Bugcrowd News Archives | Bugcrowd
https://www.bugcrowd.com/blog/category/bugcrowd-news/
#1 Crowdsourced Cybersecurity Platform
Feed last updated: Wed, 24 Jan 2024 13:59:14 +0000

Inside the Platform: Bugcrowd’s Vulnerability Trends Report
https://www.bugcrowd.com/blog/inside-the-platform-bugcrowds-vulnerability-trends-report/
Wed, 24 Jan 2024 13:50:53 +0000

We’re three weeks into January, which means we’ve hit the time of the year when New Year’s resolutions have inevitably been forgotten, Dry January has been abandoned, and we’re all just trying our best to get through the rest of winter in one piece. But what if we told you that we have a surprise that might make your January a little less dreary and might even help you achieve your New Year’s cybersecurity resolutions? 

We’re absolutely ecstatic to release our flagship annual report: Inside the Platform: Bugcrowd’s Vulnerability Trends Report. You may remember this piece based on its previous name: Priority One. 

What is Inside the Platform?

Inside the Platform is a magazine-style piece that features an analysis of all the crowdsourced security vulnerability submissions handled through the Bugcrowd Platform in 2023. The report leverages these data to offer trends and insights for CISOs and security leaders. 

Specifically, the report looks at vulnerability submission data from every possible angle to attempt to predict the future of cybersecurity. In writing this report, we examined overall submissions, critical submissions, payout data, notable targets, VRT categories, and public vs. private programs. We also broke down the data into six key industry categories. Using this analysis, we forecasted trends and made recommendations on what levers to pull in a crowdsourced security program to achieve success. 

The report also includes qualitative interviews with Bugcrowd customers, thought pieces on the value of an open scope program and how different hacker roles contribute to crowdsourced security, social media spotlights, legal work being done to make hacking safer, and more. 

Key takeaways from Inside the Platform

The 12 articles that make up Inside the Platform are jam-packed with data, but here are five highlights:

  1. Higher Rewards—The most successful programs were those that offered higher rewards (e.g., $10,000 or more for P1 vulnerabilities).
  2. Open Scope—Programs with open scopes saw 10x more P1 vulnerability submissions than those with limited scopes. 
  3. Vulnerability Submissions by Industry—The government sector experienced a 151% increase in vulnerability submissions and a 58% increase in the number of P1s rewarded in 2023 compared to 2022. 
  4. P1 Payouts by Industry—The financial services industry and government sector offered the highest median payouts for P1 vulnerabilities ($10,000 and $5,000, respectively). 
  5. AI—A new AI-related category was added to Bugcrowd’s Vulnerability Rating Taxonomy (VRT). This addition reflects the profound influence that AI has had and will have on the threat environment and the ways that hackers, customers, and the Bugcrowd triage team view certain vulnerability classes and their relative impacts. 

Where to find more information

The report is live! Keep an eye on our social media for breakdowns of the report from experts at Bugcrowd, plus a webinar next month.

Announcing Our Latest Vulnerability Rating Taxonomy Update
https://www.bugcrowd.com/blog/announcing-our-latest-vulnerability-rating-taxonomy-update/
Mon, 27 Nov 2023 16:00:14 +0000

Since 2017, Bugcrowd has been the maintainer of the Vulnerability Rating Taxonomy (VRT), an open-source effort to classify and prioritize submissions on the Bugcrowd Platform in an industry-standard way. The VRT is a simple-to-use, non-prescriptive, and evolving method for assigning severity levels to specific vulnerability classes. Adopting an open-source approach enables us to keep our ear to the ground, ensuring that the taxonomy stays aligned with the market. Since the VRT’s creation, hundreds of thousands of vulnerability submissions on the Bugcrowd Platform have been created, validated, triaged, and accepted by program owners under this rubric.

Over time, the attack surface and the submissions associated with the VRT evolve, as do the needs of hackers and customers, so the VRT needs to grow and change too. In that spirit, we are pleased to announce the latest release, VRT version 1.11, which will roll out on the Bugcrowd Platform and be reflected in our submission form shortly.

Overview of changes

This release includes several updates. As the list below shows, they reflect changes in the threat environment and in how hackers, customers, and the Bugcrowd triage team now view certain vulnerability classes and their relative impacts.

New Top-Level Category: Cryptographic Weaknesses
A new category has been added to cover all common flaws in the cryptography area. This approach will help guide hackers when submitting a report about a specific weakness – such as insufficient entropy, predictable PRNG or IV, missing cryptography steps, timing attacks, or insufficient key stretching, to name just a few.
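To make the new category concrete, here is an added example (not Bugcrowd or VRT code; the function names and the timestamp are made up) that puts three of the weakness classes named above, a predictable PRNG, a timing-unsafe comparison and unstretched password hashing, next to their hardened forms, and shows how an attacker exploits the first one:

```python
# Added illustration for three of the weakness classes the new VRT category
# names; this is not Bugcrowd or VRT code, and the function names are made up.
import hashlib
import hmac
import random
import secrets
from typing import Optional, Tuple


# --- Insufficient entropy / predictable PRNG ---------------------------------

def weak_reset_token(seed_time: float) -> str:
    """Password-reset token drawn from random.Random seeded with a timestamp.

    random.Random is a Mersenne Twister, not a CSPRNG, and the seed space is
    tiny: anyone who knows roughly when the token was issued can reproduce it.
    """
    rng = random.Random(int(seed_time))
    return "%032x" % rng.getrandbits(128)


def strong_reset_token() -> str:
    """128 bits from the OS CSPRNG; there is no seed to guess."""
    return secrets.token_hex(16)


def attacker_recovers_token(token: str, observed_time: float, window: int = 60) -> bool:
    """Replay the weak generator for every whole second within +/- window of the
    time the attacker saw the reset e-mail go out. True on a match."""
    base = int(observed_time)
    return any(weak_reset_token(base + d) == token for d in range(-window, window + 1))


# --- Timing attacks on secret comparison ------------------------------------

def weak_compare(expected: bytes, supplied: bytes) -> bool:
    """Returns at the first differing byte, so response time grows with the
    length of the matching prefix and can be measured remotely."""
    if len(expected) != len(supplied):
        return False
    for x, y in zip(expected, supplied):
        if x != y:
            return False
    return True


def strong_compare(expected: bytes, supplied: bytes) -> bool:
    """Constant-time comparison from the standard library."""
    return hmac.compare_digest(expected, supplied)


# --- Insufficient key stretching -------------------------------------------

def weak_password_hash(password: str) -> str:
    """One unsalted SHA-256: crackable at billions of guesses per second on a
    GPU, and identical passwords yield identical hashes across users."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_password_hash(password: str, salt: Optional[bytes] = None,
                         iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a high iteration
    count. Argon2id or scrypt are preferable; PBKDF2 is used here only because
    it ships with the standard library."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = 600_000) -> bool:
    """Re-derive and compare in constant time."""
    _, derived = strong_password_hash(password, salt, iterations)
    return strong_compare(stored, derived)


if __name__ == "__main__":
    issued_at = 1_700_000_000.0  # constructed timestamp for the demo
    tok = weak_reset_token(issued_at)
    print("weak token recovered:", attacker_recovers_token(tok, issued_at + 7))
    print("strong token recovered:", attacker_recovers_token(strong_reset_token(), issued_at + 7))
    salt, dk = strong_password_hash("hunter2", iterations=1_000)
    print("verify ok:", verify_password("hunter2", salt, dk, iterations=1_000))
```

A report in this category is strongest when it shows the attacker's side, as attacker_recovers_token does for the weak token: the triage question is not "is this construction theoretically weak" but "what can a remote party do with it".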

Multiple Category Updates: Insecure Direct Object Reference (IDOR)
This category has been a thorn in the side of hackers for a while: a single IDOR category with the priority ‘Varies’ is frustrating, especially when the finding has demonstrated impact. Additionally, without a default priority, a program owner could be left more exposed than they would be if the finding were rated P1.

Therefore, we’ve added several specific variants to the category:

  • P1 – Read Personal Data (PII) – Iterable Object Identifiers
  • P2 – Modify/Delete Sensitive Data – Iterable Object Identifiers
  • P2 – Read Personal Data (PII) – GUID/Complex Object Identifiers
  • P3 – Modify/Delete Sensitive Data – GUID/Complex Object Identifiers
  • P4 – Read Sensitive Data – GUID/Complex Object Identifiers
  • P5 – Read Non-Sensitive Information

This change should cover most common IDOR cases. However, hackers who find something that isn’t in these specific variants can always select the top-level category and appropriate adjustments will be made by our triage team.
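As an added illustration (not Bugcrowd code; the store, users and GUIDs are constructed), the following shows why the variants separate iterable identifiers from GUIDs: the same missing ownership check is far easier to exploit when IDs can be walked sequentially, and swapping in GUIDs reduces exploitability without removing the bug:

```python
# Added illustration of the IDOR variants listed above: one handler without an
# ownership check (the bug) beside its fixed form, run against two constructed
# stores, one keyed by iterable integer IDs and one by GUIDs. Not Bugcrowd code;
# names and sample data are made up.
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable


@dataclass
class Profile:
    owner: str
    pii: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised for both 'not found' and 'not yours' so the response does not
    tell a caller which object IDs exist."""


# Constructed sample data: three users, one profile each.
ITERABLE_STORE: Dict[int, Profile] = {
    1: Profile("alice", {"email": "alice@example.com", "dob": "1990-01-01"}),
    2: Profile("bob", {"email": "bob@example.com", "dob": "1985-06-15"}),
    3: Profile("mallory", {"email": "mallory@example.com", "dob": "1992-03-03"}),
}
ALICE_GUID = "8c5d9a4e-3f1b-4c7e-9a2d-1e6f5b8a7c3d"  # fixed so the demo is repeatable
GUID_STORE: Dict[str, Profile] = {
    ALICE_GUID: ITERABLE_STORE[1],
    "2b7f1c9d-6e4a-4f8b-b3c5-9d0e7a1f2c4b": ITERABLE_STORE[2],
    "f4a3e2d1-c0b9-4a8f-8e7d-6c5b4a3f2e1d": ITERABLE_STORE[3],
}

Handler = Callable[[Dict, str, Hashable], dict]


def get_profile_vulnerable(store: Dict, current_user: str, object_id: Hashable) -> dict:
    """Authenticated endpoint that trusts the object ID in the request: any
    logged-in user can read any profile. This is the IDOR."""
    profile = store.get(object_id)
    if profile is None:
        raise Forbidden()
    return profile.pii


def get_profile_fixed(store: Dict, current_user: str, object_id: Hashable) -> dict:
    """Same lookup plus the missing ownership check."""
    profile = store.get(object_id)
    if profile is None or profile.owner != current_user:
        raise Forbidden()
    return profile.pii


def denied(handler: Handler, store: Dict, user: str, object_id: Hashable) -> bool:
    """True if the handler refuses the request."""
    try:
        handler(store, user, object_id)
    except Forbidden:
        return True
    return False


def enumerate_iterable_ids(store: Dict, attacker: str, handler: Handler,
                           max_id: int = 50) -> Dict[int, dict]:
    """Attacker walks sequential IDs. Returns every profile the handler gave up."""
    leaked = {}
    for object_id in range(1, max_id + 1):
        try:
            leaked[object_id] = handler(store, attacker, object_id)
        except Forbidden:
            pass
    return leaked


def guess_guids(store: Dict, attacker: str, handler: Handler,
                attempts: int = 10_000) -> Dict[str, dict]:
    """Same attack against version-4 GUID keys: 122 random bits per key, so
    blind guessing finds nothing. The bug is still present, which is why the
    VRT rates the GUID variant lower rather than as not-a-bug."""
    leaked = {}
    for _ in range(attempts):
        candidate = str(uuid.uuid4())
        try:
            leaked[candidate] = handler(store, attacker, candidate)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable, iterable IDs:", sorted(enumerate_iterable_ids(ITERABLE_STORE, "mallory", get_profile_vulnerable)))
    print("fixed, iterable IDs:", sorted(enumerate_iterable_ids(ITERABLE_STORE, "mallory", get_profile_fixed)))
    print("vulnerable, GUIDs, blind guessing:", guess_guids(GUID_STORE, "mallory", get_profile_vulnerable))
    print("vulnerable, GUIDs, leaked ID:", get_profile_vulnerable(GUID_STORE, "mallory", ALICE_GUID))
```

The last line of the demo is the point of the P2 GUID variant: once a GUID leaks through some other channel (a shared link, a log, another endpoint), the vulnerable handler hands over the record just the same, so the fix is the ownership check, not the identifier format.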

New Variant: HTML Injection
The existing P4 ‘Email HTML Injection’ variant receives a lot of false-positive submissions from hackers submitting HTML injection in a web application. We did a lot of research on this category, reviewing the outcomes from the P4 false positives and how many led to accepted submissions and resulted in fixes. The answer was: not very many. As a result, the new category for these is considered P5, and you’ll find it under the existing ‘Content Spoofing’ specific vulnerability name. We’ll update existing submissions under the old P4 variant to the new P5 one, accordingly.

Update To Existing Category: Server-Side Request Forgery (SSRF) – External
We reviewed a number of SSRF findings across the existing P4 variant ‘External – Low Impact’. Most of these submissions are not accepted by customers, as they typically arise from intended functionality such as a webhook or image download. As a result, we have moved this category to the P5 level. 

New Specific Vulnerability: HTTP Request Smuggling
Thanks to amazing work by James Kettle at PortSwigger, this category has been revitalized across the internet. We see this vulnerability reported on a daily basis, but more often than not, it has low impact – so, we’re introducing it at the ‘Varies’ priority level in the ‘Server Security Misconfiguration’ category. The triage team will adjust affected submissions as needed.

New Specific Vulnerability: LDAP Injection
While certainly not the most reported vulnerability we see, LDAP Injection was a conspicuous omission in previous versions of VRT. We’ve remedied that by adding it to the ‘Server Side Injection’ category. 

Modified Specific Vulnerability: PII Leakage
The existing ‘PII Leakage’ category is commonly misused, with many hackers simply searching for ‘PII’ in the VRT selection box and selecting this category regardless of whether the specific vulnerability is related to automotive security. As a result, the existing category under ‘Automotive Security Misconfiguration – Infotainment’ has been changed from ‘PII Leakage’ to ‘Sensitive Data Leakage/Exposure’, retaining its usability for automotive submissions specifically.

A new vulnerability called ‘PII Leakage/Exposure’ with the default priority of ‘Varies’ has also been added to the category ‘Sensitive Data Exposure’. We believe that a ‘Varies’ priority is important here because not all instances of PII – a single email address in an AEM response, for example – are a P1 by default. However, the triage team will adjust submissions to a P1 as needed.

Deprecated Specific Vulnerabilities and Variants
The existing P4 variant ‘Cross-Site Scripting – IE-Only / IE11’ has been removed, and the existing P5 variant ‘Cross-Site Scripting – IE Only < IE11’ has been modified to cover all versions of IE. These changes have been pending for some time because Microsoft retired Internet Explorer 11 in 2022.

New Specific Vulnerability: On Permission Change
This vulnerability (a session that stays valid after the user’s permissions change) is documented by OWASP and other sources, but is very use-case specific. To support those customer use cases, we’ve added it to the ‘Failure to Invalidate Session’ variant of ‘Broken Authentication and Session Management.’

This is a healthy, albeit not major, update to the VRT, with contributions from hackers in the Bugcrowd community, our triage team, and our customers. There is still more work to be done, so you’ll hear from us again soon about additional changes that reflect the evolving environment.

Why contribute to the VRT?

As we said in the introduction, an open-source governance model helps the VRT evolve at a pace and in concert with the changing environment, but that only happens if hackers and customers actively participate in the process. Contributions to the repository are reviewed by the VRT Council, which meets regularly to discuss new vulnerabilities, edge cases for existing vulnerabilities, priority-level adjustments, and general validation experiences. When the team comes to a consensus regarding a proposed change, it is committed to the master branch.

If you would like to contribute to the VRT, Issues and Pull Requests on the repository (https://github.com/bugcrowd/vulnerability-rating-taxonomy) are most welcome!

Inside the Mind of a Hacker: 2023 Edition
https://www.bugcrowd.com/blog/inside-the-mind-of-a-hacker-2023-edition/
Wed, 12 Jul 2023 12:59:23 +0000

The wait is finally over—we’re happy to announce that the 2023 edition of Inside the Mind of a Hacker is here! When Bugcrowd first started releasing this annual report years ago, it quickly gained popularity across the security industry as the gold standard for demographics, trends, and motivations within the hacker community. We’re sure this year’s version won’t disappoint. 

This edition analyzed 1000 survey responses from hackers on the Bugcrowd Platform, in addition to millions of proprietary data points on vulnerabilities collected across thousands of programs. 

We’re happy to see that some of the dated stereotypes of hackers (we’re looking at you, basements and hoodies) are going away. In fact, 89% of hackers believe that companies are increasingly viewing hackers in a more favorable light. This report continues to clear through the fog and mystery around hackers and crowdsourced security as a whole, helping organizations understand how to partner with hackers as an extension of their often under-resourced security team. 

Another exciting part of this edition is a special feature on security in the age of generative AI. The internet is full of fear-mongering articles covering the terrifying consequences AI could have on cybersecurity, but what about ways hackers can use AI to make the world a safer place? We dig into how hackers are using AI technologies to increase the value of their work.

Key Learnings

1. Even in an uncertain economy, the motivations of hackers remain altruistic. 

There is a misconception that hackers, even the ethical kind, are only after money. For many of them, hacking is their full-time career, so of course financial factors are major motivators. However, time and time again, data shows that the heart of hacking is much more complex. 75% of hackers identify non-financial factors as their main motivators to hack and 87% of hackers believe that reporting a critical vulnerability is more important than trying to make money from it. 

2. Top hackers consider generative AI as a tool to leverage, not a threat. 

72% of hackers do not believe AI will ever replicate their human creativity. Although some hackers are concerned about generative AI making their skills irrelevant, many of Bugcrowd’s top hackers disagreed. According to Nerdwell, “If you’re stagnant and don’t grow your skills, then maybe you should be worried about AI, but if you embrace it and use it as a tool, then I believe you’ll likely become even more valuable.” 

3. CISOs are taking generative AI seriously.  

This edition spotlights two CISOs and surveys many others. We found that across the board, CISOs are already considering the potential cybersecurity risks of generative AI. They are approaching these concerns from a technical side, such as data poisoning and prompt injection concerns, and wider issues, such as implications on privacy and traceability. 

Besides new statistics and learnings like the ones in the infographic above, you can also expect to have a little bit of fun reading this report. From in-depth interviews to quizzes to posters, Inside the Mind of a Hacker feels more like a thought provoking magazine than a traditional report. Download it today to learn why organizations can trust hackers to secure their future with confidence.

Bugcrowd Earns CSA STAR L1 Certification
https://www.bugcrowd.com/blog/star-l1-certification/
Fri, 30 Jun 2023 16:00:07 +0000

We are stoked to share that Bugcrowd is now CSA STAR Level 1 (L1) accredited, solidifying our commitment to upholding the highest security standards for our customers. CSA STAR Level 1 accreditation is a testament to Bugcrowd’s robust security practices, rigorous risk management, and commitment to protecting the integrity and confidentiality of our clients’ data. It underscores our continuous efforts to provide a secure and reliable cloud-based platform that organizations can trust.

What is a CSA STAR Certification?

The Cloud Security Alliance’s Security, Trust, Assurance, and Risk (STAR) program is a public registry in which cloud service providers document their security practices. STAR has two levels: Level 1 is a self-assessment, in which the provider completes the Consensus Assessments Initiative Questionnaire (CAIQ) against the CSA’s Cloud Controls Matrix and publishes it in the registry; Level 2 adds third-party certification or attestation. A provider listed in the registry gives customers a documented, comparable view of how it secures data in its cloud applications.

The CSA’s STAR Program combines the controls and best practices laid out in other information security standards (e.g., ISO/IEC 27001:2013) with the CSA’s own Cloud Controls Matrix (CCM, the CSA’s cybersecurity control framework covering all aspects of cloud technology) to create one of the most comprehensive cloud security control sets in the industry.

The Benefits of CSA STAR Accreditation

It all comes down to trust. It means that when you partner with Bugcrowd, you can rest assured that your sensitive information and critical assets are in safe hands. Our comprehensive security controls, designed to align with industry best practices, are there to protect your data.

By achieving a CSA STAR Level 1 listing, we have assessed and documented our security practices, policies, and procedures against the CSA’s Cloud Controls Matrix and published the results. This showcases our dedication to transparency and accountability, as we meet the requirements set forth by the CSA.

Final Thoughts on CSA STAR L1

Bugcrowd’s commitment to cloud security extends beyond mere compliance. We continuously invest in cutting-edge technologies, stay abreast of evolving threats, and leverage industry-leading security frameworks to fortify our platform. Our team of skilled security professionals is dedicated to maintaining a robust security posture, detecting vulnerabilities, and promptly addressing any potential risks.

With the achievement of CSA STAR L1, Bugcrowd is now even better positioned to provide tangible proof of our commitment to upholding the highest cloud security standards. This certification not only demonstrates our dedication to maintaining best-in-class security practices but also enables us to offer our customers a higher level of trust and assurance in our services.

Meet Bugcrowd at Infosecurity Europe 2023
https://www.bugcrowd.com/blog/meet-bugcrowd-at-infosecurity-europe-2023/
Fri, 16 Jun 2023 18:45:33 +0000

Infosecurity Europe is less than two weeks away. Are you coming?

Bugcrowd is—and there are many chances for you to connect with us from June 20–22 at ExCeL London:

  • Meet members of Bugcrowd’s senior team, including co-founder Casey Ellis at the Aloft London Excel Hotel next door. Discuss your challenges, and learn how the Bugcrowd Platform can help.
  • Get your hands on some Bugcrowd swag, and ask us your burning questions about crowdsourced cybersecurity—also at Aloft London Excel.
  • On Tuesday evening, join our reception at Tapa Tapa Restaurant for laid-back networking with complimentary drinks and tapas, plus fireside talks with a Bugcrowd customer and hacker.

See the event page for details, and reserve your place.

Among the members of Bugcrowd’s senior team attending Infosecurity is Emily Ferdinando, Vice President of Marketing, and one of our newest hires: Vlad Nisic. We say, “newest hires,” but you may recognize his name. Between March 2016 and October 2019, Vlad was Vice President of Sales (EMEA & USA East) for Bugcrowd. After a three-and-a-half year absence, Vlad has returned to Bugcrowd, this time as VP sales for EMEA & APAC.

If you knew Vlad during his first term with Bugcrowd, say hi again. If you didn’t, do introduce yourself and tap into his 25+ years of experience in IT, information security, and digital transformation. Cybersecurity has never been more important, so there’s plenty to talk about!

Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence
https://www.bugcrowd.com/blog/ptaas-takes-home-five-awards/
Thu, 11 May 2023 17:15:02 +0000

Since launching new self-service capabilities within our Penetration Testing as a Service offering last month, we’ve already seen wide recognition of the technology’s ability to empower buyers to purchase, set up, and manage pen tests directly online, cutting out the need for lengthy sales calls and scoping sessions. 

In 2023 alone, Bugcrowd, and in particular these new PTaaS capabilities, has won five distinct industry awards. This string of wins demonstrates Bugcrowd’s persistence in delivering industry-leading solutions to the market and serves as validation of Bugcrowd as an accomplished and preeminent organization in cybersecurity.

Most recently, our team was recognized by Cyber Defense Magazine’s Global InfoSec Awards as a Hot Company in the Penetration Testing Category for our PTaaS capabilities, along with being recognized as a Gold Winner in the 19th Annual Globee® Cyber Security Awards for the technology. Additionally, Bugcrowd PTaaS was recognized as the Gold Winner in the Pentest-as-a-Service category in the 2023 Cybersecurity Excellence Awards among North American companies between 1,000 and 5,000 employees.

As an organization, we took home two more wins in the Cybersecurity Excellence Award program with recognition as Gold Winner for Cybersecurity Provider of the Year and Silver Winner for Best Cybersecurity Company.

For one, I am so proud to see all of these incredible wins. It’s a huge testament to our stellar team and technology! At Bugcrowd, we are committed to delivering the very best crowdsourced solutions to our customers and ultimately fulfilling our mission to democratize security testing for all.

Our team has taken major strides over the past year to carry out this mission, including a major upgrade to our PTaaS offering, all aimed at staying at the forefront of innovation and leadership in a very saturated cybersecurity market. With a surge of vendors offering security testing solutions, a common concern we hear is that the vulnerability assessments on the market today are often shallow and low impact.

Our goal was to provide a human-driven, high-impact pen test with a team matched to the buyer’s precise needs in just a few clicks, cutting configuration time from days to hours. These award wins validate our work and the direction we’ve been laser-focused on. By focusing our priorities on our employees, the hacker community, partners, and vendors, we are excited to build on this momentum throughout 2023!

To learn more about our award-winning PTaaS offering, which is now available globally, visit https://www.bugcrowd.com/products/pen-test-as-a-service/.

RSA Conference Recap: The Security Impacts of Artificial Intelligence
https://www.bugcrowd.com/blog/rsa-conference-recap-security-impacts-of-artificial-intelligence/
Thu, 04 May 2023 16:12:11 +0000

By Dave Gerry, Chief Executive Officer, Bugcrowd

At the recent RSA Conference in San Francisco, I was struck by how many conversations revolved around the rapid uptake of generative artificial intelligence technologies by businesses of all kinds. Everyone at the show seemed to have a viewpoint about what the big AI transformation would mean for the future of cybersecurity.

As far as innovations in the evolution of the human-computer interface go, generative AI is the most exciting thing to come out in recent times. When Bugcrowd published its annual Inside the Mind of a Hacker report in 2020, 78% of global researchers believed they would outperform AI for the next ten years. I expect that a much lower percentage still feel that way today, based on the massive hype surrounding generative AI.

I believe that safety and privacy should continue to be top concerns for any tech company, regardless of whether it is AI focused or not. And when it comes to AI, the priority should be to ensure that the learning model has the necessary safeguards, feedback loops, and most importantly, the right mechanisms to highlight any safety concerns raised by the broader community.

As organizations rapidly adopt AI for efficiency, productivity, and the democratization of data, it’s important to ensure that there is a reporting mechanism to surface any related concerns. Human oversight and decision-making are crucial to safeguard the accuracy and ethics of these technologies, as well as to provide necessary contextual knowledge and expertise. On the upside, leveraging AI has the potential to significantly improve the productivity and efficiency of security experts. Generative AI technologies are already enabling defenders to rapidly disrupt adversaries. ChatGPT and similar AI technologies can provide leverage by analyzing data, detecting anomalies, and distilling insights to identify threats and point toward potential risks. 

It is unlikely that AI will completely take over cybersecurity functions, as human operators bring creativity and ethical decision-making to the task, skills which will be difficult if not impossible to fully replace with AI. That said, AI will continue to play an increasingly important role in cybersecurity as it becomes more advanced, and a human-machine combination will be necessary to effectively defend against evolving threats. And while AI won’t replace human creativity and resiliency, it does hold the potential to fill some of the current talent gaps we see in the industry by automating tasks that will allow human defenders to focus on higher value activities. 

Organizations today face more cyber threats than at any point in history, and this problem is only going to increase as the attack surface expands and hackers continue to adapt. Arming defenders with the capabilities to move faster in the face of these attacks will be critical to leveling the cybersecurity playing field. 

Now is the time to set aside competition to work in a tightly coordinated way to promote widespread adoption of best practices that enhance transparency to protect people. To learn more about your hidden vulnerabilities, I encourage you to reach out to us for a conversation. 

OpenAI’s collaboration with Bugcrowd

OpenAI has partnered with Bugcrowd to manage the submission and reward process of its bug bounty program.

#StrongerTogether #RSAC2023

Attending Black Hat Asia? Come visit us at booth #A01.

The UK’s Computer Misuse Act (1990) is up for revision. It’s time for ethical hackers to submit your views
https://www.bugcrowd.com/blog/uk-computer-misuse-act-1990/
Tue, 28 Mar 2023 00:09:49 +0000

We all need to stand up to make the Internet a safer place 

The UK’s Computer Misuse Act, under which most UK hacking prosecutions are made, came into force in 1990 – about one year after the introduction of the world wide web. Since then, of course, cyberspace has evolved beyond all recognition! The UK Government is currently consulting on how the Act can be updated to – as the consultation itself puts it – “identify and understand whether there is activity causing harm in the area covered by the CMA that is not adequately addressed by the current offences”.

Why it matters:

One of the issues on which respondents are invited to comment is the potential for a statutory legal defence for hacking if such activities had good-faith/benevolent motives. The UK’s Home Office – which has responsibility for the consultation – has already indicated that such a legal defence could “advance our whole of society approach to cyber security”. Simultaneously, however, it is wary of the potential for unintended consequences.

Of course, this is an area of very great interest to me, to Bugcrowd, and to our crowd of cybersecurity researchers or ethical hackers. Poor legal protection for ethical hackers creates a chilling effect whereby those who could contribute to making the Internet a safer place are afraid to do so in the first place.

A view from the top:

In Bugcrowd’s view, the UK needs to think along the same lines as the United States, which has already clarified protection for legitimate security research: the Supreme Court’s 2021 ruling in Van Buren v. United States narrowed the reach of the Computer Fraud and Abuse Act, and in 2022 the Department of Justice revised its charging policy to state that good-faith security research should not be prosecuted. The UK needs a revised Act that not only better defines what bad actors are not permitted to do, but also adequately and clearly supports the key role that freelance, ethical hackers play in discovering and disclosing vulnerabilities so they can be addressed before they are exploited.

Bugcrowd is contributing to the consultation via two industry groups on which I sit: the Cybersecurity Policy Working Group (CPWG) and the Hacker Policy Coalition. Both these organisations will be making submissions to the consultation reflecting the views of their respective members.

But it’s equally important that as many individuals and organisations as possible have their say on this, and I encourage anyone from our extended ecosystem with a view to contribute via the Home Office consultation page. I also encourage you to be quick: the consultation closes on April 6th 2023.

Bugcrowd’s Annual Buggy Awards are Back
https://www.bugcrowd.com/blog/bugcrowds-annual-buggy-awards-are-back/
Tue, 21 Mar 2023 15:26:25 +0000

Our mission: “We make the internet a safer place”

2022 was a year full of excellent crowd submissions and powerful new relationships with customers. The strength of the crowdsourced security space can only be realized through cohesive teamwork among researchers, customers and Bugcrowd. To foster this important synergy, we want to recognize our community for the outstanding work they do. We’re excited to announce the winners of the 2022 Buggy Awards! The Buggy Awards honor those who have gone above and beyond in their effort to make the internet a safer place. Interested in discovering the top performers from previous years? The 2019 Buggy Awards are worth checking out for an insider’s glimpse into those winners.

Ahem… envelope please! Without further ado, here are this year’s winners.

Top Program Awards

The Top Program Awards go to companies that are truly committed to both the Bugcrowd researcher community and to running an outstanding bounty program. Finalists are selected based on a combination of platform program metrics and Researcher feedback and nominations.

Best Communication

In previous years, the Most Responsive Program award focused solely on the speed with which an organization responded to a triaged report. While taking action quickly is important, we also wanted to recognize Program Owners who have made a commitment to providing quality responses and ongoing engagement on the platform. 

2022 Best Communication Award goes to HP Printers

Researchers’ Choice

Throughout the year we surveyed our Crowd and asked them to nominate their favorite program (and tell us why it rocks!). While it is important to have a well-rounded program, the ultimate decider of success in this category is the Researcher community.

2022 Researchers’ Choice Award goes to FIS

Program of the Year

Program of the Year recognizes the incredible work that goes into creating a successful bounty program. Based on several variables including reward range, communication, scope breadth, and general participation, this award goes to the most well-rounded program managed by Bugcrowd.

2022 Program of the Year Award goes to FIS

Top Bug Hunter Awards

Our Bug Hunter Awards acknowledge Researchers for contributions of excellence. This ranges from positively impacting the wider security and Bugcrowd communities to traditional recognition for exceptional individual work on bounty programs. Finalists are selected based on a combination of Researcher platform data metrics and nominations by the Bugcrowd Operations team.

Community Champion

The Community Champion category recognizes Researchers who positively influence the wider Bugcrowd community. These contributions may come in the form of engagement on social media, contributing to the Bugcrowd GitHub VRT discussions, or writing valuable educational materials for other Researchers. While these Researchers are all dedicated Crowd members who participate in many Bugcrowd programs, we especially value the incredible contributions they make to level up the Bugcrowd community.

The 2022 Community Champion Award goes to Bsysop

“I feel honored and excited to have been selected for this award. It was a surprise, and it gives me a great boost of motivation to keep trying my best and sharing my journey with others. The swag of this award is amazing and outstanding; it will be stored in a special place in the office. I would like to thank @sw33tLie for inspiring me every day with his crazy and brilliant ideas; he is the MVP. I’m looking forward to articles and tips, with more tips in draft already. This year I will release them and give back more to the community, showing what I have learned during my journey, some 0days that I have found, and some tips that can help others in their journey too. Stay tuned. Finally, a big thanks to the Bugcrowd team that makes all this possible, changing people’s lives!”

LevelUpX Champion

LevelUpX Champion recognizes Bugcrowd University Content Creators that have gone above and beyond to educate and spread the word of security testing. Not only do they work tirelessly to help others in the Bugcrowd community, but they also continue to increase their own knowledge by staying educated within the field. This person embodies the spirit of Bugcrowd and its educational initiatives.

The 2022 LevelUpX Champion Award goes to OrwaGodfather

“I feel very great when I see myself make something big like this for 2022/2023. I’d like to first thank all who are working on Bugcrowd: Triagers, Marketing, Support, etc. And those hunters who believed in me: Hackerx007, Tess, Mohd Waseyuddin, anhnt1337 and a lot of others. I am planning for more success on Bugcrowd and more P1s, and to share a lot of tips/tricks for new hunters to get valid bugs.”

Rookie of the Year

The Rookie of the Year award is given in recognition of Researchers who joined the Crowd in 2022 and had the best rankings across the following categories for 2022: average technical severity, accuracy, and volume of valid and accepted submissions.

The 2022 Rookie of the Year Award goes to Mzamat

“As someone who studied biology in college (currently working as a Scientist at a vaccine development company) and never formally touched a computer science course/had any formal training, to say that this is an honor would be an understatement. I started my journey in July of 2022, and none of this would have been possible without the guidance and support of ZwinK, and this amazing community. I hope to continue learning and growing in the Infosec space this year, with the goal of hopefully switching careers by early next year; so if you’re looking to hire, you know how to reach me. Thank you so much to Bugcrowd for this unreal recognition. I can’t wait to see what 2023 brings us all.”

Most Valuable Hacker

Our final award, the Most Valuable Hacker, is in recognition of veteran Researchers with the best-combined rankings across the following categories for 2022: average technical severity, accuracy, and volume of valid and accepted submissions.

The 2022 Most Valuable Hacker Award goes to Tess

“‘Any sufficiently advanced technology is indistinguishable from magic.’ – quote from Arthur C. Clarke. The idea of having a technology so advanced and perfect makes me believe magic is real. And I’m in search of such magic. To be recognized as the most valuable hacker on Bugcrowd in 2022 is a great achievement, and it motivates me to continue pushing myself to be the best I can be. I’m grateful for the opportunity to contribute to a community that’s working towards making the online world a safer place for everyone. I’d like to thank elmahdi, todayisnew, DK999, Orwagodfather and restricted. These hackers collaborate with me a lot and I have learned a lot from them. It would not have been possible to learn so much if they weren’t in my life. I would love to keep learning and growing in this field and keep working on the Bugcrowd platform in the future as well. Bugcrowd is amazing :)”

While we only recognized a handful of people who delivered awesome work in 2022, we’d also like to thank the community as a whole for an incredible 2022. We can’t wait to see what the rest of 2023 brings! Looking to stay caught up with all things Bugcrowd? Follow us on Twitter and Instagram and don’t forget to join us on Discord!

Hackers in the White House
https://www.bugcrowd.com/blog/hackers-in-the-white-house/
Fri, 03 Mar 2023 00:00:11 +0000

Cyber experts leveling the playing field and disrupting threat actors

In technology circles, it’s a well-known and often lamented fact that technology and cybersecurity have a habit of moving at a much faster pace than policy. “Hackers on the Hill” (HotH) is a program that works to bridge this gap by bringing hackers and policymakers together to address technology policy matters, learn how to understand and communicate with each other more effectively, and hold breakout sessions with Congresspeople, Senators, and their aides and staff to work on specific issues.

The Hackers on the Hill contingent gathers in the Indian Treaty Room of the White House Campus

This year’s HotH was a little different, and it was an exciting evolution from my perspective as a career advocate for hackers as part of the solution, not just the problem. After the morning sessions on Capitol Hill, Bugcrowd was proud to be invited into a smaller group that headed across to the White House.

The White House West Wing, otherwise known as “The Most Surveilled Piece of Land on Earth”

On a gray DC day just over a month ago, around 30 other hackers and I went through security screening at the southwest entrance of the White House — with varying degrees of difficulty, but all with eventual success. Once that clearance was behind us, a thoroughly surreal and incredibly significant event was about to take place: the first “Hackers on the Hill” group was to meet with the Office of the National Cyber Director (ONCD) and ultimately provide input on the National Cyber Strategy.

Casey Ellis and Beau Woods, security researcher, in the White House

On a personal note: Aside from the thrill that comes from setting foot in the White House, the thing that struck me first is also why I think this was such an important milestone: These are people I’ve worked with to help reform the popular understanding and opinion of hackers for, in some cases, decades, and now we were experiencing the opportunity to explore and influence the North American seat of power as a community. Over the last 10 years, there have been a growing number of events that have validated, legitimized, and promoted hackers as an important part of the Internet’s immune system. This event brought the input of security researchers to the very top of Western power, as a collective.

Just some White House tourist things before getting down to business… 

There were Chatham House sessions with members of the ONCD, Clare Martorana (the Federal CISO), and Chris Inglis (the former director of the ONCD), a panel on “A Day in the Life at the EOP” with representatives from the ONCD, OMB, and the NSC, and an overview of the draft National Cyber Strategy. Overall, it was a great introduction to the Executive Office of the President (EOP) and the strategy itself, and it set the stage for the working groups. Bugcrowd was asked to join the working group on coordinated vulnerability disclosure, which was one of the main parts of the strategy.

The National Cybersecurity Strategy document on which we provided input was released today. For Bugcrowd, the significance was squarely around the opportunity to participate and provide input on a document that is sure to set the expectations and tone for the relationship between builders and breakers – rebalancing the responsibility for cybersecurity, and elevating it from a niche domain to one that is truly approached as a team sport, including soliciting the input of the hacker and security research community itself.

Why It Matters

The focus of the strategy is rebalancing responsibility. From its inception, Bugcrowd’s vision has been to “level the cybersecurity playing field” by helping defenders engage the creativity of the good-faith hacker community to shift the resourcing and economic advantage away from the attacker. To defeat an army of adversaries, you need an army of allies, and the inclusion of Coordinated Vulnerability Disclosure in the National Cyber Strategy as well as the invitation to the hacker community to give input into its formation bode well for the future of crowdsourced security.

Bugcrowd, representing the global ethical hacker community, in the White House – something we can all be proud of!
