Let’s learn more about our brave winners  – none other than the crew that likes to go by the name ‘Tess’s Squad’! Tess is a 2022 MVP and loves space, including all things astronomy. Anhnt1337 is a part-time hunter and 2022 MVP focusing on server side bugs and sensitive data leaks with 201 P1’s. HackerX007 is a P1 hunter, 2022 MVP, and P1 Level 7 Warrior with 173 P1’s, but he always makes time for family as he believes they are the key to his success. OrwaGodfather is a P1 Level 7 Warrior and LevelUpX 2022 Champion who loves to hunt for information disclosure and server side P1 bugs. Last, but certainly not least, Todayisnew, a true collaborator with over 35 years of experience automating code, Bugcrowd Bug Bash winner with a goal to hack a happier life and leave the internet more secure.

First things first, you did it! How does it feel winning first place after all your hard work?

Todayisnew – “Great to see the hard work of all my team mates be highlighted.”

Anhnt1337 – “I feel very happy and proud to be part of the team. The team’s efforts have paid off.”

Tess – “It feels amazing, when you prove you did best from the rest.”

‘The best from the rest’ – we’re saving that one!

Looking back, what made you want to put a team together and participate?

Anhnt1337 – “One morning when I woke up, I received a message from Tess that he wanted to invite me to join the team for the Hacker Cup event. Everyone on the team is someone I greatly admire and love for their achievements and contributions to the bug bounty community. I think Tess chose me in part because he saw that in me.”

Tess – “I learn a lot from @OrwaGodfather & @Todayisnew personally so I always wanted to put these two in a team with me and work together on something. Due to the Team Hunt event it was possible to do something like this. @Hackerx007 and @Anhnt1337 were Orwa’s good friends and now because of this event we have developed a good friendship as well.”

Before there was Tess’s Squad, you were just a talented group of hackers. Where did the name Tess’s Squad come from?

Tess – “It was spontaneous that I named it Squad, so I was like what Squad? Since I assembled everyone I named it TESS’s Squad haha.”

OrwaGodfather – “Tess asked me if it’s ok to drop this name as the team name. I said ok, in the end I’m the team captain ”

We’re curious about how you all got started. What inspired you to become a hacker?

HackerX007 – “I have had a passion in computers, programs, and hacking stuff since I was 14 years old. It just kept growing over the years.”

Todayisnew – “Interest to learn and explore, and necessity to support my family financially. :)”

OrwaGodfather – “To tell myself and tell the world that nothing is impossible, and you can do something, you are protecting thousands of users indirectly.”

Anhnt1337 – “It came out of curiosity and wanting to break things.”  

We see a common theme here – passion, curiosity, and protecting users across the globe!

Despite the abundance of talent each player brings individually, what is the best part about working on a team?

Todayisnew – “Celebrating the successes, and supporting each other during the challenges. :)”

Anhnt1337 – “Learning, sharing and collaborating when finding something interesting. Giving tactics to compete with other teams, and finally celebrating.” –

Tess – “Creativity and able to learn from each others work is the best thing about working in a team.”

OrwaGodfather – “Everything is great. Starting with the team, we all agree on a specific program who does the recon, another one who tests, and another one who reports. The most important thing is that I did a great job in this event and this is important to earn the respect of this great team.” 

Uh-oh! Looks like you used up all of your subs. What obstacles did you have to overcome?

Todayisnew – “All our p5 bugs were not rewarded and triaged as p1’s We overcame with sending in more reports :)”

Anhnt1337 – “The problem is that everyone has a different time zone. My time zone is the opposite of everyone else’s. So it’s quite difficult to discuss and hunt bugs together. We often had to stay up late.”

OrwaGodfather – “That everyone has a different time zone, so we couldn’t hunt in the same time together. We started leave notes for who was not hunting.”

What did your day typically look like during this event?

Todayisnew – “Check in and wish each other well, share and collaborate and possible bugs.”

Tess – “Mostly P1 severity issues since that’s where the most points were at.”

Hackerx007 – “I woke up and I found that my team during (my night) was working and I found their notes, targets or things that need fuzzing. I started working on these things until I found something that needed recon and leave it as a note for another team member and so on.” 

