Bugcrowd Spotlight Archives | Bugcrowd
https://www.bugcrowd.com/blog/category/bugcrowd-spotlight/

The 12 Days of Swagmas
https://www.bugcrowd.com/blog/the-12-days-of-swagmas/
Thu, 21 Dec 2023 15:40:18 +0000

🎵 On the first day of Swagmas
Bugcrowd sent to me
Stickers all about bug bountiessssssss 🎵

There’s no denying it: Bugcrowd’s swag game has always been top tier. Over the past decade, we’ve prioritized rewarding hackers with the coolest stickers, t-shirts, and other swag, so our community can rep the brand that we’ve all built together.

Pic thanks to @rahul0x00 via X

During this festive season, we’ve decided to take a walk down memory lane, remembering swag classics and highlighting new fan-favorites. We asked our hacker community, customers, and employees to share their favorite Bugcrowd swag from the past ten years.

The 12 Days of Swagmas highlights include:

  1. My Other Computer is your Computer
  2. Grace Hopper has a Posse
  3. Classic Horror Movie Series
  4. This LAN is our LAN
  5. P1 Warriors
  6. The Bugcrowd Keyboard
  7. Bug Bash Swag
  8. Outhunt Them All
  9. Top 100 MVP Hackers
  10. Outhack Them All Series
  11. It Takes a Crowd
  12. Ingenuity Unleashed

Check out the pictures below!

1) My Other Computer is your Computer

Nothing beats the OG Bugcrowd swag. “My Other Computer is your Computer” was an instant classic in the Bugcrowd community. Whether you prefer the English or Russian version, you can find this popular catchphrase printed on stickers, t-shirts, card decks, hats, and more.

2) Grace Hopper has a Posse

Another classic! Grace Hopper is known as a pioneer of computer programming. She developed the first compiler, A-0, and the programming language COBOL. She is also known for popularizing the computing term “bug.”

3) Classic Horror Movie Series

One of our most popular additions to the Bugcrowd swag family is the classic horror movie series. These stickers and t-shirts riff on classic horror movies like It and Jaws, showing the scary side of cybersecurity.

4) This LAN is our LAN

Another old school classic!

5) P1 Warriors

The P1 Warrior incentive program rewards hackers for their total count of valid P1 submissions in a year. P1 Warriors get some seriously awesome swag!

6) The Bugcrowd Keyboard

Shhhh. The iconic Bugcrowd keyboard can only be spoken about in hushed tones. Reverence is required when discussing this rare artifact. If you’re one of the hackers lucky enough to have this keyboard on your desk, consider yourself lucky.

7) Bug Bash Swag

Honestly, we could do a whole separate post about cool custom swag from bug bashes. From poker chips to boxing gloves to personalized jerseys and bobbleheads, nobody leaves a bug bash empty handed.

8) Outhunt Them All

This character that we refer to as ShadowBuggy perfectly embodies the badass nature of hacking. We’re ditching dated references to hackers in hoodies and showcasing hacking in all of its glory.

9) Top 100 MVP Hackers

Here’s a little throwback from 2018. Five years ago, we compiled the names of our top 100 MVP hackers into this incredible bug design. It was a hit with the hackers on the list, and we love seeing this shirt at conferences like DEF CON.

10) Outhack Them All Series

This series is a favorite within the hacking community. The samurai design was highly coveted when it was first released and is still a favorite giveaway on social media and in conference booths. The retro Outhack Them All t-shirt is another classic, most recently seen worn by hacker Erik De Jong at our BlackHat Europe booth.

11) It Takes a Crowd

Sometimes a design concept and t-shirt come together to create magic, and that is certainly what happened with this highly-coveted “It Takes a Crowd” shirt. The psychedelic space design and unique colors were a hit!

12) Ingenuity Unleashed

The newest Bugcrowd swag was launched at BlackHat this year. It includes our company mascot, Buggy, and our brand new tagline, Ingenuity Unleashed. Be sure to grab this swag while you have the chance, before it joins the ranks of vintage classics like some of the others on this list!

And that’s a wrap on the 12 Days of Swagmas. Did we miss any of your favorite swag items? Let us know on X (formerly Twitter)! Happy Holidays and Merry Swagmas from Bugcrowd.

The post The 12 Days of Swagmas appeared first on Bugcrowd.

Q&A with Nick McKenzie: CISO Advice, Generative AI, and Security Predictions
https://www.bugcrowd.com/blog/q-a-with-ciso-nick-mckenzie/
Tue, 15 Aug 2023 13:30:03 +0000

Bugcrowd recently released the seventh edition of our annual flagship report, Inside the Mind of a Hacker. This report explores trends in ethical hacking, the motivations behind these hackers, and how organizations are leveraging the hacking community to elevate their security posture. This year’s edition takes a special look at the ways cybersecurity is changing as a result of the mainstream adoption of generative AI. As a part of this exploration, we interviewed Nick McKenzie, CISO at Bugcrowd. We’ve included a snippet of that interview in this blog post. Download the report here to learn more about how hackers are using AI technologies to increase the value of their work.

Tell us a little bit about yourself.

I’ve been in the cybersecurity industry for almost 25 years, and I’ve seen a shocking amount of change. Before Bugcrowd, I served as executive general manager and CSO at National Australia Bank (NAB), one of Australia’s four largest financial institutions. At NAB, I was responsible for overseeing the enterprise security portfolio, which included cyber, physical security, investigations, and operational fraud capabilities to protect customers and employees, support business growth, and enable an operationally resilient bank. 

I currently serve as an advisory board member for Google, Amazon Web Services, Netskope, and Digital Shadows.  

What are the most demanding challenges that CISOs are currently facing in their roles?

CISOs juggle multiple responsibilities, including maintaining a secure foundation and protecting against ever-evolving threats while trying to attract top talent in a highly competitive environment. CISOs must strike a balance between enabling business agility and providing robust protection—all while navigating the intricacies of country-specific technologies and cyber regulations. 

How should CISOs approach working with hackers and implementing crowdsourced security?

By leveraging a select number of curated hackers with small-scope proof of value (POV), CISOs can safely and effectively mitigate the perceived risk of crowdsourced security. Running this POV gives a CISO’s team familiarity with the platform, triage services, and customer success capabilities. As CISOs become more accustomed to the crowdsourced model, they are likely to go wider and deeper—sometimes straight to a public program to glean the ultimate benefits from a bigger, more diverse community of hackers.

In my personal view, the adoption of crowdsourced security does not increase operational risk; instead, it only decreases risk, as it enables the earlier identification of vulnerabilities harvested by experts in the security community before attackers can discover and exploit them. 

In the age of AI, could generative technologies outpace an organization’s ability to establish effective cybersecurity measures?

AI has progressed to the point where it is being used to both weaponize and circumvent traditional controls in organizations’ defenses. For example, more advanced malware, phishing campaigns, deep fakes, and voice cloning are continually being developed. 

As AI advances, CISOs must adapt existing security measures—or introduce new ones—to counter the increasingly sophisticated threats posed by generative technologies. 

Given the potential misuse of generative AI by cybercriminals, should there be stricter regulations on its development and use by hackers, or would that hinder innovation?

Imposing restrictions on the use of generative AI for the hacking community would hinder creativity and create the opposite of the intended effect. Regulations should be put in place across industries and organizations, rather than restricted to hackers.

How can CISOs strike a balance between enjoying the benefits of generative AI and ensuring they don’t inadvertently contribute to the rise of more sophisticated cyberattacks? 

CISOs must be aware of the duality of generative AI to both benefit from it and prevent its misuse by attackers or employers. Ultimately, it’s a tug of war between threat actors and defenders, who are constantly trying to evolve with the use of AI to outsmart each other. 

Could an increased reliance on generative AI displace human intelligence and diminish the value of hackers?

Generative AI will certainly help with speed and accuracy in vulnerability analysis, but it cannot replace the creativity and diverse perspectives of human hackers. Hackers spend long, arduous hours deconstructing a complex problem or unveiling an abstract vulnerability; presently, this is something that modern AI systems struggle with. 

Considering recent economic headwinds, what suggestions can you give to fellow CISOs who want to increase the ROI from security programs without significantly increasing their budgets?

CISOs should consider investing in newer frameworks and products such as bug bounty programs or penetration testing as a service, which improve time-to-remediation (TTR), digitize the experience end to end, and deliver continuous outcomes across an evolving attack surface. 

What do you predict the next two years of crowdsourced security will look like, and how is Bugcrowd planning to give hackers and customers the best experience?

In the next two years, crowdsourced security will become the preferred model for continuous assurance, incorporating generative AI to improve customer experiences—through things like improved triage and increased integration capabilities—and eventually expand the usage of hacker data. 

Hackers Wanted for Aleo’s Inaugural Bug Bounty Program!
https://www.bugcrowd.com/blog/hackers-wanted-for-aleos-inaugural-bug-bounty-program/
Thu, 20 Jul 2023 17:36:44 +0000

Attention, hackers! Are you ready to put your skills to the test and leave your mark on the future of blockchain technology? Look no further than our partnership with Aleo, the groundbreaking developer platform for building private blockchain applications using zero-knowledge proofs. In an exciting partnership that puts security at the forefront, Aleo is working with Bugcrowd, the industry leader in ethical hacking, to launch their first bug bounty program. This is your chance to dive into the world of blockchain and help Aleo shape a more secure ecosystem. So, gear up and let the hacking begin!

The Bug Bounty Program Unveiled 

We are thrilled to reveal Aleo’s fully live Bug Bounty Program, hosted on the Bugcrowd platform. This program invites talented and passionate hackers from around the globe to put Aleo’s security defenses to the ultimate test. 

To kickstart the Bug Bounty Program, Aleo has allocated an initial reward pool of $500,000 USD. This substantial amount underscores Aleo’s commitment to recognizing and rewarding the valuable contributions made by hackers (otherwise known as security researchers or white hat hackers). The pool is divided into two tiers, ensuring that efforts of varying magnitudes are duly rewarded. Tier P1 offers rewards ranging from $10,000 to $25,000 for the discovery of critical vulnerabilities, while Tier P2 grants rewards ranging from $5,000 to $10,000 for significant findings.

Take on the challenge

Are you up for the challenge of securing the Aleo network? Join our Bug Bounty Program, showcase your skills, and help us enhance the privacy and security of Aleo. By actively participating, you become an integral part of the Aleo community, working towards a common goal of building a robust and resilient blockchain ecosystem.

Some key points to keep in mind as you hunt:

  • The program scope currently only focuses on Aleo’s snarkOS and snarkVM repositories.
  • Bounties will be paid based on severity of the bug using the Bugcrowd VRT scoring system.
  • Aleo must remain compliant with OFAC programs, and thus cannot pay out bounties to residents in OFAC-sanctioned countries.

How to Get Started

To participate in the Aleo Bug Bounty Program with Bugcrowd, simply log in to the Bugcrowd platform and look for the Aleo program. There, you’ll find detailed instructions, guidelines, and the necessary resources to embark on your bug hunting journey. For more information, visit the Aleo program brief on the Bugcrowd platform.

Aleo and Bugcrowd: A Powerhouse Collaboration

Aleo’s Bug Bounty Program, in collaboration with HackerOne and Bugcrowd, is an invitation to security researchers and white hat hackers worldwide to help fortify the Aleo network. With Aleo’s security-first mindset and a generous $500,000 USD reward pool, we are committed to fostering a strong and secure blockchain ecosystem. Join us in this exciting journey into the world of blockchain, contribute your expertise, and together, let’s pave the way for a safer digital future with Aleo.

The Three Principles of Bug Bounty Duplicates
https://www.bugcrowd.com/blog/the-three-principles-of-bug-bounty-duplicates/
Thu, 29 Jun 2023 21:48:04 +0000

Introduction to Bug Bounty Duplicates

A duplicate (in the bug bounty world) is a report for an issue that was previously known or identified. However, determining whether a given finding is truly a duplicate isn’t always cut and dried. Many situations require a non-trivial amount of nuance and context. To help with duplicate evaluation in these cases, we’ve put together a guide to a few common duplicate scenarios, explaining how Bugcrowd looks at each situation and how we recommend clients approach it as well. As we go through these scenarios, there are three key principles to keep in mind:

  • Touch the code (or make a change), pay the bug
      • If a finding causes you to make a change—and is in scope + is a vuln that’s rewarded as part of the program brief—it should be rewarded.
  • Similar != same
      • If a finding is similar to another finding, but requires a separate change, it is a unique issue that needs to be rewarded independently.
  • Many != systemic
      • Just because there are many of a particular vulnerability type, that doesn’t mean they’re all part of the same root issue.

The importance of context and nuance in duplicate evaluation

As a quick note, when triaging findings, Bugcrowd’s engineered triage takes all of the above into account (to the best of our abilities—as there are extenuating circumstances in some cases that we don’t have visibility into). We leverage our ML-powered de-duplicate detection, contextual intelligence from over a decade’s worth of data on vulnerabilities, and human validation to perform a thorough review of any and all findings that come into the platform to ensure (1) duplicates are properly identified; and (2) all unique issues are elevated for review by the client. 

Scenario #1: Multiple SQLi Vulnerabilities

  • A researcher has identified ten SQLi vulnerabilities across your application for a number of different queries and resources. Since they are all SQLi, you decide to pay for one finding and mark the others as duplicates.

This approach is misguided because multiple vulnerabilities of the same class are not all the same vulnerability. Seeing a large number of findings of the same vulnerability class reported on a single asset is fairly common—when there are one or two of a vulnerability type, there are usually a lot more. This may be due to the same developers making the same mistake(s) in different places across the attack surface. Like birds, vulns of a feather commonly flock together.

Assessing Vulnerability Clusters and Determining True Duplicates

In situations like this, it’s important to realize that even though there are many of the same type of vulnerability, they’re sprinkled across the application in different contexts. This means that it’s highly unlikely that they’re all one fix. 

Some of them might be true duplicates. If fixing one removes the need to fix another, refer back to principle #1 from above, “touch the code / make a change, pay the bug.” If, as a result of fixing a vulnerability, one no longer needs to touch the code or make a change to fix another finding, then the latter is truly a duplicate of the former. 

Ensuring Fair Recognition and Reward for Unique Findings

However, it’s imperative that we only mark something a duplicate if it’s truly a duplicate (e.g. fixing the parent finding removes the need to fix the duplicate finding). In the case of having ten SQLi scattered across the application, if we try to reward only one finding and dupe the rest, that’s tantamount to saying that only one change to one area of the codebase was made as a result of those issues. If we look at the situation honestly, had the researcher only reported one of the ten SQLi issues, and that issue got fixed, there would likely still be at least nine other vulnerabilities floating around even after the first one was remediated—because each requires a unique fix. It may be tempting to assert that they’re all one-in-the-same, but that is very rarely the case.

THINGS TO KEEP IN MIND

In some cases, some might assert that implementing a WAF (or WAF rule) could count as a single “fix.” For instance, one could implement a WAF rule that blocks any injection of double quotes that were otherwise required for the SQLi vulnerability. In doing so, all the SQLi issues are no longer exploited, and are thereby “remediated.” However, from Bugcrowd’s view, findings need to be rewarded from the perspective of how they would be remediated in the underlying codebase, and not at the WAF layer. Adding a WAF rule or similar blocking mechanism is a half-measure that will invariably have a hole of its own at some point in the future that will leave the still-vulnerable application underneath exposed. There’s no shortage of WAF bypasses or other creative mechanisms that researchers have found to get around these controls, and as such, (1) any remediation should always start at the application layer; and (2) rewards should be administered based on fixes to the codebase, and not the WAF.

Scenario #2: Reflected XSS Vulnerabilities with Common Parameters

  • A researcher identifies 15 reflected cross site scripting (XSS) vulnerabilities across a number of pages on your application—however, they usually involve one of three parameters, “page=”, “id=”, and “utm=”. Since they are all on unique pages (e.g. /view, /news, etc), and we previously talked about how it’s important to pay for all unique issues, you decide to pay for each finding independently.

This is partially correct, and partially incorrect. It is correct in that we want and need to reward for all the unique findings, given that these issues appear to be originating from three unique parameters. The most common outcome here is that there would be three unique findings (one for each vulnerable parameter), and the rest would be marked as duplicates of the initial issue for each parameter. 

Understanding Duplicates in Multi-Parameter Vulnerability Scenarios

But this is not always the case. Sometimes the same parameter name may be handled differently by different pages—this can be evaluated by looking at where the injection is reflected back on the page, and whether it’s the same place for each parameter on each page. If that’s the case, they’re likely the same issue / underlying function applied on the different pages—despite appearing on unique URLs. In cases like this, fixing the underlying function will remediate the issue on every page where that function is called, and so Bugcrowd will automatically mark each initial finding as unique per parameter, and then mark all subsequent ones for those parameters as duplicates.

THINGS TO KEEP IN MIND

It’s worth noting that in a good number of cases, even multiple parameters will be duplicates of one another across the same or multiple pages if they’re fundamentally part of the same issue. A good example of this is when the page URL is printed in the page content. In such cases, the URL could have 30 parameters, or even a fake parameter added to it, and all of them would be reflected back in the page via the same function on the backend—which again would only take a single fix to remediate, and thereby only be eligible for a single reward across all the parameters and pages that have this issue.

In doing so, we’re adhering to the principles outlined earlier: paying for all the places where the code is being changed (once per underlying function that will be fixed per parameter), and also keeping in mind that “similar != same.”

Scenario #3: CSRF Findings on Multiple Pages/Endpoints

  • A researcher submits 50 cross site request forgery (CSRF / XSRF) findings against the application for every available page/endpoint, since there is no anti-CSRF token present anywhere on the app. Since they’ve identified 50 points where there’s an issue, should they be paid out for 50 findings? 

This is where our third principle of duplicates comes into play: many != systemic. As we saw in the first and second examples, many issues of a vulnerability class don’t mean that it’s automatically systemic, or that it should be condensed to a single finding. With certain bug classes though, it is possible to have systemic issues—CSRF being a notable example.

Clarifying Systemic Vulnerabilities and Their Influence on Payouts

If the application had anti-CSRF protections in 45 of the 50 places, and was just missing it in five of them, then each instance of missing CSRF protection would be a unique finding. This is because the protection exists, it just didn’t on those specific endpoints. However, since in our example there was no anti-CSRF anywhere on the application, it’s possible that once they turn it on (especially in modern frameworks), it’ll automatically apply itself to all of the pages/endpoints for the application, and resolve the many with a single code change. Now, this isn’t always the case, but very commonly is (specifically with CSRF). In such situations, we’ll label the issue as “systemic,” reward the first report, and mark all subsequent reports as duplicates. 

THINGS TO KEEP IN MIND

After the mitigation is applied, if there are places where the systemic fix doesn’t cover all the bases, then those would be net-new unique vulnerabilities that should be rewarded independently.

Other examples of systemic issues include subdomains that are load balanced or resolve to the same host. This is where reporting an issue on one will make it immediately applicable to all other subdomains that share the same codebase or host, etc. This isn’t an exhaustive list—just a couple examples of how/where vulnerabilities can be systemic.
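The grouping rules described in Scenario #2 (reflected XSS keyed by parameter and reflection point) and Scenario #3 (CSRF that is systemic only when no endpoint had protection) can be written down as a small triage routine. The following is an added example and not Bugcrowd’s own triage code: the finding fields, the `sink` labels (including a constructed `url_echo` label for pages that echo the whole request URL), the report ids, paths and endpoints are all assumptions made up for illustration. In practice the “same reflection point” judgement comes from a human reading the code or the rendered page, as the text describes; here it is reduced to a string label.

```python
# Added example, not Bugcrowd's triage code: a toy model of the grouping
# rules described in Scenario #2 (reflected XSS) and Scenario #3 (CSRF).
# Report ids, paths, parameter names and the "sink" labels are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class XssFinding:
    report_id: str   # constructed submission id
    path: str        # page the researcher reported, e.g. "/view"
    parameter: str   # query parameter that was injected
    sink: str        # constructed label for where the payload is reflected


# Constructed sink label meaning "the whole request URL is echoed into the
# page"; the parameter name is then irrelevant and one backend fix covers all.
URL_ECHO = "url_echo"


def fix_unit_for_xss(f: XssFinding) -> Tuple[str, ...]:
    """Key identifying the single code change that would fix this finding."""
    if f.sink == URL_ECHO:
        return ("xss", URL_ECHO)
    # Same parameter reflected into the same sink on different pages is one
    # underlying function; the same name reaching a different sink is a
    # separate bug ("similar != same").
    return ("xss", f.parameter, f.sink)


def triage_xss(findings: List[XssFinding]) -> Dict[str, Optional[str]]:
    """Map each report id to the report it duplicates, or None if unique."""
    first_seen: Dict[Tuple[str, ...], str] = {}
    verdict: Dict[str, Optional[str]] = {}
    for f in findings:                 # submission order decides who is first
        key = fix_unit_for_xss(f)
        if key in first_seen:
            verdict[f.report_id] = first_seen[key]
        else:
            first_seen[key] = f.report_id
            verdict[f.report_id] = None
    return verdict


def triage_csrf(protected: Dict[str, bool],
                reports: List[Tuple[str, str]]) -> Tuple[bool, Dict[str, Optional[str]]]:
    """protected maps endpoint -> whether an anti-CSRF token is enforced there;
    reports is an ordered list of (report_id, unprotected endpoint).
    Returns (systemic, verdict)."""
    verdict: Dict[str, Optional[str]] = {}
    if not any(protected.values()):
        # No protection anywhere: enabling it framework-wide is likely one
        # change, so the first report is rewarded and the rest are duplicates.
        first: Optional[str] = None
        for rid, _endpoint in reports:
            verdict[rid] = first
            if first is None:
                first = rid
        return True, verdict
    # Protection exists elsewhere, so each uncovered endpoint is its own gap;
    # repeated reports for the same endpoint are ordinary duplicates.
    seen: Dict[str, str] = {}
    for rid, endpoint in reports:
        if endpoint in seen:
            verdict[rid] = seen[endpoint]
        else:
            seen[endpoint] = rid
            verdict[rid] = None
    return False, verdict


def rewardable(verdict: Dict[str, Optional[str]]) -> List[str]:
    """Report ids that are unique and therefore rewarded."""
    return [rid for rid, parent in verdict.items() if parent is None]


# Constructed sample data.
SAMPLE_XSS = [
    XssFinding("R1", "/view", "page", "title_text"),
    XssFinding("R2", "/news", "page", "title_text"),  # same function, other page
    XssFinding("R3", "/view", "id", "href_attr"),
    XssFinding("R4", "/news", "id", "body_html"),     # same name, different sink
    XssFinding("R5", "/view", "utm", URL_ECHO),
    XssFinding("R6", "/news", "fake", URL_ECHO),      # made-up parameter, same echo
]
CSRF_NONE = {"/profile": False, "/email": False, "/password": False}
CSRF_NONE_REPORTS = [("C1", "/profile"), ("C2", "/email"), ("C3", "/password")]
CSRF_PARTIAL = {"/profile": True, "/email": False, "/password": False}
CSRF_PARTIAL_REPORTS = [("C1", "/email"), ("C2", "/password"), ("C3", "/email")]

if __name__ == "__main__":
    print(triage_xss(SAMPLE_XSS))
    print(triage_csrf(CSRF_NONE, CSRF_NONE_REPORTS))
    print(triage_csrf(CSRF_PARTIAL, CSRF_PARTIAL_REPORTS))
```

Submission order decides which report becomes the parent. In the XSS sample, `id` reaching two different sinks stays two unique findings (“similar != same”), while a made-up parameter on a URL-echoing page collapses into the existing `url_echo` finding. The CSRF routine only collapses everything to one reward when no endpoint had protection; once protection exists somewhere, each missing endpoint is its own gap, matching the 45-of-50 case in the text.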

Navigating Duplicates with Confidence

Hopefully this guide provides some context around how, when, and why duplicates are duplicates. It’s important to remember that in all cases relating to duplicates, it’s critical to interrogate and evaluate the situation, as context matters significantly. Many times it requires reviewing the codebase to see how many fixes a given bug will take to remediate. So, remember the three principles mentioned earlier:

  1. Touch the code (or make a change), pay the bug
  2. Similar != same
  3. Many != systemic

As long as you’re taking these principles to heart in each situation, it’s unlikely that you’ll get it wrong. If you have any questions, the Bugcrowd team is always here to help and provide advice. 

Finally, if nothing else, always remember, whether it’s updating documentation or the codebase—“touch the code or make a change, pay the bug”. 

Good luck and happy hunting!

Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence
https://www.bugcrowd.com/blog/ptaas-takes-home-five-awards/
Thu, 11 May 2023 17:15:02 +0000

Since launching new self-service capabilities within our Penetration Testing as a Service offering last month, we’ve already seen wide recognition of the technology’s ability to empower buyers to purchase, set up, and manage pen tests directly online, cutting out the need for lengthy sales calls and scoping sessions.

In 2023 alone, Bugcrowd, and in particular these new PTaaS capabilities, has won five distinct industry awards. This recent string of wins demonstrates Bugcrowd’s persistence in delivering industry-leading solutions to the market and validation as an accomplished and preeminent organization throughout cybersecurity.

Most recently, our team was recognized by Cyber Defense Magazine’s Global InfoSec Awards as a Hot Company in the Penetration Testing Category for our PTaaS capabilities, along with being recognized as a Gold Winner in the 19th Annual Globee® Cyber Security Awards for the technology. Additionally, Bugcrowd PTaaS was recognized as the Gold Winner in the Pentest-as-a-Service category in the 2023 Cybersecurity Excellence Awards among North American companies between 1,000 and 5,000 employees.

As an organization, we took home two more wins in the Cybersecurity Excellence Award program with recognition as Gold Winner for Cybersecurity Provider of the Year and Silver Winner for Best Cybersecurity Company.

For one, I am so proud to see all of these incredible wins. It’s a huge testament to our stellar team and technology! At Bugcrowd, we are committed to delivering the very best crowdsourced solutions to our customers and ultimately fulfilling our mission to democratize security testing for all.

Our team has taken major strides over the course of the past year to deliver on this mission, including a major upgrade to our PTaaS offering, all aimed at staying at the forefront of innovation and leadership within a very saturated cybersecurity market. With a surge of vendors offering security testing solutions, a common concern that we hear is that vulnerability assessments in the market today are often shallow and low impact.

Our goal was to provide a human-driven, high-impact pen test with a team matched to their precise needs with just a few clicks, cutting configuration time from days to hours. These recent award wins validate our work and the direction we’ve been laser-focused on. By focusing our priorities on our employees, the hacker community, partners and vendors, we are excited to build upon this momentum throughout 2023!

To learn more about our award-winning PTaaS offering, which is now available globally, visit https://www.bugcrowd.com/products/pen-test-as-a-service/.

Researcher Spotlight: Paolo Arnolfo (sw33tLie)
https://www.bugcrowd.com/blog/researcher-spotlight-paolo-arnolfo-sw33tlie/
Mon, 01 Aug 2022 16:00:03 +0000

Paolo Arnolfo, also known as sw33tLie, has always been fascinated by computers and software, but it wasn’t until three years ago that he discovered bug bounty platforms. This discovery changed his life, as he realized he could do what he loved full-time… hacking. It’s not often we get to combine passion and income, but Paolo made this dream a reality. Check out how below!

Tell us what you do for a living!

“I try to hack things and, when successful, I get paid for it. Sometimes that works, often it doesn’t, but failure is part of the process, right? I also enjoy writing security-related tools, and have a few public ones on my GitHub profile.”

There’s no success without failure. 

What sparked your interest in hacking?

“I have always been fascinated by computers and software in general. When I was younger I wanted to become a developer, but over time I realized I was more attracted by the security implications of writing code in certain ways. From there, hacking software made by some of the largest companies in the world felt like a great challenge, so I did just that.”

Way to step up to the challenge! 😎

How did you get into Cybersecurity? How long have you been hunting?

“I got seriously into cybersecurity when I realized bug bounty platforms were a thing, around 3 years ago: I wish I had started earlier! It felt great to figure out I could make money doing the things I loved.”

It’s never too late to start. If you’re thinking about getting into Bug Bounty, go for it! 

How have bug bounties impacted your life?

“Quite frankly, bug bounties made my life a lot better on multiple levels. The most important thing is that they allowed me to get in touch and collaborate with many of the best hackers in the world. This was (and it still is!) a great opportunity to make new friends and learn new things, some of which you can’t just grasp by reading books or blog posts.”

Making us emotional over here. 🥹

Are you a part-time or full-time hacker? How much time do you spend hacking?

“I’m a full-time hacker thus I spend most of my work time hacking. However, “hacking” doesn’t only mean directly attacking a target. It also means reading books, learning new things, writing code, and even randomly chatting with other hunters on Slack. Doing many different things helps not to get bored, and in this field, there are many options available!”

What has been your biggest challenge while hacking? How did you overcome it?

“There are many tough challenges to overcome when doing bug bounties, but one of the hardest ones for me is staying focused. That’s easy when you have a super cool bug you’re working on, but it becomes harder when it has been a while since the last time you had found something interesting. When that happens, I try to hack something else or, if needed, take a small break and come back at it later.”

See… 👀 Breaks are important. Make sure you give yourself time to rest and recharge.

Do you have any favorite tools or resources to learn? Why?

“I really like uncommon bugs. Bugs that you know the other side (triage) will enjoy reading and likely won’t be duplicates. Weird edge cases that nobody had deeply studied before. Any resource from people like James Kettle (@albinowax) or Frans Rosen is good material on that front.”

Save these #BugBountyTips. 👆📲

Do you have any advice for new hackers or people transitioning into bug bounty?

“Read a lot, be curious, and don’t forget to network with the right people! Also, when making the jump, don’t expect to make money from day one (or month one). Always have a backup plan during the transition.”

What’s an important lesson that you wish you learned early on in your hacking career?

“Quick dirty scripts can sometimes work just as well as well-written software. And often, that means saving a lot of time, which is a scarce resource. This has been difficult to accept but it’s one of these things that separates software engineering from bug bounty hunting: breaking stuff doesn’t have to be elegant!”

How do you avoid burnout? How do you take care of yourself and your mental health?

“Thankfully, I’m not one of those people that regularly suffer from burnout: in fact, I don’t think I can say I ever experienced a serious one. However, as I said before, I do lose focus and interest in hacking from time to time. I think the best way to overcome these challenges is to leverage the freedom that bug bounties give us and take breaks when needed: this is why it’s crucial to have some spare money to make that possible.”

Where do you see your journey going from here? What are some goals you have for this year?

“Finding more bugs is always the goal, but more specifically, I want to focus on my automation so that it can find unique behaviors that normal scanners miss. Time will tell if that works or not!”

Why do you hunt with Bugcrowd?

“Like most full-time hackers, I hunt on all major bug bounty platforms as a way to maximize the scope I’m legally allowed to hack. However, Bugcrowd is certainly the platform I enjoy most and where things go very smoothly most of the time. I love the crazy fast triage times for critical bugs, all the good things Bugcrowd does for researchers, and interacting with the people working there.”

We feel the same about you, sw33tLie, you’re awesome!

What does your life look like outside of hacking (family/hobbies)?

“I’m 21 and, apart from spending too many hours in front of a computer, I am not very different from my peers. In my free time, I enjoy playing the piano and hanging out with friends. Life outside hacking can often be interesting, especially when you get asked what you do for a living. Career advice: it seems there are many people out there that would love to hack somebody else’s Instagram account. Instead of the word “hacker”, use “security engineer”…it will help!”

Who is your hero? (hacking and/or life)

“Hero is a big word, but if there’s a person I truly admire in the field it has to be Guillermo Gregorio (@bsysop). I collaborate with him most of the time because it just works well for us, and trust my words, he’s crazy, in a good way. I sometimes ping him at the weirdest times, and he always replies quickly: I’m not sure if he even sleeps! bsysop always has your back. He truly is a good vibes guy and I’m sure everyone in the community agrees on this. Super recommended, but please, don’t steal my collab buddy too much! I feel I will regret these words…”

Bsysop, if you’re reading this, we also think you’re pretty cool. We love to see all of you researchers collaborating, as it will always improve your skills and possibly create long-lasting friendships.

Want to stay caught up with all things Bugcrowd? Follow our Twitter and join our Discord! Ready to join sw33tLie as a bug hunter? Sign up for a researcher account today and start hacking!

Atlassian’s CISO tells the story of his journey from hacker to security executive https://www.bugcrowd.com/blog/security-flash-atlassian/ Wed, 26 Aug 2020 00:00:00 +0000
Cybersecurity researchers and ethical hackers work against bad actors for the good of society. But who are these security researchers? Ashish Gupta, CEO at Bugcrowd, spoke to Adrian Ludwig, CISO at Atlassian, to get the lowdown on his journey from hacker to security executive, how he manages security for such a diverse IT environment, and how he’s bringing crowdsourced security to the wider community.

How did you end up working in cybersecurity?

Adrian: I started out at the NSA – mainly because they offered to pay for me to go to college, which was an opportunity I might have missed out on otherwise. I was originally interested in cryptography, but then I discovered something even more exciting – ethical hacking. Following my time at the NSA, I had security roles at Adobe Systems and Android. I also spent several years consulting, which involved helping to find vulnerabilities in various web apps and operating systems. In 2018, I joined Atlassian as CISO, so now I’m responsible for protecting assets from the inside.

How has cybersecurity changed over the years in your experience?

Adrian: For me, cybersecurity has always been about trying to solve interesting problems, but the landscape has evolved, which has demanded a different approach. Early on, security was primarily seen as a technical issue, whereas now, a lot of the problems in the security space are organizational, so that’s where I try to focus – on people, process, and organization.

Having been on both sides, can you share any insights into the relationship between hackers and security personnel?

Adrian: Twenty years ago, the two communities didn’t interact much – the hackers and the people building defenses were pretty separate. Most people didn’t have a very good grasp of bug hunters at all, to be honest – there was just their glorified image in movies like Hackers or The Matrix. Now, I think there’s a much better understanding of what attackers do and how they work, and greater interaction between those communities.

You’re responsible for security for a large and diverse IT environment – how do you ensure everything gets fixed?

Adrian: I don’t think it’s always necessary, or even possible, to fix absolutely everything. My job is more about identifying the right things to fix. A lot of it is pretty basic – making sure you’re updating and patching systems on a regular basis and frequently checking your infrastructure. With continuous updates, you create an environment that’s much harder for an attacker to get to grips with, and if you’re interacting with the environment regularly you’re more likely to identify anomalies that could indicate a problem. One of the key lessons I’ve learnt over the years is that it’s impossible to know about everything in a modern enterprise, so I don’t expect to. I trust in my team and each member’s ability to handle their specific area of responsibility. It’s a strategy that’s working so far – we’re well-equipped to defend against any potential attack.

Why do you use crowdsourced security?

Adrian: We’re bound to have some blind spots, and they’re what concern me the most. But that’s where diversity comes into play. With people from various different backgrounds and with a multitude of experiences, we’re more likely to pick up issues faster. That’s why working with a broad set of people outside the Atlassian environment to look at our systems is incredibly important. No matter how much pen testing we do, no matter how many internal evaluations or analysis tools we run, it’s always going to be beneficial to have other people checking our environment. It’s a win-win situation – either the Crowd finds something we didn’t see, in which case we can fix it. Or they don’t find anything, which validates our efforts.

How are you bringing crowdsourced security to the wider community?

Adrian: At Atlassian, we have a whole ecosystem of partners creating applications that plug directly into the Atlassian infrastructure to extend its functionality, and we make their applications available via our ecosystem marketplace. Many of these partners are fairly small development companies that don’t necessarily have enough employees to warrant a CISO or even a full-time security person – certainly nobody that’s dedicated their life to security. We’ve put a lot of effort into working out how to give those smaller developers access to security talent and robustness. Some of this involves proactive reviews on our part, but we’re also starting to expand our bug bounty program to include coverage for the marketplace as well, so they can leverage the benefits that we’re getting. It’s good for them, good for us, and of course better for our customers as they know they can trust the security of marketplace products as much as our own.

“It’s a win-win situation – either the Crowd finds something we didn’t see, in which case we can fix it. Or they don’t find anything, which validates our efforts.” Adrian Ludwig, CISO, Atlassian

To find out more about Adrian and his work at Atlassian, go to https://www.atlassian.com/blog/technology/a-conversation-with-adrian-ludwig-our-ciso

Bugcrowd Spotlight: Shreyance Tewari https://www.bugcrowd.com/blog/bugcrowd-spotlight-shreyance-tewari/ Thu, 23 Jul 2020 00:00:00 +0000
Have you ever wondered how your favorite Bugcrowd program is set up before you’re sent that coveted Private Invite? Shreyance Tewari is the Lead Security Solutions Architect here at Bugcrowd, ensuring that programs are up and ready for researchers to test before they go live!

An avid soccer enthusiast and rookie referee, Shrey brings his passion and excitement from the field to Bugcrowd, getting a real kick out of improving security posture on every program he works with. He helps researchers score those critical vulnerabilities for any goal-oriented customers.

We sat down with Shrey to learn more about his background and get some advice on getting started in cybersecurity.

Check out his story below!


How did you get into Cybersecurity?

During my master’s in Electrical Engineering at Texas A&M I was allowed to take a few Computer Science courses. Having heard about this one great security professor, Dr. Daniel Ragsdale, I decided to audit one of his classes and that was the start of a great journey. Dr. Rags, just by being the kind of person he is, really motivated and inspired me to dig deep and was the one who got me hooked on cybersecurity.

What brought you to Bugcrowd?

One of the common pain points I learned about cybersecurity, both in school, in talks/seminars, and then in my first security job, was the “lack of talent to fill the cybersecurity job vacancies in the market”. So when I read about the work Bugcrowd was doing to employ the gig economy model to solve this industry-wide problem I got super interested. Then it was about finding how I could contribute to this, and that came in the form of becoming a Security Solutions Architect, where I could work with customers to understand their security needs, threat model, attack surface, etc., define the program brief, and then work with researchers to find interesting bugs to help improve the customers’ security posture.

In your opinion, what makes a program successful?

By far the biggest factor in helping drive the success of any program on Bugcrowd is the program owners themselves. If the program owner thinks about the target application from the researcher’s point of view, they’ll strive to work with the Bugcrowd team to create bounty briefs that are as detailed as possible to facilitate testing, so researchers can immediately start finding valuable issues. Similarly, customers who are Fair, Responsive, Understanding, Invested and Transparent (F.R.U.I.T) in their communication with the researchers are able to build long-lasting relationships and an invested researcher following that provides them long-lasting value.

What’s your favorite Bugcrowd memory (so far)?

The first Bugcrowd-hosted Women In Security and Privacy (WISP) meetup was a great experience. Getting to hear from the brilliant panel members on how they got started in the security industry and what keeps them going was great.

Do you have any favorite tools or resources you use to learn? Why?

I love listening to the weekly Security Now! podcast by Steve Gibson and Leo Laporte whenever I get the chance. They cover the latest in security every week and present the information in a very engaging and fun way.

When you aren’t working, what do you do for hobbies/fun?

I love playing and watching soccer whenever I can. Hala Madrid!

Do you have any advice for new hackers or people transitioning into InfoSec?

Whatever your motivation for looking at InfoSec as a career, just go all in. There are plenty of opportunities everywhere so try to find a mentor who can guide you to get to where you want, but most importantly put your head down and just get at it.


Connect with Shrey on LinkedIn!

Stay tuned for more Researcher Spotlights. Want to join us and be part of the Crowd? Join our Discord and sign up for a Researcher Account!

Bugcrowd Spotlight: Maxim G https://www.bugcrowd.com/blog/bugcrowd-spotlight-maxim-g/ Thu, 16 Jul 2020 00:00:00 +0000

Maxim is an Offensive Security Certified Professional (OSCP) in his work as a Bugcrowd Triager by day and an excitable and innovative Hacker (@m-qt) by night. What’s the difference, you may ask? Well… mostly log-in credentials.

At just 21 years old, Maxim joined the Bugcrowd team in March of 2019 as an Application Security Engineer. Since then, he’s provided immense value to hundreds of customers and researchers alike, while working to make the internet a safer place!

In his free time, Max is currently working towards earning his Offensive Security Web Expert (OSWE) certification alongside his contributions as a moderator to a Penetration Testing Lab called Wizard-Labs.

Max has partnered with Bugcrowd to launch an exclusive Capture the Flag challenge to celebrate the announcement of our next LevelUp Conference!


How did you get into Cybersecurity? How long have you been hunting?

Computers have always been a passion of mine. My first job was working the IT help desk at a company of around 150 employees. As good luck would have it, they had recently overhauled their IT team, meaning that the only people on my team were two superiors and myself. One of my superiors was a wealth of knowledge and I was very blessed to have the opportunity to work with him. He guided me and I was exposed to a great number of various technologies at that job.

What brought you to Bugcrowd?

After leaving the help desk job, I wanted to take some time to relax and brush up on some skills, so I’ve found bug bounties to be the perfect opportunity to do so. After spending time learning various web concepts, such as browser security & application misconfigurations, I started hunting from time to time.

When it came time for me to find a job, I saw that Bugcrowd had an opening available and felt it would be the perfect opportunity to build an even stronger foundation for my security knowledge.

What’s your favorite program to Triage on? Why?

It’s hard to have a favorite, but I’ve really enjoyed triaging on the Dell program. Dell Technologies has a wide-open scope, so you will see a lot of interesting stuff, along with the Program Owners being very responsive and on top of things. They receive very interesting bugs, anything ranging from Open Redirects to Remote Code Execution via Deserialization.

I also enjoy working on one of our private hardware programs. I’ve gotten to see some very low-level bugs and esoteric bugs that you would’ve never imagined possible!

Do you have any favorite tools or resources to learn? Why?

I love playing CTFs to brush up on my skills. A lot of CTFs are built with heavy inspiration from real-life scenarios. Some CTFs are more like “puzzles” than others, and sometimes you have to use a very obscure payload due to certain quirks in the way the application is built. They are still great practice, as it builds perseverance. They teach you how to do 99 things the wrong way, so you can do 1 thing the right way.

Do you have any simple tips that you use when you are hunting?

I look at hunting as a way to garner experience and knowledge. I don’t tend to look at my success in terms of the number of bugs I’ve found or how much money I’ve made, but rather what I’ve learned. There are times when you will go on a long dry streak not finding anything, or it seems like every single one of your bugs is a dupe. However, don’t forget that a lot of websites are built very similarly in the way technologies are used, coding habits, etc.

By spending the time doing Recon, you will come across rabbit holes. The next time you experience something similar, you will know how it works and whether or not it would be a good vector to explore!

When you aren’t hunting bugs, what do you do for hobbies/fun?

One of my hobbies is building vulnerable boxes for people to then test their skills by trying to hack into them. I like to build many varieties of boxes with cool attack vectors I’ve seen in the bug bounty world and blend them with concepts from network pentesting. Overall, the general theme is realism. Apart from computers, I’m an avid fan of MotoGP and F1 racing.

Do you have any advice for new hackers or people transitioning into bug bounty?

If you’ve never worked a job in IT, I would strongly recommend doing so. In order to break into something, you need to understand how it works. If you try to skip building the foundation, you’ll find yourself running in circles and being frustrated. While some IT positions are not the most glamorous, you will find that even the most minuscule details you learn will go far and could potentially help you score a bounty in the future.


Stay tuned for more Researcher Spotlights. Want to join Maxim and be part of the Crowd? Join our Discord and sign up for a Researcher Account!
