As a new milestone in that effort, we are thrilled to introduce a groundbreaking, industry-first platform feature: Request a Response. This new feature offers an additional channel for hackers to engage with Bugcrowd triagers and customers, with a response ensured within 48-96 hours depending on the type of request. 

As a result, hackers will enjoy improved communication, increased transparency, and most importantly, more time dedicated to hacking–and to earning rewards. For Bugcrowd customers, Request a Response enables faster access to insights from hackers, when decisions about payments or other submission details would benefit from their feedback.

The Old Standard is Out

Unread comments are frustrating, to say the least. In the crowdsourcing space, it’s common for hackers post comments or questions that need to be addressed on their submissions, but for various reasons, the comment will not receive a response for an unacceptably long period of time–or get no response at all, in some cases. 

So, the industry standard has long been: submit a bug, wait for a response, leave a comment while awaiting response, comment goes seemingly unread, reach out to support, and eventually, reach a resolution only after much missed or absent communication. 

This cycle of miscommunication leads to confusion and frustration for everyone involved. Hackers are left wondering about the state of a particular submission and when they can expect movement–and their time, resources, and energy take a hit. 

Request a Response is Here to Deliver, and Here’s How

To solve this problem, Request a Response will help standardize communication between hackers, customers, and Bugcrowd staff. It allows hackers to directly request additional information, or ask a question to Bugcrowd employees and customers. A request triggers specific workflows, notifications, and alert actions to Bugcrowd and customers, who will then address the request within 48-96 hours. For status updates, hackers receive in-platform and email notifications as their request is addressed. 

Communication gaps have been the norm for far too long, and we’re determined to close them. With Request a Response, communication between hackers, Bugcrowd, and customers is streamlined and smooth.

Here’s what our beta testers had to say:

What You Can Expect

Our goal is to make this process as simple and predictable as possible. That leads to clear, reliable communication pathways and timelines. 

With this new standard set by Bugcrowd, hackers can request a response from Bugcrowd across seven different categories:

• Issue is Reproducible
• Scope
• Duplicate State
• Reward
• Priority
• Requesting Update
• Other

For responses from customers, two types of requests are available: Requesting Update and Other.

Additionally, hackers can provide details about their request to help Bugcrowd staff and customers properly triage and respond to them.

Plus, hackers can use this feature for these different submission substates:

• Triage
• Unresolved
• Resolved
• Out of Scope
• Not Reproducible
• Not Applicable (Bugcrowd only)

This feature is available to the Crowd across our engagements, so hackers and customers can submit a request and receive a quick response, saving time and stress.

The New Standard is Here

Ask questions, get a response: It’s as simple as that. Historically, succinct and predictable communication between hackers, platforms, and customers has been poor, messy, and frustrating. With Request a Response, you can expect clear communication timelines and guaranteed responses. 

For more information on Request a Response or any other Bugcrowd feature, please refer to our Researcher Documentation. Follow along as we continue to expand our platform features by following us on Twitter and Instagram, and don’t forget to join us on Discord and the Bugcrowd Forum. Sign up for a researcher account today to start your hacking journey!

The post Introducing Request a Response: A new standard for hacker and customer response time appeared first on Bugcrowd.

The Bugcrowd Platform also provides out of the box capabilities for the most popular workflows and use cases. Some of these include inbound integrations with SDLC tooling such as Atlassian Jira or IBM SOAR. To address outbound needs, Bugcrowd offers notifications on important events via email or on the web. As these use cases grow in sophistication, we’ve enhanced Bugcrowd Platform Notifications with two additional settings.

First, you can now be notified on submissions assigned any severity. For example, “Notify me when a P1 is submitted” is one of the most popular features requested by customers. With this setting, customers are notified of the issue immediately, even before triage. This allows you to take action on the finding immediately if the submission is in fact a true positive. Of course, you will still be notified once the submission is triaged by the Bugcrowd team. 

Second, you can now set up notifications for multiple submission states where you’ll be notified for all submissions that reach the specified state in the Bugcrowd Platform. As an example, you can be notified any time a submission reaches the “Triaged” state, and when it reaches the “Unresolved” state (accepted by a team member).

Both of these settings are now generally available in the Bugcrowd Platform. For more details, see the docs here.

The post Configuring Notifications for P1 Response in the Bugcrowd Platform appeared first on Bugcrowd.

In 2022, Bugcrowd Security Knowledge Platform introduced a new platform feature, the Industry Versus Organization Comparison Report, to allow customers to benchmark the performance of their program against industry peers for augmenting or improving the overall performance of their program. Today, we’re announcing additional security benchmarking capabilities in the report: giving customers the ability to benchmark the performance of their program against different industry peers, and adding new performance metrics, as well.

