing of challenge mechanics. Because of the nature of the business, Arkose Labs deals with unique security challenges as well. Cracking our challenge-response mechanism, Enforcement, requires a very specific skill set (machine learning plus hacking) that is not commonly found in combination, which makes hiring for the role difficult and may not be as effective.

With a private crowdsourced security program, Arkose Labs gains access to Bugcrowd’s Elite Crowd, and is able to tailor its testing pool based on specific skill sets, has more direct communication with a smaller group of testers, and harnesses the power of the crowdsourced model while retaining more control. 

The Bugcrowd Elite Crowd comprises the top researchers, measured in two key areas:

  • Skill — A standard of high-impact submissions, averaging only high and critical submissions across a range of specific attack surface areas. 
  • Trust  — Proven trust through ID verification and success working on private programs for top customers.

After launching the public bounty program in the fall of 2018, we saw significant value in crowdsourced security, specifically around the value added to the development process. It’s not just the after-the-fact testing you get with traditional penetration testing. Utilizing crowdsourced testing as an additional validation step during development allows us to test features against “real world” attackers before release. We also gain continuous assurance of the stability and strength of our various product features and insight into how attackers might go about exploiting them. These benefits guide the future of our security design with working knowledge of the reliability of challenge mechanics deployed through Enforcement.

Of course, when we first set out on this journey, there were apprehensions. We worried that the Crowd wouldn’t consist of enough experts within our field, given that we are in a very narrow speciality, and we worried about making our systems available to potential “gray hats” who’d use the program to gain access to resources which would further allow them to exploit. However, we quickly found that Bugcrowd mitigated all those fears, demonstrating ROI and flexibility to work with our specific needs right from the onset. 

We’re excited to be launching this private bug bounty program to build on our defense-in-depth strategy. Bugcrowd is a valued partner in extending our security team with hundreds of highly skilled and diverse whitehat hackers, and a team of security experts that help us triage vulnerability submissions as they come and manage the ins-and-outs of our crowdsourced security programs.

The post [Guest Post] Arkose Labs Adds a Private Bug Bounty Program to Crowdsourced Security Breadth appeared first on Bugcrowd.

[Guest Post] Vulnerability Disclosure at Okta: Everything You Need to Know
https://www.bugcrowd.com/blog/guest-post-vulnerability-disclosure-at-okta-everything-you-need-to-know/
Tue, 23 Jul 2019 00:00:00 +0000

This guest blog is authored by Matias Brutti, Director of Research and Exploitation at Okta, and originally appeared on the Okta Security Blog. 

Protecting our customers, partners, and other stakeholders has always been the Okta Security Team’s top priority. We have invested heavily in our security infrastructure in support of this mission, building a top-of-class internal application, and instituting both offensive and defensive security teams.

But with every endeavor, it’s best to draw knowledge from a variety of sources. We launched our bug bounty programs almost five years ago, and have since benefited greatly from the wisdom and experience of the greater infosec community.

Community researchers play an integral role in ensuring we maintain the highest levels of security, and we want to make it as easy as possible to leverage the talent that this community has to offer.

To that end, I’m excited to announce we have a new Vulnerability Disclosure Policy (VDP), which draws on our lessons learned from past years.

We created this policy with the intent of standardizing our interactions with researchers and establishing clear expectations and guidelines with our community. It contains information on the scope, compensation details, legal considerations, and other details on what to expect when working with us to help improve our service.

The short version

You can review the full VDP document here, and our supplemental terms here. But below are a few high-level callouts to be aware of:

The basics

If you would like to publish your findings, the coordinated disclosure terms outlined in the document apply. Submit the report directly to us at disclosure@okta.com via PGP, or via another secure channel (such as Keybase or Signal) that we can provide after a proper email introduction.

On the other hand, if you would like to be rewarded for your submission, submit via Bugcrowd instead of emailing us. The standard disclosure terms apply.

Program scope

In-scope and out-of-scope targets are described in our Bugcrowd program terms. The same scope applies whether you are submitting a finding under standard disclosure terms through Bugcrowd, or the coordinated disclosure terms outlined in our policy.

Reporting guidelines

When researching and reporting a vulnerability, we ask that you adhere to some standard best practices. These include respecting our current application, respecting the data and content of our users and customers, acting in good faith to avoid privacy violations and the interruption or degradation of our services, submitting reports as quickly as possible, and giving us due time to process and respond to your submission.

