03 Jan Bugcrowd: A Comprehensive Guide for Companies and Hackers
Bug bounty programs have become an increasingly popular way for companies to identify and fix vulnerabilities in their systems and applications.
These programs offer financial rewards to white hat hackers who can find and report bugs rather than take advantage of them. Several platforms facilitate bug bounty programs; one of the most well-known is Bugcrowd.
What is Bugcrowd?
Bugcrowd is a crowdsourced security platform that connects companies with a global network of white hat hackers. Hackers can participate in a wide range of bug bounty programs and earn rewards for finding and reporting security vulnerabilities.
History of Bugcrowd
Bugcrowd was founded in 2012 by Casey Ellis, who saw the potential for a platform that could bring together companies and hackers in a mutually beneficial way. Since its inception, Bugcrowd has become one of the leading bug bounty platforms.
In a short 10-year period, they have grown their internal staff to over 250 employees, with offices in San Francisco, London, and Costa Rica. They have also raised $83M in venture capital, which has helped them grow their market share and build out the platform.
Today, Bugcrowd’s customer base has expanded to over 600 companies across 30 industries and 43 countries. More than 275,000 ethical hackers reportedly contribute to security research on the platform.
How does Bugcrowd work?
Bugcrowd is a platform that connects companies with ethical hackers and offers various services. This section will focus on its core function of facilitating bug bounty programs. Let’s first dive into how Bugcrowd works to service companies.
Companies can use Bugcrowd to launch a bug bounty program or supplement their security efforts.
To do so, they submit a request through Bugcrowd’s website. This opens a conversation with a Bugcrowd specialist, who works with the company to identify the solutions that best suit its needs and provides a cost outline tailored to its requirements.
Bugcrowd’s Managed Bug Bounty Programs give companies access to a diverse community of skilled security researchers. The platform uses machine learning to match researchers to relevant programs. In addition, Bugcrowd offers automated workflows and managed triage, and can integrate directly with a company’s software development life cycle.
Companies can leverage insights from a wealth of security knowledge gathered over the past decade from Bugcrowd. This, plus payment and vulnerability management tools with detailed reporting, makes Bugcrowd an attractive platform for companies focused on proactively testing systems for potential weaknesses.
Bugcrowd provides an opportunity for hackers to use their skills and expertise to find and report vulnerabilities in the systems of various companies.
Hackers can sign up to be a part of Bugcrowd’s network by creating a profile. Once the profile is activated, they can participate in public bug bounty programs and earn rewards for any vulnerabilities they find and report.
Hackers can work with various companies and industries through Bugcrowd’s platform, allowing them to continually test and improve their skills while also making a positive impact and earning financial rewards.
Bugcrowd also offers a leaderboard feature that ranks its top hackers. This leaderboard is updated in real-time and considers the number and severity of vulnerabilities found and reported by each hacker.
Top hackers on Bugcrowd can earn achievements and are often invited to participate in private programs. These private programs offer the opportunity to work on high-profile projects and earn even more significant financial rewards.
Additionally, hackers can leverage Bugcrowd University, an educational hub. Bugcrowd University aims to provide hackers with the knowledge and skills needed to be successful on the Bugcrowd platform and in the broader field of cybersecurity. The resources include expert content surrounding ethical hacking, penetration testing, and web application security.
Success stories and case studies
Bugcrowd has helped numerous companies across various industries identify and fix vulnerabilities in their systems through its crowdsourced security platform.
At the same time, it has provided a way for white hat hackers to use their skills and expertise to make a positive impact and earn financial rewards.
Below are a few examples of the successes of both companies and hackers on the Bugcrowd platform.
Success stories from companies:
- Atlassian is a multinational technology company that provides a range of software products and services for collaboration, project management, and issue tracking. Since 2017, they have successfully resolved over 1800 vulnerabilities thanks to reports made on Bugcrowd.
- Indeed is a job search website that allows job seekers to search for job openings and post resumes. The website is available in more than 60 countries and 28 languages, making it one of the largest and most widely used job search websites in the world. To date, they have successfully resolved over 1600 vulnerabilities due to security research on Bugcrowd.
- 1Password announced it is increasing its top bug bounty reward to $1 million after paying out $103,000 to Bugcrowd researchers since 2017. This story gained some secondary publicity due to LastPass security issues.
Success stories from hackers:
- @todayisnew earned accolades as the Submission Shogun on Bugcrowd, which is awarded to the contributor with the highest total number of valid submissions. In 2018, @todayisnew submitted 2584 vulnerability reports.
- @mert, an ethical hacker from Turkey, has submitted over 2600 vulnerabilities on Bugcrowd, earning a Bounty Bee Level 8 achievement.
- From the series Inside the Mind of a Hacker, Bugcrowd hacker @PhillipWylie said that “bug hunting has allowed him to help others further.” Watch the full video interview here.
These success stories demonstrate the value that Bugcrowd brings to companies and hackers.
Companies can improve the security of their systems and protect their customers’ data. Hackers can use their skills to make a positive impact and earn financial rewards. Bugcrowd’s platform serves as a win-win for both parties, and it is no surprise that it has become one of the leading bug bounty platforms in the industry.
Pros and Cons of Bugcrowd
While Bugcrowd can provide a tremendous opportunity for companies and hackers to unite, it does come with some potential drawbacks.
Pros for Companies:
- Access to a global network of experienced and skilled hackers.
- The ability to set the scope and rules of the program, as well as the financial rewards.
- The option to receive ongoing testing and coverage rather than a one-time security audit.
Cons for Companies:
- The cost of the program can be a significant expense for some companies.
- Coverage is not guaranteed. Researchers choose what they test, so vulnerabilities in less attractive or harder-to-reach parts of the scope may go undetected; a bounty program complements, rather than replaces, structured security testing.
- There is a risk that a researcher discloses a vulnerability publicly before the company has had a chance to fix it. Programs should state their disclosure terms and response timelines in the program brief so expectations are clear on both sides. (To mitigate this risk, read our article on best practices for responsible disclosure.)
Pros for Hackers:
- The opportunity to use their skills and expertise to make a positive impact and earn financial rewards.
- The chance to work with a variety of companies and industries.
- Access to training and education through Bugcrowd University.
Cons for Hackers:
- Competition for rewards can be high, as many hackers may participate in a single program.
- The time and effort required to search for and report vulnerabilities may not always result in a reward.
- Some programs may have strict rules or requirements that can be difficult to meet.
Frequently Asked Questions
What is Bugcrowd used for?
Companies use Bugcrowd to identify and fix vulnerabilities in their systems and applications through a bug bounty program.
Is Bugcrowd free?
No, Bugcrowd charges a fee for its services, which includes access to its network of hackers and the tools and support needed to run a successful bug bounty program.
Where is Bugcrowd based?
Bugcrowd is based in San Francisco, California.
How does Bugcrowd pay?
Hackers are paid for their efforts through the financial rewards set by the companies running the bug bounty program. Bugcrowd handles the payment process and ensures that hackers are paid promptly.
Is Bugcrowd CREST certified?
Yes, Bugcrowd is a CREST-accredited service provider. CREST is a non-profit organization that sets standards and best practices for the technical security industry.