We understand that customers have dynamic, complex businesses and need to benchmark against different industries to fully understand the performance of their program. So, we’re giving customers the ability to select up to three industries to compare against at a time.

We have also added four additional charts for Payout comparison for P1 through P4 submissions to help our customers understand how they compare in payouts versus their peers in different industries. Having that data should help them become more competitive for researcher attention and attract more researchers to their program.

The post Announcing Enhancements to Industry Comparison Reports in the Bugcrowd Platform appeared first on Bugcrowd.

If a program is enabled as Joinable, you can self-join a private program if you meet the eligibility criteria for that program.

You get informative program teasers and a succinct list of requirements necessary to gain access to your dream program. Even better, logged-in users gain immediate access if they meet eligibility requirements. 

How does it differ from Private Programs?

Typically, a Private Program only allows you to join and hunt on the program if you are specifically invited to said program. While Joinable Programs are private by nature, they do not require that you are invited in order to participate. Instead, you are able to join the program if your skills and background are in line with the program’s criteria. With Joinable Programs, you get informative program teasers and a succinct list of requirements necessary to gain access to your dream program. This means that you can join at any time and no longer have to wait to receive a private program invite, as long as you meet the program’s requirements. 

How do you know what programs are Joinable? 

Customizing your view is easy: from your dashboard, hit “Programs”. Then navigate to the drop-down menu and choose “Joinable”. 

Each program tile offers a snapshot of the scope, rewards and eligibility requirements you can expect for each program.

Click “View Details” to find more of the information you’re looking for. Look closely at “Program Requirements”. Programs may have anywhere from 2 requirements to 5 requirements, and they may also require ID verification. To learn how to become ID verified, check out this quick guide. Don’t forget; you may already be qualified, gaining you instant access. 

Can I share a Joinable program?

If you see a program you know someone else would be great on, send them the URL to the teaser page. The recipient will be able to instantly see the program details and the eligibility requirements. 

It’s now easier than ever to gain instant access to programs without having to wait around for a private invite to hit your Researcher Dashboard. Read more about Joinable Programs in our researcher product documentation here. Stay up to date on all Bugcrowd has to offer by following our Twitter and joining our Discord.

The post What is a Bugcrowd Joinable Program? appeared first on Bugcrowd.

The Bugcrowd Security Knowledge Platform helps organizations continuously find vulnerabilities that other approaches miss. With our new platform feature, the Industry Versus Organization Comparison Report, customers can benchmark the performance of their program against that of their industry peers and learn how to augment or improve the overall performance of their program.  

With this unique feature, Bugcrowd is helping its customers realize the full potential of the Bugcrowd Security Knowledge Platform. 

The report provides the following information per quarter at the organization level:

• Number of submissions
• Priority of submissions
• Unique researchers
• Number of rewards
• Number of accepted submissions
• Number of fixed submissions

Sample Industry versus Organization Comparison Report

At Bugcrowd, we continuously strive to deliver value to our customers. Comparing their organization’s performance against the industry allows them to see how well their security programs are performing, and make tweaks or changes to get maximum value from the Bugcrowd Platform. 

Get started today and find out how to go about creating the report here.  

The post Announcing: Industry Comparison Reports appeared first on Bugcrowd.

that orchestrates data, technology, and human intelligence, including the power and agility of the global ethical hacker/security researcher community (the Crowd), to find blind spots before attackers do, and then remediate them more quickly.

We continuously strive to provide our customers with more and improved security protection, which is why we are excited to announce a new security defense to help customers keep their Bugcrowd programs even more secure: Multi-Factor Authentication (MFA). 

Ensure your organization’s team members are authenticated before gaining access to your Bugcrowd programs

So what does this mean? As an organization owner you can enforce MFA at the organizational level for all your Bugcrowd powered solutions –  Attack Surface Management, Vulnerability Disclosure, Bug Bounty, and Penetration Testing as a Service. Once enabled, programs under the organization will require your company’s team members to set up MFA to gain access. If a team member doesn’t set up their MFA, then they will not be able to access your programs. MFA gives you an additional layer of security and confidence in who is accessing your programs. 

Plus, if you have MFA enabled at the organizational level, then any new Bugcrowd programs added under the organization will automatically have MFA enabled. This makes it easier for you to ensure all your Bugcrowd programs require MFA, and it is one less thing you need to remember or worry about! For more details, please see Enforcing Multi-Factor Authentication (MFA) at Org level.