Clarity and formatting

We ask that you write clear and concise reports to enable us to make a determination. Make sure to include your methodology, step-by-step instructions, and only submit after you verify your bug. We have included a recommended reporting template within the VDP to help provide guidance as to what we are looking for.

Let’s get started

Now, let’s see what you’ve got! We appreciate all security submissions from the research community and will address them as quickly as possible. Thank you for helping us make Okta the best it can be.

The post [Guest Post] Vulnerability Disclosure at Okta: Everything You Need to Know appeared first on Bugcrowd.

Bigbank Launches Vulnerability Disclosure Program
https://www.bugcrowd.com/blog/bigbank-launches-vulnerability-disclosure-program/
Mon, 10 Jun 2019 00:00:00 +0000

The blog is authored by Jaan Anvelt, Chief Information Security Officer at Bigbank.

We’re excited to launch our new Vulnerability Disclosure Program with Bugcrowd today! You can find the VDP page here.

Bigbank’s managed Vulnerability Disclosure Program enables the company to scale its crowdsourced security approach by providing a coordinated channel and framework for engaging and maintaining a positive relationship with the security researcher community.

Bigbank specializes in consumer loans and term deposits, and is 100% Estonian-owned, with its parent company and main office located in Estonia. The group has branches in Latvia, Lithuania, Finland, Sweden and Spain and operates as a cross-border service provider in Germany, Austria and the Netherlands. Given the nature of the business, cybersecurity has always been top of mind.

We first launched a self-managed vulnerability disclosure program about a year ago, and quickly realized that even without the monetary incentives a bug bounty offers, we could not handle the barrage of vulnerability submissions. Add to that the fact that the reports were inconsistent, did not include all the right information, and came through different channels.

With Bugcrowd on board as our partner, we can streamline the process for taking in vulnerability submissions. Much like a “neighborhood watch” for an organization’s internet assets, the program encourages security researchers to report something if they see something. Bugcrowd helps us handle incoming reports, filtering out false positives and duplicates and unifying the format of submissions.

We use the vulnerability data security researchers submit to us via our VDP program, and layer it with the findings we have from other sources. As a result, we have been able to identify systemic issues that we might not have otherwise discovered – and at a much faster rate. We are excited to expand this approach with Bugcrowd.

The post Bigbank Launches Vulnerability Disclosure Program appeared first on Bugcrowd.

[Guest Post] SoundCloud Takes its Bug Bounty Program Public
https://www.bugcrowd.com/blog/guest-post-soundcloud-takes-its-bug-bounty-program-public/
Thu, 18 Apr 2019 00:00:00 +0000

This blog post is authored by Tobias Schmidt, Security Engineer, SoundCloud.

SoundCloud is excited to announce the launch of its public bug bounty program with Bugcrowd — the #1 crowdsourced security platform. SoundCloud’s public program is open to Bugcrowd’s full Crowd of top, trusted whitehat hackers, and the company will award up to $1,500 per vulnerability identified on its website, API and mobile apps.

SoundCloud is the world’s largest open audio platform, powered by a connected community of creators, listeners, and curators on the pulse of what’s new, now, and next in culture. SoundCloud is home to the largest catalog in the world, with more than 200 million tracks from over 20 million creators.

Security is a top priority at SoundCloud, and we’re committed to keeping the community and its content safe. And, as a leading audio streaming platform, we’re prepared to handle a highly unusual set of security issues. These range from processing, transcoding, and formatting user-generated content without risking remote code execution, to detecting and blocking malware distribution and preventing illegitimate downloads and streaming access. Additionally, since the platform offers a highly social streaming experience with user-generated content and integrations, we have to be mindful of potential XSS and CSRF attacks.

As part of our commitment to our users, we’re focused on building state-of-the-art security monitoring and protection solutions for our platform. In order to balance that focus with the team’s operational work, we’re always looking at ways to improve our efficiency. And one of those ways is to have additional support for handling top-of-funnel security work for vulnerability reports. Examples of this work include triaging, reproducing, prioritizing, and resolving duplicates.