With different timezones and busy schedules, how did you take care of yourselves during this event?

Anhnt1337 – “The duration of the event was quite long so I did not have any health problems. Outside of hacking, I work for the company and spend most of my time with my family.”

Tess – “When I am not hacking, I usually go workout and come back with a fresh brain of new ideas.”

OrwaGodfather – “Just by saying, ‘no matter how many points we have, it’s not enough.” 

Determination, taking breaks, and some good ole’ movement? Recipe for success.

Even though you were all hacking from different areas of the world, you still had to hack together. How did you all coordinate efforts?

Todayisnew – “Discord for the win :)”

Anhnt1337 – “Eric and Tess have strengths in automatic scanning and scale attack with their recon data. Owra and Hackerx007 are an awesome duo with strengths in recon and fuzzing hidden assets. I focus on server-side issues and 3rd party bugs. We combine each other’s strengths to effectively hunt the most bugs.”

Hackerx007 – “Each one of us is good at something, so we collaborated to make the team win.”

We saw a lot of submissions, many being excellent. What was your most impactful bug?

Hackerx007 – “It was a direct RCE”

Tess – “Lots of RCE haha”

Anhnt1337 – “It always is Remote Code Execution and Sensitive data leakage”

Todayisnew – “Friendship”

Winning takes strategy (and lots of pizza). What was Tess’s Squad’s secret strategy going into a collaboration challenge?

Todayisnew- “Work together, do our best, can’t control the outcome and take care of mental, physical health and each other :)”

Anhnt1337 – “We focus on bugs that can be automated and mass scanning, look for programs in a wide range of scopes, and hunt together.”

Tess – “Just look for high severity issues and get as much as recon we can gather.”

Orwagodfather – “Whatever I find, I add everyone in equal points because in the end I collect friends, not money.”

The event is over, swag is heading your way and you have extra cash. But, if you could change anything about the way your team did things, would you?

Anhnt1337 – “I think it’s online communication. It’s always hard to work in different places, different time zones, and hard to share.”

Todayisnew – “Maybe a video call earlier to have real-time planning and Communication earlier   “

Communication is key.

You might be asked to sign some autographs now that you’re at the top. Do you have any tips for those that want to start collaborating?

Tess – “Building trust is very Important to collaborate with anyone. The people I work with are the ones I trust them and I never have second thoughts about anything which makes it very easy for me to work with them.”

OrwaGodfather – “When you collab and hunt try to share everything and try not to hide anything”

Todayisnew – “Build trust with some initial smaller collaborations, see if it’s a good fit, in any new relationship communication and clarity of expectations is so important :)”

We have a feeling there’s plenty to learn when it comes to team challenges. What did you learn from your team members?

Anhnt1337 – “I learned a lot from my team. From Eric and Tess’s way of hunting think out of the box as well as Orwa and Hackerx007’s never-ending efforts. They are truly amazing people both in terms of hacking skills, spirit and ethics. Well worth studying and admiring.”

Todayisnew – “Empathy for life challenges, and more trust in others after such a positive experience :)”

Besides the biggest pizza party ever, do you have any plans for your winnings?

Todayisnew – “Pizza party and into savings”

Anhnt1337 – “This is an online competition and we are from different countries. So it’s hard to celebrate together. We congratulate each other on twitter. The prize of the contest is enough for me to eat pizza for days :P” 

Hackerx007 – “Focusing on p1s”

Would you like to participate in future hacking events?

Todayisnew – “Always great to connect and learn from others so yes of course :)”

Anhnt1337 – “Sure. Meet and make friends with people in the reputable bug bounty community and many years of experience is always something I look forward to. Build your relationship and they get better and together add value. Tess’Squad was the first team I had success together in a hacking event. Thank you all for giving me the opportunity to do this.”

Tess – “Yes, I would love to :)”

OrwaGodfather – “Yes yes yes for sure yes” 

Hackerx007 – “This was my first hacking event. I learned a lot and I won. Now I’m so optimistic about winning other events, so my answer is yes I absolutely would.” 

Don’t miss out on any future events! Stay caught up by following us on Twitter and Instagram and don’t forget to join us on Discord and the Forum! Sign up for a researcher account today and start your hacking journey!