The post Protecting what Matters: Announcing Enhanced Multi-Factor Authentication (MFA) for Programs appeared first on Bugcrowd.

We’ve proven to customers like Atlassian, Netflix, and Twilio that only a platform-driven, solution-oriented approach to crowdsourced Penetration Testing as a Service, Attack Surface Management, and other workflows ensures long-term customer success. That said, our work is never done to make the platform more powerful, more efficient, and easier to adopt and use by customers at any scale, as well as to help researchers work on more interesting challenges and earn more rewards. Today, we’re announcing platform enhancements that are milestones on that journey, especially in the area of penetration testing.

Faster, More Agile Penetration Testing as a Service

Although modern approaches to penetration testing (including crowdsourcing) are well on their way to widespread adoption, many customers are still dissatisfied with pen test time-to-launch, speed, agility, and results. One key reason is that testing is nontransparent: Once it starts, customers have no visibility into how well the testing is progressing, which steps in the testing methodology have been covered, what findings are being discovered, and whether the test will deliver actionable results on time. Instead, a final report is dropped in their proverbial laps, and there’s no recourse if the findings are late (delaying remediation) or aren’t what were expected. 

Instead, Bugcrowd is committed to providing the fastest, most agile, and most transparent penetration testing as-a-service (PTaaS) available. In our PTaaS solution on the Bugcrowd Security Knowledge Platform, we already provide real-time visibility into findings from pen testers as they are discovered, triaged, validated, and prioritized by our world-class Validation and Triage services for highest fidelity results. Today, we’re announcing a rich, new dashboard with customer visibility into the progress of methodology-based pen tests, as well–completing a 360-degree, real-time view for pen testers, customers, and Bugcrowd Security Engineers–as well as even more precise crowd matching results from the Bugcrowd Platform’s CrowdMatch^TM ML technology.  

Previously, we described how our platform’s CrowdMatch ML recommendation engine delivers excellent results for customers by auto-matching trusted, qualified, motivated researchers to their precise needs and environment across hundreds of dimensions. Now, thanks to the richest security knowledge graph in the industry built over a decade of building 1000s of customer solutions, we’ve further improved the machine learning model that powers CrowdMatch. 

We estimate this new model will lead to at least a 60% increase in valid submissions from matched and activated pen testers/researchers, which we know from experience will directly translate into better overall results and ROI for customers. Furthermore, for ethical hackers and researchers, this improved matching performance provides more opportunities to work on challenging, impactful problems and earn more rewards.

With these new enhancements, Bugcrowd’s PTaaS solution now ensures that:

• Trusted, motivated pen testers can be precisely, dynamically matched to the customer’s needs by CrowdMatch to deliver better results, with tests launching per your requirements in 72 hours or less.
• All pen testers can stay on track and know exactly what’s expected as they complete their methodology checklist.
• Bugcrowd Security Engineers can deliver a great customer experience by rapidly validating and triaging issues for most actionable results, and then adding contextual remediation advice, as they’re discovered.
• Testing can stay on track because customers always know exactly how well the test is progressing, rather than having zero visibility or chance to course-correct until the final report is delivered. Customers get rapid access to the final report through their dashboard, as well.

This new dashboard with 360-degree visibility into methodology-based pen tests will be enabled for all customers on the Bugcrowd Security Knowledge Platform in the next month or two, giving them even faster, better results than before.

To explore the business impact of Bugcrowd PTaaS, download this IDC research which documents nearly a 500% ROI for customers over three years. 

Enhanced Payment Notifications

Furthermore, the Bugcrowd Platform already offers best-in-class payments infrastructure to support flexible researcher payments and incentives for differing use cases. That now includes more granular notifications for payments-related events, such as when the bounty pool reaches a certain threshold or pool funds are moved across programs. 

Follow the Roadmap

The Bugcrowd Platform is growing and getting more productive and useful all the time. Stay tuned for news about more milestones as we reach them!

The post Investing in Customer Success: Announcing Faster, More Agile Penetration Testing and More appeared first on Bugcrowd.

Previously, we introduced some of the new features of the Bugcrowd Security Knowledge Platform API. As a complement to APIs, support for webhooks offers important benefits in areas such as: 

• Immediate business updates. Webhooks let applications receive information in a simple, efficient way as new data becomes available, without having them constantly poll Bugcrowd for changes. That makes webhooks a great option for use cases like notifications, messages, and alerts, especially when automation is a requirement, such as sending them on specific days or times.
• Specificity. Webhooks let you directly connect specific parts of an application instead of having to build a complete framework for the entire app. For example, you may want to create alerts about a very specific type of event, but you don’t want to have to write a lot of code for it. When the Bugcrowd event happens, that specific part of your custom application will be invoked.
• Self-service setup. Because Webhooks rely only on HTTP for transport, adding a webhook to an application is quick and pretty much effortless out of the box.