This is where Bugcrowd comes in. Bugcrowd’s community-driven vulnerability testing is a key tool for us to receive external testing on our services and platform, along with explicit pentesting by security agencies and our various internal automated tests and peer reviews. With Bugcrowd, the quantity and quality of vulnerability reports is higher than ever before. Many of Bugcrowd’s security testers follow the same news and read the same forums as malicious users, so they help us react to new attack vectors much faster.

Since using Bugcrowd, we’ve seen several benefits, including:

  • A significantly lowered barrier to reporting security vulnerabilities and increased quality in security vulnerability reports
  • Additional dedicated time to focus on building services specific to our needs
  • Having a known platform with clear processes, taxonomy, and rules that attract more professional researchers with more expertise
  • Increased confidence that critical issues are continuously being probed, identified, and addressed

We’re excited to take this next step in our crowdsourced security journey, taking our bug bounty program public. To engage in our program, take a look at our program brief: https://bugcrowd.com/soundcloud

The post [Guest Post] SoundCloud Takes its Bug Bounty Program Public appeared first on Bugcrowd.

Zilliqa Launches Public Bug Bounty Program
https://www.bugcrowd.com/blog/zilliqa-launches-public-bug-bounty-program/
Fri, 08 Feb 2019 00:00:00 +0000

The post Zilliqa Launches Public Bug Bounty Program appeared first on Bugcrowd.

(This guest post was authored by Han Wen Chua, Zilliqa.)

Zilliqa is the first public blockchain that has successfully implemented a sharded smart contract architecture. The trustless connections formed on Zilliqa’s blockchain are creating new ways of interacting and trading with each other, and we’ve only just begun unfolding its possibilities. Built with scalability in mind, we also hope to scale the adoption of this nascent technology by building an ecosystem that caters to the needs of the general public.

Given that blockchain handles important financial transactions, security is paramount for all the applications on blockchain and for the core protocol. Therefore, Zilliqa invites you to test and help secure our primary publicly facing assets – focusing on our cryptocurrency platform and smart contract language/implementation.

Bounties range from $150 to $5000 and are valid for a variety of public-facing applications and platforms. You can find more details here: https://bugcrowd.com/zilliqa

Given the blockchain’s decentralized nature, we’re huge believers in the power of community, and we have seen some really good examples of security improvements achieved with the help of the Bugcrowd community.

Bugcrowd matches the world’s most elite hackers to help leading organizations solve security challenges, protect customers, and make the digitally connected world a safer place.

We appreciate your efforts and hard work in making the internet (and Zilliqa) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

Get involved with SEEK’s $10K Bug Bounty Program | https://www.bugcrowd.com/blog/get-involved-with-seeks-10k-bug-bounty-program/ | Mon, 04 Feb 2019 00:00:00 +0000

The post Get involved with SEEK’s $10K Bug Bounty Program appeared first on Bugcrowd.

This blog first appeared on SEEK’s blog, and is authored by Julian Berton, SEEK security engineer.

Cyber criminals from around the world are continuously finding new and i̶n̶t̶e̶r̶e̶s̶t̶i̶n̶g̶ terrifying ways of breaking into websites that we rely on every day — stealing our personal information, which is typically then made public for the world to see! Businesses are breached so often that we now have websites to track these data breaches and to help customers discover if their personal information has been stolen. Personally Identifiable Information (PII) could be used to take over your identity and allow criminals to get into your bank account, apply for credit cards in your name or log in to your online accounts using breached website credentials, so it’s critical to keep this information safe!

SEEK has been protecting our customers’ information by running a Vulnerability Disclosure Program. It allows a whitehat security researcher who discovers a bug in our software to responsibly inform the product team so they can remediate the issue.

Our program has evolved over the last three years, starting out as a static website titled “Reporting Security Vulnerabilities” that directed researchers to use a security@seek.com.au email address to report vulnerabilities. Now, we have a service that offers researchers monetary rewards and recognition for reporting valid security vulnerabilities, commonly called a Bug Bounty Program.

Our private, invite-only Bug Bounty Program, run through Bugcrowd, has been a great addition to our software security program, with hundreds of top researchers from around the world selected to participate. So far researchers have reported over 100 valid vulnerabilities within our systems, and we’ve rewarded them with over $100,000 USD. The highest single reward is currently sitting at $10,000 USD, after we increased the rewards for discovering higher-risk vulnerabilities.

