A bug bounty is a reward provided by a company to someone who reports a bug in their software product. Rewards can range from $100 to thousands of dollars depending on the severity of the vulnerability. Learn more at the bug bounty resource page.
To give our customers a low-risk, low-cost Bug Bounty trial, Bugcrowd created our unique Flex Bounty Program. Flex is a fixed-cost two-week engagement that introduces you to all the benefits of crowdsourcing. A flex bounty program is perfect for testing pre-release code, new features, or for compliance as a quarterly pen-test.
A vulnerability disclosure program is the first step in crowdsourcing your security testing. It's essentially a bug bounty program without the cash rewards, which provides researchers a safe way to report vulnerabilities they find in your app.
Traditionally, larger companies such as Google and Facebook have had the resources to run bug bounties, but Bugcrowd is working to help any company leverage the power of crowdsecurity. We have a crowdsourced community of security researchers that can test any startup’s application that is built with code. To see who else is running bounty and disclosure programs, you can view Bugcrowd's List, which we keep updated as a resource for security researchers.
A Private Bounty allows only a specific subset of Bugcrowd researchers to participate in testing your app. This allows you to utilize only the top 100 researchers, or specific skills or countries that you feel are useful. You may also request security researchers by individual invitation. Allowing your app to be tested by all Bugcrowd researchers will give you the best overall coverage, but we are happy to help cater to your security testing requirements.
As researchers submit vulnerabilities into public programs, Bugcrowd reviews these researchers more deeply. Our points system also allows us to assess their skillsets and levels of trust. Only researchers that have proven their abilities via public programs get invited into private programs. Researchers from around the world may participate, except for researchers from countries the U.S. has issued export sanctions or other trade restrictions against (e.g., North Korea, Iran).
People attack applications whether they are invited or not. The issue is whether they are incentivized to exploit the issue or do good by reporting it. Bugcrowd is the most comprehensive and cost-effective approach to making sure as many of these bugs are discovered as possible for the budget allocated to the task.
Crowdcontrol is Bugcrowd's vulnerability disclosure platform. It provides Bugcrowd Security Researchers a secure platform to submit vulnerabilities to your team and allows you to incentivize our researchers through Bugcrowd points or monetary rewards. It also integrates with your backend issue tracking system to make resolving vulnerabilities as painless as possible.
Yes. There are no trials or intro periods when using the self-managed Crowdcontrol plan and point reward system. We provide a premium service where we handle the entire validation process for you at an additional price.
All Bugcrowd researchers must adhere to the Bugcrowd Standard Disclosure Terms. In addition, each company details the scope and rules that are specific to that program. If a researcher reports a vulnerability that is out of scope, they will not be rewarded. We then alert the researcher so they understand not to test out of scope again. Incentivizing researchers to do good with cash prizes or rewards mitigates wrongdoing.
The risk of this happening in a Bugcrowd bounty is actually less than it is with a traditional consulting approach:
In every bounty we've run so far, each of the bugs has been found and reported by more than one researcher. The researchers know this, and that if they elect not to disclose a bug they will likely lose the opportunity to collect the reward. On top of this, the bug will get fixed anyway, meaning it's no longer of any use to them.
We can run our Traffic Control system which routes the testing traffic through a proxy. This gives accountability to the researchers and gives us the ability to control the traffic.
All of your vulnerability data is encrypted before being stored in our database. Only your authenticated team members are able to see your data. Additionally, we never email vulnerability data to you. Security is a top priority for Bugcrowd and we actively run a paid bug bounty against ourselves.
Bugcrowd's physical infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
SOC 1/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
Bugcrowd utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
Welcome to Bugcrowd, and thank you for your interest in joining our community!
Since you're new to Bugcrowd we'd like to walk you through a quick checklist of four things to do as you're getting started with us.
1. Create a Bugcrowd Researcher account
Before you can report bugs and be rewarded for your findings, you need to create a Bugcrowd account. Your Bugcrowd account also comes with a profile which can be made public (or private), enabling you to show off your skills and accomplishments to security peers and industry professionals.
2. Pick a bug bounty (or several!)
Bugcrowd has many public Bug Bounties that you can hack on and find security vulnerabilities in, with many of them paying out cash as rewards. Each bounty page has all of the details you need to start testing, including a list of targets and the finding types that are in-scope and out of scope (or excluded) from the bounty, and many programs list the rewards that they pay out.
Once you've found a security vulnerability in a bounty program, click the "Report Bug" button on the bounty program page.
After you've reported a bug you will receive a response from Bugcrowd or the customer that is managing the bounty program. If you don't receive a response within several days, please email us at email@example.com and we will help you out.
5. Fill out your profile
Make sure to fill out your profile information to tell the community a bit more about yourself. Many people use this page to show off their skills, as well as link to their personal websites and Twitter accounts.
6. Say hello
The Bugcrowd community team is here to make sure your bounty hunting experience is an awesome one. Whether you need help, have ideas or just want to say hello, we'll get back to you as soon as we can.
Valid and accepted bugs submitted to a paid bounty program will result in a payment to your account. After your bug is accepted by the program owner, your reward will be paid out the following Friday. Bugcrowd currently supports payments via PayPal and Payoneer.
Researcher payouts are distributed every Friday and will be paid out via PayPal. Please make sure to add your PayPal account's email address to your Bugcrowd researcher account settings.
If you would like to receive your payouts via Payoneer, please email firstname.lastname@example.org with "Payoneer" in the subject line.