The post The Inside Scoop from the 2022 Hacker Cup Winners appeared first on Bugcrowd.

If your team chooses to accept this challenge, fill out the Team Application. Act fast! There are only 30 spots available. Selection for Hacker Cup teams will be based on the aggregate totals of all-time rewards on the Bugcrowd platform of participating members. 

How does the Hacker Cup work? 

This year we’re going bigger, we’re talking global: 

• Assemble a team of 2-5 players
• Hack with your pals, gain bonus points and make $$
• Expedited triage for team submissions on Hacker Cup programs
• Earn the bragging rights of making BC’s Top 8 Teams in 2022
• Compete against other teams for a grand prize of $10K and exclusive swag

Important dates

• Application deadline: December 5th, 2022 5:00PM Pacific Time
• Selected teams will be messaged: December 6th 12pm Pacific Time
• First Challenge Round: December 6th, 2022 – December 23rd, 2022
• Top 8 will be announced: January 5th 2023
• Final Challenge Round: January 5th, 2023 – January 20, 2023 

There are 2 challenge rounds where participating teams will face potential elimination from the Cup based on challenge points earned during the first round. From there, 8 teams will make it to the second challenge round, where teams will continue their Hunt towards $10k. Keep in mind, teams with the highest number of points based on their unique, non-duplicate submissions will move on to the next round.

How do points work?

Challenge points:

• P1 unresolved/resolved non-duplicate valid submissions get 60 points along with the standard 40 points 
  • Total point value for a unique P1 submission: 100
• P2 unresolved/resolved non-duplicate valid submissions get 30 points along with the standard 20 points 
  • Total point value for a unique P2 submission: 50
• P3 unresolved/resolved non-duplicate valid submissions get 15 points along with the standard 10 points
  • Total point value for a unique P3 submission: 25

Important details

Teams that move on to the final challenge round will be informed individually and announced via Twitter. Eliminated teams will not go home empty-handed! 

• Teams that are eliminated in the first challenge round will get 5 private program invites per person on each team
• Teams that are eliminated in the first challenge round will also get swag
• Private invites will be provided to researchers within 4-8 weeks after the challenge

Please note:

• Researchers can only participate as part of 1 team for the duration of this challenge 
• Teams must be composed of 2-5 researchers per team
• No swaps will be allowed this year, unless there are extreme circumstances 
• For the duration of the #HackerCup2022, there will be expedited triage for team submissions

Are you ready to score big?

Assemble your team! You have until Dec 5, 2022 5:00PM Pacific Time to submit your TEAM APPLICATION. Best of luck! 

We’re excited for you to join the 2022 #BCTeamHunt! And hey, don’t forget to stay current on Hacker Cup updates, special announcements, and all things Bugcrowd through our Twitter, Instagram, and Discord.

The post Hacker Cup 2022; Bugcrowd Team Hunt appeared first on Bugcrowd.

Whether you joined us at Black Hat, the Bug Bashes or DefCon, there were plenty of ways for you to make a mark and meet some seriously awesome people.

Bugcrowd founder, Casey Ellis, was meetin’ and greetin’ all week long. Every single one of you made a huge impression on him.

Hackers hard at work securing some of the biggest organizations around. Plus, making some pretty great friendships in the process.

Our first winner of the Vegas Bug Bash 2022, nagli! The leaderboard was buzzing, but he pulled out on top and secured the victory.

” Indeed’s BugBash was a really great experience. The team on-site presence, BugCrowd triage and the hospitality were top-notch and I’m thankful that I was part of it.” – nagli

Congrats!

We had a blast interviewing hackers like bysop, tess, InsiderPhd and more!

Plus some really hot takes on the future of cybersecurity, entrepreneurship, the history of bug bashes and so much more!

Sam, Indeed’s Bug Bounty Engineer said, “The Bug Bash was a useful and fun addition to the public bounty we already run through Bugcrowd. The ability to have one on one conversations with the researchers is what makes these events unique. Direct feedback on your scope is invaluable!”

