Detectify Crowdsource was born almost 6 months ago, and a lot has happened since then. Kristian Bremberg, Community Manager, who spends his days coordinating almost 100 top-ranked ethical hackers and building their submissions into our scanner, has summarized the first 6 months with Detectify’s security platform Crowdsource.
What is Crowdsource?
Crowdsource is a security platform with ethical hackers from all over the world helping us make the Internet more secure. Only the most skilled hackers are invited to join the platform because we aim to make Crowdsource a tight-knit community that can really make a difference.
Crowdsource works just like a bug bounty program, but instead of submitting vulnerabilities on specific websites, we are interested in security issues that can affect many more websites. The submissions Detectify get from hackers are reviewed, and then implemented into Detectify’s scanner and tested on all our customers.
What have we found?
The scope is wide both when it comes to vulnerability types and software. Crowdsource submissions have generated more than 4000 hits, including vulnerabilities like remote code execution, SQL injection, cross site scripting, cross-site request forgery, open redirect and information disclosure.
We have received almost 200 submissions from the hackers in our platform, with a 75% accept rate*.
The majority of the submissions are WordPress vulnerabilities, followed by Joomla! vulnerabilities in 2nd place, Drupal (3rd) and Magento (4th). The most common vulnerability type submitted is XSS, followed by SQLi, Information Disclosures and RCE.
*Submissions that are verified as valid and implementable. Some are not implemented because they are duplicates, auto-patched or the software is removed (e.g WordPress plugins).
Who has joined Crowdsource?
Crowdsource researchers have their own unique style; some submit vulnerabilities affecting content management systems, some focus on misconfigurations and some on enterprise systems. We have spent a lot of time handpicking ethical hackers with a lot of potential and the right skillset. Email us if you are interested in joining, or check out this blog post where we have explained what we look for in a Detectify Crowdsource hacker.
Many of the security researchers wish to remain anonymous, but we got the chance to interview one of them: Meet the Hacker: Peter Jaric, Software Developer: “I got two board games for the first bug I reported”
You can also read a write-up by our 14-year old guest blogger and Detectify Crowdsource hacker Karim Rahal who discovered and reported a stored XSS vulnerability that affected over a million websites. Detectify was able to help Karim contact the developers behind the vulnerable plugin and the story was picked up by tech sites like The Next Web.
The future of Crowdsource?
The future goal of Crowdsource is to build a healthy community where researchers with different focus and knowledge can make the internet more secure by sharing a wide range of different vulnerabilities.
As Crowdsource continues to grow, we aim to continue bringing in the best researchers in the world, and with their help build the most up-to-date security scanner in the world.
Interested in joining Detectify Crowdsource or have any questions about the initiative? Drop Kristian an email: hello [at] detectify.com
Utilize our hacker community to test your site – Sign up for a free trial now!
Detectify Crowdsource approaches bug bounties in an innovative way, focusing on platforms instead of specific clients. When a researcher submits a vulnerability to us, we build a module for it and integrate it in the Detectify service. Run a scan with Detectify, and get direct access to a global competence pool of top ranked security researchers!