We’re happy to announce that you can now get those benefits with Bugcrowd by making applications react to events through a new Outgoing Webhooks integration. For example, you can set up custom security workflows to activate when Bugcrowd submissions are created, triaged, or receive comments.

The process is simple, just look for the new tile in Settings > Integrations:

Next, all that is needed is to specify a name, consumer URL, and desired triggering events (for example, when a submission is created).

And, you’re off!

Learn More

We hope you find this new type of extensibility useful. For more information about Bugcrowd APIs and webhooks, explore our docs.

The post Making Apps React to Platform Events Through Webhooks appeared first on Bugcrowd.

Our submission form was a little outdated. In an effort to improve your experience, we’ve removed two fields under Vulnerability Details: Trace Dump and Additional Information. 

Take a peek below at the improved Vulnerability Details portion of our submission form:

Wasn’t it annoying how you were previously limited by lame things like the size of the description field and character count? Especially when you have a complex bug to report. Consider that nuisance a thing of the past with the newly expanded description box with up to 25,000 – characters! This new hotness will allow for more detail and structure, so you can ensure an accurate submission. 

Our primary goal is to provide a top-tier platform experience and that includes continuously fine-tuning your submission process. That being said, enjoy this new feature update and keep an eye out for many more in 2022! To stay up to date, make sure you’re following us on Twitter and Discord.

The post Submissions With Bugcrowd appeared first on Bugcrowd.

At Bugcrowd, security researchers are at the heart of our organization. We take great pride in informing and involving you in all aspects of our process. That’s why we ask for feedback and love hearing the crowd return with awesome ideas like this. 

One of the most asked for features was researcher collaboration on programs. Working with your mates is great, but we also heard you when you expressed concern about privacy and spam via unwanted collaboration requests. We’re proud to say, we believe we delivered. 

The difference lies in the details 

Whoever said “two heads are better than one”, had the right idea. You can expect collaboration with your fellow researchers and friends to lead to increased creativity, increased innovation and a whole lotta opportunity to learn and improve your craft. Some of these bugs can be really tricky to nail down, but problem-solving with your collaboration crew will leave everyone feeling productive and successful. Everything from hunting to writing reports will become easier and more fun when you work as a group. So pool your knowledge together, bounce ideas off each other and build lasting relationships. After all, teamwork makes the dream work. 

5 steps to a quick and painless setup 

We promise you’ll be buzzing around with other researchers in no time. Follow these 5 easy steps to set-up and you’ll be ready to go:

Step1: Login 

Step 2: Click the “Account Settings” tab

Step 3: Follow that to the “Friends” tab

Step 4: Choose your own adventure! Take a moment to sort out whether you want “Anyone” to be able to add you on a public or private program, or if you only want your chosen friends to be able to add you. This will allow you to control the level of “spam” typically associated with features like this. 

Note: Blocked researchers will always be excluded to protect you from spam.

Step 5: Lastly, search programs. Find a program you want to collaborate on and navigate down to the “Add a Collaborator” button. Choose your mates, choose the split, and you’re all set! 

Stop, Collaborate and Listen

What do you call a collaboration on Twitch? Give up? Ok ok, we’ll tell you… Crossing the Streams   Jokes aside, there are a few interesting things you should know about this enhanced feature:

• It’s a unilateral relationship between you and other researchers, meaning that you both have to independently add each other. Think, less like Facebook friends and more like Twitter followers. 
• Once both parties have added each other, you can now add each other on submissions 
• Collaboration will not be enabled on VDPs. VDPs are a “see something, say something” kinda deal, so collaboration doesn’t really fit the bill. 
• To collaborate on a private program, both researchers have to be invited to that program AND both researchers have to add each other as collaborators. 

*2022 update*

You can now easily find programs that your friends (or potential friends) are working on and collaborate with them! This will give you the opportunity to reach out and join forces! There are two places you can spot your buds: on the program brief page and on the submission page.

We are so excited to roll out this fun, new feature for you. It’s no secret that we can all benefit from sharing knowledge and perspective. How else do we grow as people and professionals if not through our admired peers? We hope you enjoy working with your pals on the variety of challenging programs we have available. Our team loves to hear your thoughts and experiences, so don’t be shy! Share your experiences on Twitter or write to us directly. Happy hunting!

The post Platform Collaboration in 5 Easy Steps appeared first on Bugcrowd.