Raise your hand if you stopped by the Bugcrowd booth at Black Hat! Not only did we have tons of awesome swag to hand out, but we got to meet so many curious individuals during our theater presentations. Bugcrowders and hackers were featured in several winning conversations and got to answer all your questions.

Ummm, can you leave some “cool” for the rest of us?

From our team to you, thank you so much for joining us at our Vegas Bug Bash 2022, Black Hat and DefCon. In whatever capacity you engaged, we couldn’t have done this without you. Here’s to the new friendships we made! Oh, and Vegas….look out for us in 2023!

The post The Vegas Bug Bash 2022 Recap! appeared first on Bugcrowd.

Level Up LevelUp!

Rather than focusing on launching new educational content once or twice a year, LevelUpX will showcase new content every other week – and often more frequently. This content will take a number of shapes and forms; there will be short- and long-form talks, in-depth blogs on hunting tips, methodologies, reporting guidelines & templates, and more. We are hoping that more frequent content – and content of a wider variety – will get you inspired to keep trying new techniques when you’re hunting. 

You can catch our very first LevelUpX talk, presented by researcher B3nac, on Salesforce Object Recon, on May 20th on our YouTube channel. The video will go live at 9 AM PST / 4 PM UTC. All LevelUp resources, past and present, can be found in the Bugcrowd University resource center on our website. 

Want to get involved?

We’re always looking for researchers and hackers like you who have tips, tricks, and skills that you want to share with the community! If you have any questions, or would like to participate with LevelUpX, please reach out to researcher.marketing@bugcrowd.com

Good luck, happy hunting, and don’t forget to follow us on Twitter!

The post Introducing LevelUpX – Resources for the Community by the Community appeared first on Bugcrowd.

Click here for the LevelUp CFP Submission Form

[vcex_divider color=”#dddddd” width=”100%” height=”1px” margin_top=”20″ margin_bottom=”20″]

When is the next LevelUp?

We are currently in the planning stages of our next major event! Stay tuned to the Bugcrowd blog or our twitter for the official announcement (Coming Soon!)

Wait, what IS LevelUp?

LevelUp is a virtual event series featuring high-quality, technical presentations by members of the hacker and infosec community. It is a free online, virtual infosec conference and video series, featuring leaders in security sharing new/novel testing techniques, best practices, strategies, and research to help their fellow hunters and researchers develop new skills!

What you can expect from our LevelUp event series

• Amazing talks covering a variety of infosec topics
• Good Jokes
• A community of researchers looking to network
• CTF Challenges
• Bad Jokes

Nice! What can I talk about?

We’re looking for a range of content; from deep-diving technical talks to presentations on professional and personal development. Presentation length should range from 20 to 50 minutes. Head over to our submission form if you have something you’d like to present to the Crowd!  

Here is a general list of themes we’ve showcased at previous LevelUp events. 

• New and noteworthy attacks to take bug hunting to the next level (what should people be looking for, that they’re not looking for now)
• API & Mobile (how-to; tooling; getting started; getting better)
• Recon techniques (how to find more, better, faster)
• Hardware Hacking  (how-to; tooling; getting started; getting better)
• Testing methodologies (ways to make testing more efficient/effective)
• Soft career developing skills: professionalism, mental health, and techniques for how to build your career through bug bounties

[vcex_divider color=”#dddddd” width=”100%” height=”1px” margin_top=”20″ margin_bottom=”20″]

Good luck, happy hunting, and looking forward to reading all the incredible submissions! If you have any questions about this LevelUp CFP, please reach out to support@bugcrowd.com and we will be happy to help!

The post The LevelUp CFP is open! Calling all Speakers! appeared first on Bugcrowd.

Bugcrowd is excited to announce a special Program Challenge for the month of October to celebrate Cybersecurity Awareness. We will be running a set of challenges that get progressively more difficult each week. You can choose to complete one challenge or all four!

Researchers who submit qualifying reports have the chance to earn a unique Bugcrowd swag item. Swag will be awarded in the order the submissions are received. We will be evaluating the winners at the end of October and will feature the challenge champions in a blog post in mid-November. Each week will be evaluated independently for the swag so be sure to get your submissions in early! 

What are the Challenges?