Bug submissions that affect singular users, require interaction or significant prerequisites to trigger, non-exploitable weaknesses and "won't fix" vulnerabilities all will receive a low priority rating.
Sometimes there can be delays in the confirmation of bug submissions. Bugcrowd works hard with our customers to speed up the confirmation process. Response time can vary; typically, programs that are Bugcrowd Managed (signified by a Bugcrowd "b" logo on the 'Report Bug' button) have a faster response time.
If you have submitted a bug to a Bugcrowd Managed program and have been waiting for more than two weeks for your bug confirmation, please send an email to email@example.com and make sure to include your Bug Reference ID in your email.
The Bugcrowd Researcher Leaderboard is updated at the beginning of every month. A researcher's rank on the leaderboard is based on their total number of kudos points earned over all-time and over the previous month.
All researchers must adhere to the responsible disclosure guidelines that are outlined in the bounty program's details and rules sections. Bugcrowd's Disclosure policies apply to all submissions made through the Bugcrowd platform, including Duplicates, Out of Scope, and Not Applicable submissions. Customers may select Nondisclosure, Coordinated Disclosure, or Custom Disclosure policies to be applied to their program brief. Please refer to https://researcherdocs.bugcrowd.com/docs/disclosure for details on the different Public Disclosure Policies at Bugcrowd.
Improper disclosure can result in the researcher being removed from a program and can even result in removal from the Bugcrowd platform.
If you have any questions about a program's disclosure policy or process, please email firstname.lastname@example.org and we will be happy to assist you.
You can view a program's average response time on the program page's top-right panel. This information can only be viewed when logged-in as a Bugcrowd researcher.
Response time can vary by program; programs that are managed by Bugcrowd typically have a faster response time. Bugcrowd managed programs will have a small Bugcrowd "B" logo on the 'Report Bug' button for the program.
Acceptance Rate is best explained as a comparison of valid to invalid reports. For those that are interested in the details:
Let X = The count of all your valid and duplicate submissions, including P5 won’t-fix
Let Y = The total count of all your submissions, excluding any that are marked ‘not applicable’, have not yet been reviewed, or have only been triaged but not confirmed.
Acceptance Rate = (X / Y) * 100
It’s a simple ratio of all of your accepted submissions to date, versus all submissions you’ve ever made. We exclude ‘not applicable’ submissions, which are those that have been marked by us or a customer as having been made in genuine and well-intentioned error. (And obviously we don’t include submissions that haven’t been finalized yet!)
Private programs are invitation-only, meaning that researchers can only receive access if they are directly invited by Bugcrowd's Researcher Operations team. Invites are distributed based on several criteria, including the researcher's ability to report high quality, high impact vulnerabilities to customers and the researcher's recent activity on the platform.
It's important to note that we invite both new researchers and long-time researchers to private programs, so make sure to always strive for a high level of quality and priority for your bug submissions.
At Bugcrowd, we're working to make sure quality of reports stays high.
Here are some quick suggestions that can help improve many submissions, resulting in higher payouts and acceptance rates:
Capitalization and clear explanations. We can't stress how important it is to write out clear descriptions of issues. If you don't spend the time on your submission, it's unlikely the program owner will spend time on reading it.
Well documented and clear attack scenarios. Attack scenarios tell the program owner why they should care. For example, you can say something like:
"This vulnerability affects all users of your forum. When a user signs up, and enters a username of XYZ@Customer.com and a password of XYZ@Customer.com, then his username is accepted. An attacker could use this vulnerability in conjunction with a username enumeration issue to bruteforce forum usernames and passwords."
Many researchers have different strategies to avoid "duplicates", aka bugs that have been reported previously by researchers. Since bounty programs only reward unique vulnerabilities that haven't been reported by others previously, it's important to try to report bugs that haven't been submitted by others.
Over time you will likely create your own strategy to avoid duplicates. Oftentimes this includes finding a niche of vulnerability types that you're especially good at finding, going after bug bounty programs that have just recently launched, and avoiding common bugs that will have been found by others.
A valid bug is a security vulnerability that is in-scope for the bounty program and can be reproduced and tested by the program owner. Always make sure that you've found a bug on a target that is in-scope for the bounty program and that the bug is a vulnerability type that the program owner has listed as in-scope.
Duplicate bugs are vulnerabilities that have been reported previously by researchers. Since bounty programs only reward unique vulnerabilities that haven't been reported by others previously, it's important to try to report bugs that haven't been submitted by others.
For all Bugcrowd managed programs we have a contract with the customer. This contract details that we have permission to manage the program and hence view data on submissions. Managed programs are usually preferred by Bugcrowd clients as they offer the opportunity to extend their limited security resources. These managed services come in two types: Triage and Validation. In Triage, Bugcrowd engineers and technology de-duplicate findings, remove out-of-scope findings, and assign estimated priority levels to each bug. On a Validation program, we do the same but actually reproduce submissions and provide extra services based around that.
As an active Bugcrowd researcher on the platform, you have access to a [username]@bugcrowdninja.com email alias that forwards to your account's primary email address. This email can be used to sign up for testing accounts, and in some cases is required for testing.
The email alias is automatically generated when you first sign into the platform, and is re-synced whenever you sign in. Because we use a third-party service to facilitate these aliases, you may need to wait up to 10 minutes after sign-in at bugcrowd.com to obtain access. If you haven't signed in after 30 days, the alias is automatically destroyed.
In the past, the 'bugcrowd.ninja' domain was used for this purpose. This domain has been deprecated, and existing email aliases will be phased out in 2015.
If you have any issues receiving email, please send a message to email@example.com or use the in-app messenger.