
Understanding Bugcrowd's Security Platform

Sep 19, 2024

Bugcrowd Platform Overview

Speaker Introduction

  • Jeff Booth, Trust and Security Engineer at Bugcrowd
  • Bugcrowd: Award-winning crowdsourced security platform
  • Mission: Connect security researchers with companies to find vulnerabilities efficiently.

Bugcrowd Platform Components

  • Overview of two sides:
    • Researcher side: Workflow, submission process, bounty brief
    • Customer side: Interactions with vulnerabilities, reporting

Public and Private Programs

  • Public Programs:
    • Open to anyone globally
    • Researchers can sign up and start testing
  • Private Programs:
    • Exclusive to selected researchers
    • Invitation based on vetting process
  • Vetting Process:
    • Researchers must participate in public programs to earn kudos points
    • Kudos points determine eligibility for private programs

Bounty Brief

  • Purpose: Communicate rules, scope, and targets for researchers
  • Components:
    • List of targets: What can be tested (websites, APIs, mobile apps, etc.)
    • Scope: Clear definition of in-scope vs out-of-scope targets
    • Focus areas: Specific parts customers want researchers to test
    • Reward range: Based on vulnerability severity (P1 to P5)
    • Non-disclosure agreement: Researchers agree to confidentiality

Vulnerability Severity and Rewards

  • Vulnerabilities are rated from P1 (critical) down to P5 (informational)
  • Companies mostly pay for P1 to P4 vulnerabilities; P5 (informational) findings are typically not rewarded
  • Reward ranges are customizable for each program's needs

Submission Process for Researchers

  • Submission form includes fields for:
    • Target URL
    • Technical severity selection
    • Description of the vulnerability and reproduction steps
    • Optional fields for attachments (screenshots, videos, etc.)

Backend for Customers

  • Overview Page: Summary of program activity
  • Submission Queues:
    • Processing Queue: Where new submissions are triaged and validated
    • Other states: In scope, out of scope, not reproducible, etc.
  • Triage Process:
    • Validation by security engineers
    • Communication with researchers for more information if needed
    • Tracking of vulnerability status until resolved

Metrics and Insights

  • Performance Metrics:
    • Insights into submission rates, types of vulnerabilities, and fix times
  • Reporting:
    • Exportable reports for analysis and review
    • Includes executive summaries, vulnerability details, and remediation advice
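The metrics above (submission mix by priority and category, time to fix, open backlog) are the kind of thing a program owner computes from an exported submission list. The script below is an added example, not code from the presentation or from Bugcrowd: it works over a small constructed CSV export whose column names (id, priority, vrt_category, state, submitted_at, resolved_at) are assumptions for illustration, not the platform's real export schema.

```python
import csv
import io
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export for this example. These rows are not real Bugcrowd
# data, and the column names are assumptions rather than the platform's schema.
SAMPLE_EXPORT = """id,priority,vrt_category,state,submitted_at,resolved_at
1,P1,Server-Side Injection,resolved,2024-08-01T10:00:00Z,2024-08-02T09:00:00Z
2,P3,Cross-Site Scripting (XSS),resolved,2024-08-03T12:00:00Z,2024-08-13T12:00:00Z
3,P2,Broken Authentication and Session Management,unresolved,2024-08-05T08:00:00Z,
4,P5,Informational,not_applicable,2024-08-06T08:00:00Z,
5,P4,Security Misconfiguration,resolved,2024-08-07T08:00:00Z,2024-09-06T08:00:00Z
6,P1,Server Security Misconfiguration,resolved,2024-08-10T00:00:00Z,2024-08-13T00:00:00Z
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; an empty cell means 'not yet'."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_submissions(export_text):
    """Read the CSV export into dicts, converting the two timestamp columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["submitted_at"] = parse_ts(row["submitted_at"])
        row["resolved_at"] = parse_ts(row["resolved_at"])
        rows.append(row)
    return rows


def count_by_priority(subs):
    """Submission mix: how many findings landed at each priority (P1..P5)."""
    return dict(Counter(s["priority"] for s in subs))


def count_by_category(subs):
    """Submission mix by vulnerability type (the VRT category column)."""
    return dict(Counter(s["vrt_category"] for s in subs))


def median_fix_time_hours(subs):
    """Median hours from submission to resolution, per priority.

    Only items in state 'resolved' with a resolution timestamp count; unresolved
    items and closed-without-fix states (not applicable, out of scope, ...) would
    otherwise distort the fix-time figure.
    """
    durations = defaultdict(list)
    for s in subs:
        if s["state"] == "resolved" and s["resolved_at"] is not None:
            hours = (s["resolved_at"] - s["submitted_at"]).total_seconds() / 3600
            durations[s["priority"]].append(hours)
    return {p: statistics.median(h) for p, h in durations.items()}


def open_older_than(subs, max_age_days, now):
    """IDs of still-unresolved submissions older than max_age_days at time `now`.

    Only state 'unresolved' is treated as open backlog; a P5 closed as
    'not_applicable' is not a pending fix.
    """
    stale = []
    for s in subs:
        if s["state"] != "unresolved":
            continue
        age_days = (now - s["submitted_at"]).total_seconds() / 86400
        if age_days > max_age_days:
            stale.append(s["id"])
    return stale


if __name__ == "__main__":
    subs = load_submissions(SAMPLE_EXPORT)
    print("by priority:", count_by_priority(subs))
    print("by category:", count_by_category(subs))
    print("median hours to fix:", median_fix_time_hours(subs))
    print("unresolved > 14 days:", open_older_than(subs, 14, parse_ts("2024-09-01T00:00:00Z")))
```

The one design point worth noting is the state filter: fix-time and backlog numbers are only meaningful over findings that were actually accepted and fixed, so closed-without-fix states are excluded from both, which matches the distinction the platform draws between resolved and the other terminal states.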

Integrations and Settings

  • Integrations with ticketing, chat, and source-control tools such as JIRA, Slack, and GitHub
  • Ability to manage credentials for researchers
  • Custom roles for managing access within the platform

Conclusion

  • Bugcrowd aims to streamline the vulnerability discovery process through structured programs and clear communication
  • Encouragement for further discussion or questions about the platform.