Additional Challenge Details:

• For this challenge, only paid, non-duplicate submissions qualify.
• Qualifying submissions will be awarded in order for each challenges’ timeframe, by the date and time the submission was received.
• Winners will be notified in November and can opt-in to be highlighted in the blog announcement.  
• Rewards will be shipped after the blog announcement in November.
• Rewards are non-transferable.

[vcex_divider color=”#dddddd” width=”100%” height=”1px” margin_top=”20″ margin_bottom=”20″]

Want to participate but not part of the Crowd? What are you waiting for!
Sign up for a Researcher account

If you have any questions, please reach out to support@bugcrowd.com

Happy Hunting!

The post Bugcrowd’s October Challenge Month! appeared first on Bugcrowd.

This virtual event exists for the benefit of the community-at-large and would not be possible without the support and participation of you all. We had so much fun putting together our twitter puzzles and swag challenges. In addition to the great talks, we hope you enjoyed the CTF Challenge to defeat The Matriarch and the Secure Code Warrior Tournament to test your defensive security skills. We loved seeing the incredible submissions and enjoyed surprising our crowd with a few extra prizes for their fantastic work. 

Ultimately, this event could not be possible without the amazingly talented speakers who took personal time to help us put on this community-driven event. Their infosec knowledge and personal experiences provided fantastic insight and incredible resources to the Crowd! 

Did you miss a talk? You can watch them on our Youtube channel! 

[vcex_divider color=”#dddddd” width=”100%” height=”1px” margin_top=”20″ margin_bottom=”20″]

Thank you to our Speakers! 

Keynote: Understanding OWASP’s Amass
Jeff Foley (caffix/ @jeff_foley)

Intro to AI for Bug Bounty Hunters
Katie Paxton-Fear (@InsiderPhD)  

InsecurityThrough Obscurity
Matt Byrdwell (@TheRealNerdwell) 

Offensive Recon for Bug Bounty Hunters
Harsh Bothra (@harshbothra_) 

How to Do Chrome Extension Code Reviews
Breanne Boland (@breanneboland)

Zero to hero – How to crush bounties in your first 12 months
Luke Stephens (@hakluke)

Hardware Hacking for the Masses (and you!) v2
@BusesCanFly 

LevelUp0x07 CTF: 7 Flags Exploration 
@WizardSecLabs 

Women in Security and Privacy (WISP) Roundtable
@n0tkat, @breanneboland, @farah_hawa01, @InsiderPhD, @them8triarch 

It’s not a vulnerability, it’s a feature
Bryson Bort (@brysonbort) and Jorge Orchilles (@jorgeorchilles) from @scythe_io

Thank you to our hosts!

Michael Skelton (@Codingo_)

Casey Ellis (@caseyjohnellis)

James McLean (@vortexau)

Luke Stephens (@hakluke)

Sajeeb Lohani (@sml555_)

Jay Turla (@shipcod3)

[vcex_divider color=”#dddddd” width=”100%” height=”1px” margin_top=”20″ margin_bottom=”20″]

Sadly, two of our speakers were unable to attend LevelUp0x07 due to personal circumstances. We’d like to thank them for their time and wish them well. You can look forward to LevelUp breakout sessions with them, coming soon! 

The Bug Hunter’s Methodology v4 / Application Analysis
Jason Haddix (@Jhaddix)  

to err is human: proven researcher strategies for navigating uncertain waters
John Menerick (@projeknexus):  

[vcex_divider color=”#dddddd” width=”100%” height=”1px” margin_top=”20″ margin_bottom=”20″]

Stay tuned for more announcements, LevelUp0x08 will be here sooner than you think.

Want to continue the conversation from LevelUp0x07?
Sign-up for our Discord and get to it!

The post Mission Complete: LevelUp0x07! appeared first on Bugcrowd.

LevelUp0x07 Tournament Sign-Up: http://bgcd.co/SCW-Tournament

We’ve partnered with Secure Code Warrior to bring you a Defensive Security based tournament from a developer position. The tournament allows you to compete against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability. This is a great opportunity to Improve your secure coding skills! 

All challenges are based on the OWASP Top 10, and players can choose to compete in a range of software languages including Java EE, Java Spring, C# MVC, C# WebForms, Go, Ruby on Rails, Python Django & Flask, Scala Play, Node.JS, React, and both iOS and Android development languages.

