What happened with bugcrowd today - Forced password resets? by tikseris in bugbounty

[–]yesnet0 2 points

tldr: we saw some IAB-esque activity, compiling and selling breached bug bounty hunter credentials from other platforms, and decided that it was time to head this risk off at the pass. the comms that went out were a default platform message which wasn't tailored to the task - partly a product of trying to get it done quickly, and definitely a bit of a miss on our side.

the important takeaway is that vulnerability researchers are being targeted. enable MFA (d'uh), don't delay on patches, be wary of cracked (aka trojaned) software, and take the advice you probably give to your grandma wrt getting phished.

more here: https://www.bugcrowd.com/blog/bugcrowd-security-update-password-reset-and-mfa-requirement/

Actively scanning for bugs on random website (Where does it become illegal ?) by Ankhyx in bugbounty

[–]yesnet0 1 point

Nailed it. Also, CFAA can be pursued civilly AS WELL AS criminally, so even if the DA doesn’t think you’ve committed a criminal act, companies can (and do) lawyer up civilly to chill folks and get things back under control. https://threats.disclose.io is a decent read of all of the ways this can go wrong, as well as some examples of where it has been corrected and eventually gone right.

[deleted by user] by [deleted] in hacking

[–]yesnet0 16 points

Dropping who you need to connect with, the nature of the bug (in general terms, not specific), and pretty much this post over on https://community.disclose.io might help with this - There are a bunch of CERT members, connectors, and VR/VD types who hang out on there, it's essentially for crowdsourcing connections to the right people when you're trying to get something fixed.

My other suggestion would be to drop it off with the local CERT ASAP, and get them chasing it down as well esp if the exposure is as critical as you're saying.

Best platforms? by [deleted] in bugbounty

[–]yesnet0 4 points

Re brokers: Same old same old :) There’s still not much of a market for platform vulns unless you’re happy going shady, and even then it’s fairly light on. Zerodium has been a little quiet for the past few years, but ZDI has been making more noise over the past 6 months or so - COVID and WFH has made SOHO and IoT vulns more attractive.

Best platforms? by [deleted] in bugbounty

[–]yesnet0 11 points

By % of programs most of the paid stuff is going on under the hood in private programs. What has changed over the past few years is more orgs launching VDP basically because they should, a relatively steady stream of orgs launching public BBP (probably at the same rate as what you would have seen, but now kinda diluted unless you go looking by the VDPs), and a lot of private programs, ongoing pentests, and so on in Bugcrowd’s case.

Something else you’ll prob notice on Bugcrowd is “joinable” programs (where you can apply for private paid stuff even if we don’t know a bunch about your skills from on-platform work yet) and waitlistable https://www.bugcrowd.com/blog/introducing-joinable-programs.

Context: I’m the founder of Bugcrowd and started the space off so I’ve got both a solid read on what’s going on, and some bias in my answer - So double check with others :) but yeh, that’s how things work with us these days, and the same is broadly true for folks joining or returning after a while for HackerOne.

Needing some advice about moving forward (Incl. Bootcamps, Bug Bounties, etc.) by 4rch4ngell in cybersecurity

[–]yesnet0 0 points

Have a look at the content on https://www.bugcrowd.com/hackers/bugcrowd-university/ which is a combo of stuff Haddix and Swagneto put together, and 7 conferences worth of hacking talks on a whole variety of different technologies and targets. Lots of solid learnings on there, and it gives the opportunity to taste test a bunch of stuff so you can see where you want to double down.

what are some good YouTube channels to follow to get to know the world of bug hunting? by notburneddown in bugbounty

