kacyzurkus
Writer

Bugcrowd, the Match.com for developers and researchers?

Opinion
Sep 06, 2016 | 5 mins
Application Security | Security | Software Development

Whether you're looking for a single engagement or a long-lasting relationship, developers and researchers connect to test the waters and sometimes make a connection

Relationships are never easy, particularly because many of us struggle with trust. In cybersecurity, especially for application developers, trusting your product in the hands of a researcher can be a bit unnerving.

When most people enter into a relationship, it is with the hope that the other party will appreciate their strengths, not identify their weaknesses. When application developers engage with researchers, though, they are hiring a virtual stranger to seek out their imperfections. 

On rare occasions, the hiring company and the researcher develop a professional appreciation for one another that extends beyond a single assignment. Such was the case for Aruba Networks.

In talking about a major vulnerability found in Aruba's ClearPass Policy Manager, Jon Green, Aruba's senior director of security architecture, and Duarte Silva, a researcher on the Bugcrowd platform, also offered an inside look into the researcher / application owner relationship.


In many ways, Bugcrowd has become the Match.com for developers and researchers. Companies looking for trusted researchers sign up through Bugcrowd, just as researchers looking for work create their own profiles. The platform eases the developer's anxieties around trust because researchers go through some degree of vetting before they are matched with a program.

“There are different categories of researchers in the platform,” said Green, who has had cross-site scripting vulnerabilities identified by other researchers. “Others have found things that needed to be fixed but were kind of minor, less important. Duarte found some that were actually of high risk that would allow a malicious attacker to fully compromise an Aruba appliance,” Green said.

Because Duarte put in a lot of effort and came up with something genuinely good, he impressed Green, who said he would encourage other researchers to work up to that level.

When a researcher finds a vulnerability, it is reported through the platform and somebody at Bugcrowd does triage. “They look to see if a researcher hasn't provided enough information, so that by the time it ends up with me, it's been validated,” Green said.

As it is in the dating world, not everyone registered on the platform is looking for a long-term relationship. “For some it’s a side job. Some don’t want to be known, and there are others that only want to be known by nickname,” Green said.

Another aspect of trust that matters a great deal to developers is disclosure. Researchers agree, under an NDA, not to disclose findings outside of Bugcrowd channels, so that developers can take a report through their normal vulnerability release process before anything becomes public.

Green said, “We have a fairly standard process. We do triage based on severity. In most cases we are able to slot things into our standard release cycle. With OpenSSL, vulnerabilities are well published, and we don't have a choice of how long we can wait, but we patch, test, and get it out as fast as we can.”

The standard time frame for researchers to be able to publicly discuss their findings is 60 days after the company's advisory, but Duarte said, “Even though there is the 60 days, as a researcher and trying to be professional, I always ask permission before I disclose.”


While researchers can remain anonymous, developers often want to know with whom they have engaged, particularly in a case like this. “The real reason we like to know who someone is, is really for credit purposes. Do you want credit for this to build up your reputation in the community?” Green said. 

Unlike some researchers, Duarte also discloses his identity. “I share because I’ve been working on this for a while,” he said. 

So what is it about Aruba that has such appeal for Duarte? What is it about a developer that makes a researcher want to spend so much time working with them?

“It's a personal taste,” said Duarte. “I did work for others, but Aruba was the turning point because I was successful in terms of finding critical vulnerabilities, but in this specific bug bounty, I had a lot of communication between myself, Bugcrowd, and Aruba. That had value.”

Green said, “It’s like tango. You have to have two to dance. You have to have an application owner that complies with what it says. The researcher is given scope and rules to follow, he should follow those rules. If they are followed usually the communication is always good.”

Companies that run a bug bounty program are usually welcoming and willing to engage. Those that don't can sometimes be openly hostile toward researchers who try to report a vulnerability. Some companies simply aren't ready to engage.

As with any other online relationship building platform, “Once you have signed up, it puts that out publicly that the developer is willing to work with researchers, and they tend to have a good relationship,” Green said.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, Meetmindful.com and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.