This year we are taking our Bug Bounty Program public to ensure our websites and services are secure. This means that anyone can now sign up and start testing our websites.

If you want to get involved, head to Bugcrowd and start testing!

https://bugcrowd.com/seek

For more information on setting up and running a Vulnerability Disclosure Program (VDP) or Bug Bounty Program (BBP), check out the guide here. Or to find out more about how our program has evolved, including examples of bugs submitted, check out the slides and recorded presentation from NDC 2017.

ARK and Bugcrowd Go Hunting! | https://www.bugcrowd.com/blog/ark-and-bugcrowd-go-hunting/ | Mon, 10 Dec 2018 00:00:00 +0000

The post ARK and Bugcrowd Go Hunting! appeared first on Bugcrowd.

This post originally appeared on ARK’s blog.

ARK is pleased to announce the acquisition of security and penetration testing services from Bugcrowd — the planet’s premier crowd sourced security platform! Highly skilled and trusted white hat hackers from all over the world will try to breach the ARK hull and attempt to expose vulnerabilities before they pose a risk to the ARK Ecosystem.

Working with Bugcrowd, ARK can tap into a global community of over 100,000 expert researchers who use varying techniques to identify 7 times as many critical issues, 80% faster than traditional solutions can.

The list of Bugcrowd customers includes world-class companies like Netflix, Tesla, Dash, Binance, Netgear, Pinterest, Atlassian, Invision, Motorola, Hewlett-Packard, Barracuda Networks, Western Union, Fiat/Chrysler, DigitalOcean, and the list goes on and on.

ARK is taking advantage of a full array of services offered by Bugcrowd, including both private and public programs. The private program should begin this week, while the public program will begin in early January 2019. Final features and further details will be announced later on when the public programs begin. First item on deck for testing will be the release of our new ARK v2 Core!

How it Works

A Bugcrowd Security Researcher discovers and submits a finding to Bugcrowd. The submission is reviewed for uniqueness, tested and reproduced, and once validated it is quickly escalated to the ARK Team. In turn, we review and patch the finding. Findings that may be critical are pushed to our team in under 24 hours. ARK can converse directly with the researchers, and we have access to all conversations between the security researchers and Bugcrowd. As a result, critical bugs get fixed and patched much sooner than less critical ones.

Vulnerability Rating Taxonomy

ARK will be using Bugcrowd’s VRT, a resource that outlines Bugcrowd’s baseline priority rating. Included are certain edge cases for vulnerabilities that are frequently seen. To arrive at this rating, Bugcrowd’s security engineers start with generally accepted industry impact and further consider the average acceptance rate, average priority, and commonly requested program-specific exclusions (based on business use cases) across all of Bugcrowd’s programs.

Bugcrowd’s VRT is an invaluable resource for bug hunters as it outlines the types of issues that are normally seen and accepted by bug bounty programs. We hope that being transparent about the typical priority level for various bug types will help program participants save valuable time and effort in their quest to make bounty targets more secure. The VRT can also help researchers identify which types of high-value bugs they have overlooked, and when to provide exploitation information (POC info) in a report where it might impact priority.

Why Crowd Sourced Security?

There is a disconnect between the motivations of network attackers and those of developers and security defenders. Crowdsourced security eliminates this imbalance by harnessing white hat security researchers to find and eliminate vulnerabilities, providing rapid and focused results. The most critical attack surfaces are examined, including web and API interfaces on server/cloud, mobile and IoT platforms. The security researchers are trusted and highly vetted, defusing the concerns about risk associated with crowdsourced security.

An External View

While the ARK team and the community know the blueprint of their ship quite well, it is often the eyes of outside examiners who can provide a fresh look from a different angle. Bugs and security vulnerabilities can be found that may never have been apparent to the ARK team. The massive increase in efficiency of crowd sourced pen-testing will allow ARK to reach maximum security in far less time than if we rely on an internal team. Ultimately, it is our highest priority to provide the most secure platform possible to the users of ARK.

If you are a young researcher who wants to learn more about the ways of cybersecurity, Bugcrowd offers a University program where you can learn the skills of the cyber jedi.

Follow ARK on social media (Twitter | Facebook | Reddit), join their community (Slack | Discord) and stay tuned to their blog on Medium and on Steemit.