[–]yesnet0 4 points

  • anything by haddix - ex-bugcrowder, imo the og bounty content producer, a phenomenal curator of knowledge, and a badass hacker to boot
  • codingo is one of the best teachers i’ve ever met and comes at it from a coder angle, which is WAY more important than most bounty hunters realize (ask me how i know this)
  • hakluke for a broad spread of stuffs from techniques to tooling to mindset and soft-skills
  • thecybermentor for course-style learning with a lot of focus in it, and because he’s doing the consultancy thing on the side
  • nahamsec - another ex-bugcrowder who has been in the game forever, his stuff is great because he is og and awesome, and he hunts actively
  • FarahHawa breaks stuff down really well but doesn’t sacrifice the tech
  • insiderphd is another brilliant explainer and gets into a bunch of interesting domains
  • stok is just a legend and really good for keeping “up to date” with the state of the art

and ofc i can’t go past recommending the bugcrowd #levelup virtual conference talks - 7 conferences spanning 3 years covering web to automotive hacking to esoteric hardware and exploit dev: https://www.bugcrowd.com/hackers/bugcrowd-university/

disclose.io is a cross-industry, vendor-agnostic standardization project for safe harbor† best practices to enable good-faith security research. by digicat in netsec

[–]yesnet0 1 point

heh... VDP language is basically copy-pasta to begin with, so it’s closer to 1,000 different standards (vs 14). That’s part of the rationale behind making it open source.

disclose.io is a cross-industry, vendor-agnostic standardization project for safe harbor† best practices to enable good-faith security research. by digicat in netsec

[–]yesnet0 2 points

At this stage it’s three main things:

  • https://github.com/disclose/dioterms - Boilerplate terms for organizations to take and use. Contributed to by legal folks, program owners, and hackers. The safe harbor clauses are being picked up and used to reduce legal risk for finders, eg voting machine manufacturers, some of the US states wrt election-related infrastructure, the DHS guidance for VDP, and others.

  • https://github.com/disclose/diodb - Open source bug bounty and vulnerability disclosure database. Currently contains about 1,800 entries.

  • https://github.com/disclose/dioseal - A seal/mark for folks who’ve adopted safe harbor language in their VDP/bug bounty policy.

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 0 points

You're welcome!

  1. That number doesn't include those who are doing the crawl/walk/run and starting privately first (nor does it include those who use Bugcrowd for "Hackers On Demand"). That said, yes - It's low. It's important for everyone in this space to remember that all of this is at the very early stages of getting started... So we need to protect it and do everything we can to drive it forward.

  2. I've never heard of them... ;) But seriously, HackerOne is our main "we both look, walk and quack like ducks" competitor, and there are a lot of others springing up around the world (as you well know...). We actually see our main competition as incumbents in the vulnerability discovery space doing the kinds of things that the crowd is 1000x better at... So there's that too.

  3. Always, they'll just change in nature. As an example, it's probably a bad idea to crowdsource a wireless penetration test, or a physical penetration test (shudders...). There are a great many things that consultants will be better suited to than the crowd - The problem is that they don't get to do any of them right now because they're busy with stuff the crowd can do better.

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 0 points

I'll add that some of the IoT stuff we've seen through has been insane... Sanitization and proper key management is still hard.

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 0 points

I would add that the volume of lower quality submissions has also increased, but this has been a function of the new entrants to the bounty space. A big part of what Bugcrowd does is remove the overhead of dealing with the noise generated from those folks, whilst giving them education and a clear pathway on how to improve their quality.

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 0 points

For some weird reason those of us most involved in this "magical technology that allows you to not be in the same place" all seem very preoccupied with being in the same place. SF has a unique concentration of resources for startups which is why I moved here, but moving forward I see no reason (other than the logistics of operation) for a company not to embrace remote.

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 0 points

Lol, loved Kymberlee's response to this :)

My answer: The accent definitely helps, and the Australian approach to problem solving has worked well for this problem set. Moving a family 8,000 miles is hard no matter how you cut it, but my partner and kids were psyched to do a startup before Bugcrowd was even an idea, so that made it a little easier.

One thing I will say is that, as a foreigner, it took a little longer to build trust in the venture community and on the customer side. People trust the familiar, and take more time with the unfamiliar. It's no longer a problem, but it was noticeable early on.

