With the launch of Joinable Programs, we're excited to enable immediate access to a set of private programs as long as one meets the eligibility requirements. The requirements of each program are available and can be shared easily. When viewing the program one can see the requirements and what is being tested. Head over to check out joinable programs here.
CrowdStream is Bugcrowd's public activity feed and displays the activities for unresolved, resolved, or coordinated-disclosure submissions, depending on the configured level of visibility for a program.
An activity feed displays the program name, researcher name, priority, target, date of resolution or acceptance, and/or reward amount based on the configured visibility settings.
Competing among the crowd is commonplace; whether it's who has gotten the most findings or who has provided the highest impact, researchers want to share their achievements and see how they stack up. In the past, there have been one-dimensional leaderboards based on points from findings, but as researchers are completing more types of engagements we are looking to enable you to track your growth and see how you're doing compared to others in more ways.
With program invitations, researchers were previously required to accept the invitation before they could understand the terms of the program. Going forward, we have decoupled the ability to become eligible for a program from the ability to join it, allowing researchers to view a program brief once eligibility is met. With access to the full brief, one can better understand the engagement and make a more informed decision to join the program or ignore it for the time being. When ignoring a program, one can input feedback to give the Program Owner and Bugcrowd valuable insight on how to better manage the program and improve our processes around program invitations going forward. But don't worry about losing out on the opportunity, you can always go back and accept the invitation later — just check the Hidden tab in the Programs list to adjust.
Once a vulnerability is patched, program owners will often have the issue retested to help verify that the fix was successful. Researchers are uniquely positioned to complete this black-box retest to certify a complete fix. With a breaker's mindset, researchers are incentivized to complete the original reproduction steps and also work around the patch for further rewards (as defined by the program's brief). Once a vulnerability is certified patched through a retest, customers can breathe a bit easier knowing the vulnerability is resolved.
At Bugcrowd, we're in the business of sourcing the best researchers for a program's needs, taking into consideration the researcher's skills and trusted qualifications to ensure they can deliver. To enable researchers with a limited history to qualify for programs, we are adding the ability to upload your certificates to help prove your skills. Once you upload your certificate(s), they will be automatically validated, then surfaced as part of crowd selection.
Security research requires explicit permission to begin testing, but even with that, the lack of clear legal scope can put hackers, companies and consumers at risk. Now with our in-platform safe harbor tracking, one can set their level of safe harbor so that researchers can filter appropriately within the programs list. Go to your bounty brief settings to view your status, and reach out to your account manager to see how to adjust your program to be safe harbor compliant.
To ensure success in finding priority vulnerabilities, security researchers often leverage the learnings of others through write-ups, blogs, podcasts and more. At the same time, researchers are beginning to work more collaboratively thanks to live communication tools and bug bounty incentives. However, researchers were limited in claiming credit for the finding and applicable rewards between multiple accounts. With Bugcrowd’s new researcher collaboration feature, researchers can now easily add collaborators to a submission, allowing each collaborator to participate and split the relevant rewards.
Program onboarding is a key component to program success. We recently released a Crowdcontrol feature that streamlines credential management for easier researcher onboarding and workflow.
When writing vulnerability reports and submissions, it is vital to be as clear and detailed as possible to help streamline triage, validation, and acceptance. The markdown fields allow for rich text functionality, making it easy to update and review reports.