Latest Blog & News

IT Security Company Client Solutions

It is an accepted fact that bug bounty programs are growing not just in popularity but are also being seen as a valuable addition to an existing S-SDLC, and it is possible that many of your clients may be considering such a program. As a trusted security provider / advisor, you are best positioned to advise on and manage a bug bounty program for them. Bug Bounty HQ offers a number of solutions to help fulfil your and your clients' requirements. White Labeled Consultancy...

Hunter Tip #2 Nullie the Elephant

Summary: This is a quick paper about another typical attack I find that has proved successful throughout my own bug hunting. It is likely this may often be overlooked by bug hunters, so I am sharing another tip with you. Description: Unfortunately I do not have any real examples I can show you, as the programs have stated “no disclosure”. That being said, I recently discovered another successful attack using this method in a financial services...

Hunter Tip #1 Response To Request Injection (RTRI)

Response To Request Injection (RTRI). Summary: The title of this paper sounds super cool, but it is really not that cool or that complicated; however, it is clearly overlooked by the developers of applications and by researchers hunting for their next bounty. After you have finished reading it, it may seem blindingly obvious, but if that were the case I would not be having the success I do with it, as these vulnerabilities should have already been discovered. These types...

Introducing the Budget Bug Bounty Program

Not all companies / organizations have big security budgets, but many individuals are very concerned about the protection of their brand / data and, in some cases, their job. Unfortunately it is not always the case that security departments have the full support of their board, and at times the security department is seen more as a hindrance to progress than as an essential factor in the success of the business. There are two roads a business can take. A Vulnerability...

The BBHQ Private Bug Bounty Team

The Bug Bounty HQ private team (BBHQ SRT) consists of 12 proven and trusted security researchers / bug hunters, each having their own unique skill set and approach to a security audit. (A full list of the team and their credentials is available upon request.) To summarize: a signal-to-noise ratio of 100:1; proven security researchers / bug hunters; a team approach as opposed to 12 individuals; hand selected for their unique skill sets and approaches to a security...

The Gold Star In Private Bug Bounties

Bug Bounty HQ has established a team of 12 auditors selected from some of the best and proven security researchers / bug hunters in the world. This team has been brought together to cater for Private Bug Bounty Programs. Using this team ensures your program will receive high quality vulnerability submissions; vulnerability write-ups will be of a high standard; noise (bad or out-of-scope reports) will be negligible; and you can be assured program rules / scope are followed. This is...

Run & Host Your Own Bug Bounty on Your Own Network

Bug Bounty HQ is pleased to announce the release of its Independent Bug Bounty Platform and the Security Consultancy Independent Platform. Bug Bounty HQ appreciates that many companies wish to have more control over their programs / data and as such run their own bug bounty programs instead of using managed platforms. These Independent platforms offer a company seeking to run its own program an instant solution with a number of unique features built in. The Independent...

New Program Admin Messaging Feature Added

At times during the course of your bug bounty program, you may find that you would like to communicate directly with researchers that have joined your program: you have just released some new code and would like to draw some research focus to it; you may need to suspend testing for a given period of time; or simply, you just want to say how awesome the researchers are. Bug Bounty HQ has now added messaging. With this new addition, there are now three means by which you can...

Embracing The Crowd Step Two

We all understand the term crowdsourcing. A bug bounty is just that: a company owns a product / application and invites the research community (crowd) to hunt down security issues within its code and rewards them with cash. The real difference in a bug bounty is the crowd. The crowd is a bunch of individuals working on an individual basis with an individual goal: find as many bugs as I can to make the most money. More traditional crowdsourced projects such as those run by for...

Introducing Bug Bounty HQ India

At the launch of Digital India Week, Prime Minister Narendra Modi stated “I dream of a digital India where cyber security becomes an integral part of our national security. The world is so worried about cyber security. One click can change a lot of things”. Introducing BugBountyHQ.IN, a separate standalone, chained Bug Bounty Platform. BugBountyHQ.in exists to aid Prime Minister Narendra Modi’s dream by helping to forge working partnerships between...

IMPACT - The Pre-Cursor Bug Bounty Program

Bug Bounty HQ is pleased to announce the launch of IMPACT. IMPACT is a crowdsourced pentest (bug bounty), provided by registered security researchers of Bug Bounty HQ testing an application / product, limited to a duration of 24 - 72 hours. Upon launching a new bug bounty program, your applications, domains or products will experience a tsunami of researchers. In the first 24 - 72 hours, your program will receive more bug submissions than at any other time throughout its ...

Dipping Your Toe In the Water

It’s a known fact that bug bounties are growing in popularity, but the vast majority of companies are still to be convinced of their value and, just as importantly, of their trustworthiness. Many companies are simply not yet ready to invite “the world” to hack their systems. Another big put-off, and probably one of the biggest complaints about bug bounties, is the noise-to-signal ratio. There are many statistics out there, but as an average, for every 100 reports...

Bug Bounty HQ Points System

Bug Bounty HQ understands that, to many researchers, points are extremely important. The points system designed for Bug Bounty HQ is far fairer than those of other platforms and more representative of each resolved issue. In the RTU you will notice the following columns: Reports / P Class / Awards / Duplicates. Reports carry a maximum of 10 points. Each time more information is requested before the issue is triaged, 2 points are deducted. So good information and a...

Are You Really Ready For A Bug Bounty

Originally posted July 20th, 2015 on LinkedIn. Code Review: YES / NO. Vulnerability Scan: YES / NO. Security Audit (Pentest): ...

Welcome to Bug Bounty HQ

Bug Bounty HQ is now open for researcher and program registrations. As is to be expected upon initial launch, there are currently no bug bounties. It is expected that over the course of the next few weeks bug bounties will be added. A program does exist for Bug Bounty HQ, but currently this is a points-only program. If circumstances change, all fixed submissions will be financially awarded accordingly. We completely understand if you do not want to partake in this...