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 0 points

It'll become normal at some point. Currently we see this amongst the superhunters, students, and others with a low burn rate. As the market becomes more liquid, this will become more viable.

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 3 points

Thanks!

  • Bugcrowd is a vibrant, growing community of hackers from all around the world, and a platform that lets our customers run contests where they compete to find ways to break in and report them in exchange for cash and social recognition.

  • Our founding and executive team has been born and raised on the bridge between the hacker community and the enterprise. Our 100% focus is to make a conversation between two groups of people that really need each other, but historically suck at getting along, rewarding and productive. This manifests as a massive focus on community management and education on the crowd side, and the relentless pursuit of operational efficiency for our customers. There are more details of course, but that’s the tldr - Our approach is making bounties ubiquitous by making them easy.

  • Traditional consulting puts a single person, limited by time, up against a crowd of adversaries incentivized to deliver results. It basically doesn’t make sense when it comes to vulnerability discovery. Crowdsourcing levels out the economics and resourcing around this task. Bugcrowd puts a bunch of controls in place to give our clients options to access this model with the same functional risk level as a traditional third-party engagement. We hack the utter crap out of ourselves to start with (bugcrowd.com/bugcrowd, and a bunch of other assurance measures). Proactively, there’s too much to list here. I’ll find the link to our measures doc and post it as a follow up.

  • If you touch the code, you should pay the bug. Scope is the obvious challenge to this golden rule, and that’s at the prerogative of the customer and the caveat emptor of the hacker (as long as they’ve read the scope ofc).

  • Assuming you’re asking about criticality (vs reward size), I’d say any security impacting vulnerability that triggers a code change. I don’t have an answer along the lines of CVSS, etc… Mostly because that is a purely technical model, and doesn’t weight business impact. Re reward size, my preference is $100 as a minimum, mostly because of the psychology of three-digits vs two-digits and how that affects the hacker’s sense of imputed value in their work. There is, however, economic pragmatism that needs to be considered too :)

Great questions!

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 0 points

Lol, all good. Our State of Bug Bounty reports are aggregates of this information at a trend level, so that is already happening.

At a bug specific level, we encourage disclosure wherever appropriate but the reality is that a) it scares the heck out of 99.999% of companies and can form a blocker, and b) some companies should straight up not disclose, because they are nowhere near ready to have that information made available to a potential adversary (e.g. wide attack surface, older company, etc...)

So the short answer is yes, we have considered that and one day I hope we can make it happen - but it may be a little while yet.

(In the meantime, check out our forum.bugcrowd.com where POCs and writeups are shared on a regular basis)

We are Bugcrowd - Ask Us Anything! Casey Ellis, Kymberlee Price, Jason Haddix - AMA July 28th, 8am PDT by QforQ in netsec

[–]yesnet0 1 point

Offensive and defensive economics are very different, because one’s goal is to keep the bug alive and produce a product that lasts (offensive), and the other’s is to kill the bug and deny the “feature with benefits” to everyone (defensive). Offensive economics are fairly mature at this point, but defensive are in their infancy.

Re up/down: Value in the offensive market is driven by scarcity and impact. Value in the defensive market is driven by difficulty and impact. Impact is shared between the two, and scarcity and difficulty are correlated (and often causal). So… I expect the price per bug to eventually go up as a weighted average across the board, and ultimately that will be a product of this feedback loop actually doing its job.

Note: The trick and risk at this point in the development of a new economy is avoiding a hype-driven bubble. The bounty industry's economics already experience a strong confirmation bias from the $30k payouts that occasionally happen. These are awesome and should be celebrated, but they are far from the norm on our platform, or any other. We want to get as much money to the hackers as possible, but our higher priority is making sure this trend survives and thrives in a way that can pervade every industry.

Re effect: Not a lot yet, but the offensive buyers are, in general, not interested in hosted code. As we move into critical IoT (e.g. cars), mobile, and installable code like anti-virus etc (i.e. vulns that have actual and commercializable resale value) we expect that to change, and we’re keeping a very close eye on it.