LevelUp CTF Challenge:

Haven’t worked out our CTF yet? You still have time! Our LevelUp0x07: CTF Challenge has 7 flags to find and will run until Sunday night, August 22nd 11:59PM PDT

Don’t forget to tune into our LevelUp0x07 Virtual Conference this upcoming weekend! 

Day 1 starts at 6:00PM PDT on August 22nd
Day 2 starts at 5:00PM PDT on August 23rd 

For the full speaker list and times, check out our LevelUp0x07 event page!

The post Are you a Secure Code Warrior? appeared first on Bugcrowd.

To prepare you for LevelUp0x07: Hack Another Day next week on August 22nd at 6pm PST, we’ve created a brand new Capture the Flag challenge with some very special rewards. 

This CTF is a web and mobile-based challenge in which players are encouraged to test their security skills and collect all 7 flags. Each flag varies in difficulty with the first flag being the easiest, and the last being the hardest.

Our challenge is based on real web and mobile applications and includes sensitive data exposure, authentication bypass, Javascript, and Android-based challenges. 

The challenge starts on August 16 and runs through August 22nd at 11:59 PM PST. Click here to check out our rewards and submit your flags to the program!

This challenge would not have been possible without the incredible work of Maxim G! Check out his Bugcrowd Spotlight to find out more about his work with Bugcrowd and the InfoSec Community. We love you Max!

You can also join our Discord and Twitter for more updates.

Good Luck Agents!

Mission Briefing: 

We’ve received reports of a worldwide cyberattack using a new form of ransomware known as WannaSpy. This worm has been designed to target hospital data and aims to delete all information related to COVID 19 worldwide in the next week. As such, the President has assigned this mission to H.A.C.K. (Heroic Agents Clacking Keyboards).

We need you to bypass their authentication and bring down their operation.

Good luck Agent.

Sincerely,

Spymaster 

The post Calling all Agents: Join our LevelUp0x07 CTF Challenge! appeared first on Bugcrowd.

What can you expect from LevelUp0x07? 

• Amazing talks covering a variety of infosec topics
• Good Spy Jokes
• A community of researchers looking to network
• CTF Challenges
• Bad Spy Jokes

Check out the LevelUp0x07 Mission Details and register for the event to keep up to date with emerging developments! And, while you’re at it, don’t forget to sign up for our LevelUp Channel in Discord.

Interested in Speaking?

We are now accepting abstracts from both individuals and groups through July 29th at 11:59pm PST. We’re looking for a range of content; from deep-diving technical talks to presentations on professional and personal development. Presentation length should range from 20 to 50 minutes. Head over to our submission form if you have something you’d like to present to the Crowd! :: Submission Form

See the list below for examples of particularly areas for this LevelUp:

• New and noteworthy attacks to take bug hunting to the next level (what should people be looking for, that they’re not looking for now)
• API & Mobile (how-to; tooling; getting started; getting better)
• Recon techniques (how to find more, better, faster)
• Hardware Hacking  (how-to; tooling; getting started; getting better)
• Testing methodologies (ways to make testing more efficient/effective)
• Soft career developing skills: professionalism, mental health, and techniques for how to build your career through bug bounties

Please note: talks that touch on the above focus areas will be prioritized, but we’re open to any/all novel or compelling presentations!

Why LevelUp?

Our LevelUp conferences have been, and will always be, a free, community-driven resource hosted by Bugcrowd. These virtual events provide in-depth talks on niche skills and techniques as well as methodology and hunting styles. Our goal with LevelUp is to provide education, exposure, and uplift across the global security community for researchers of all experience levels. In this New Normal, virtual events are no longer a spectator sport and we encourage all attendees to join our Discord and actively participate in driving the conversation and discussions.  

Check out our playlist from LevelUp0x06 to see what our last event was like!

Good luck, happy hunting, and looking forward to reading all the incredible submissions! If you have any questions, please reach out to researcher.marketing@bugcrowd.com and we will be happy to help!

The post Your Mission, If You Choose to Accept It: LevelUp0x07 appeared first on Bugcrowd.