Detectify Crowdsource is a platform where hackers can submit vulnerabilities in web applications. Their findings are reviewed by our security team, and built into our web security scanner so that our customers can test if they are vulnerable. For each unique hit we find on one of our customers’ websites, the hacker earns a bounty.
The platform has been running for more than 6 months, and during this time, hackers from all over the world have helped us make the Internet more secure. Since the platform’s launch, we have gotten a lot of interest from hackers around the world. With this article, we would like to shed some light on how you can get the most out of Crowdsource and what qualities we look for when we handpick hackers to join our invite-only program. Here’s how you can do good while making money!
The skillset of a Crowdsource hacker
Many hackers interested in joining Crowdsource ask us how they can earn money on the platform. Researchers get monetary rewards for each unique hit, which is why the most successful submissions are those that affect many systems and generate a high number of hits. Their popularity will increase the amount of hits, and the researcher gets a monetary reward for each unique target that is vulnerable.
Submissions with a high severity (SQLi, RCE, SSRF) will both earn many points on the leaderboard and generate hits faster while submissions with low or medium severity (XSS, CSRF, Open Redirect) often have a stable increase of hits over time. For example, one hacker submitted an open redirect in a very common Flash file. Because this Flash file was included in many content management systems, the vulnerability affected many of our customers which lead to a high bounty (over 1400 dollars in total) over a two weeks period.
Every Crowdsource hacker has a unique style and focus. All Crowdsource hackers have their own style and focus. Some prefer submitting vulnerabilities in common content management systems such as WordPress, Joomla and Drupal, while others prefer huge or small enterprise products like JetBrains and Solr. Some hackers focus on misconfigurations which can affect most systems regardless of which web application is used.
We see a wide range of both new and old techniques for finding and exploiting vulnerabilities. It can be a vulnerability with low severity where many sites are affected which will increase the amount of hits.
As you can see, Crowdsource offers plenty of opportunities to submit vulnerabilities with the potential to generate a lot of hits! It’s all up to the hacker which tactic that is preferred when submitting vulnerabilities to Crowdsource – however, we are mostly looking for hackers that are really knowledgeable in specific products and areas. Right now we are interested in Magento, WP, and .net/episerver researchers.
How to become a (good) Crowdsource hacker
Crowdsource invites hackers with a good reputation who follow responsible disclosure policies, which is why blackhat methods are not accepted because they do not follow a responsible disclosure policy. Once we have accepted the request you can go right ahead, create an account and start submitting vulnerabilities!
When you submit a vulnerability, you don’t need to write a highly detailed description; all we need are details showing how to exploit the vulnerability. If you submit a proof of concept, that’s even better! Before submitting a vulnerability you should make sure it’s not a duplicate. Take a look at the list of all modules so you don’t waste time submitting something that has already been submitted by someone else.
If you think you are the right person for Crowdsource, you can simply request an invite! You can do so by sending an email with a short introduction to firstname.lastname@example.org.