tl;dr: We paid out over $57,000 in bounties to Detectify Crowdsource hackers for Log4j vulnerabilities over the last month. In the month since its discovery, the Log4j vulnerability was actively exploited by remote access trojans, ransomware, and advanced persistent threats. Many companies still lack the resources to run a dedicated security team that can keep up with the Apache Log4j RCE vulnerabilities, and that is where ethical hackers and Crowdsource come in.
What is Detectify Crowdsource?
Detectify Crowdsource is not like any other bug bounty platform. Instead of hunting for bugs in the systems of a single target, hackers search for vulnerabilities in widely used software that can be automated into tests and scaled to protect thousands of customers globally through Detectify Crowdsource. Each time a unique vulnerability finding is produced in a customer asset, we issue a bounty to the ethical hacker who submitted the vulnerability to us. Ethical hackers on Detectify Crowdsource earn bounties on their portfolio of vulnerabilities for as long as that vulnerability is present in our growing customer base.
How our community of ethical hackers took the challenge to find CVE-2021-44228 in various technologies
Detectify’s approach to crowdsourcing vulnerabilities shined during the height of CVE-2021-44228. Because Log4j is embedded in technologies everywhere, a single finding could be turned into a test that protects every customer running the affected product. Soon after we became aware of the widespread impact of Log4j, we mobilized users on our platform by running a special bonus period in December. We received an overwhelming number of submissions from our dedicated hackers. By the end of this period, we had awarded over $57,000 in bounties to our community of ethical hackers.
Thanks to the Crowdsource community, Detectify now scans for Log4j vulnerabilities in a host of technologies including:
- Apache Struts2
- VMware vCenter
- Apache Solr Server
- VMware Horizon
- Okta IDP
- Tableau
- VMware NSX-T
- Elasticsearch
- Citrix XenMobile Server
- UniFi
- Apereo CAS
- Metabase
- Logstash
- Grails
- Jamf Pro
- Cisco vManage
- Cisco Unified Communications
- Cisco BroadWorks
- Cisco WebEx
- ManageEngine Desktop Central
- Symantec SEPM
- Graylog
- Jitsi Meet
- Citrix XenApp
- Splunk Enterprise
- FortiPortal
- SonicWall NSM
- Pega
- PaperCut
- F-Secure Policy Manager
- FlexNet
- GoAnywhere
- OpenShift
What are bonus periods?
We were able to award these bounties through one of our perks: bonus periods. A bonus period is a time-limited event with specific requirements for submissions; for example, the requirement might be finding vulnerabilities in a specific product or component (like Log4j). A single lump-sum payout is given for 0-day submissions and for submissions compatible with our open-source web scanner, Ugly Duckling. We run bonus periods for many different reasons, but generally they are a response to something, such as Log4j, where we believe a fast reaction can help our thousands of customers around the planet.
Our members enjoy bonus periods because they can focus on a specific technology or task for a limited time, with the chance to earn big rewards while doing so. But that is not the only benefit they get on Detectify Crowdsource.
Ethical hackers on Detectify Crowdsource earn payouts for their portfolio of vulnerabilities for as long as those vulnerabilities are present in our growing customer base.
Ethical hacking has been at the core of everything we do at Detectify. That is why we created Detectify Crowdsource: to bring the security knowledge of leading ethical hackers to thousands of customers around the globe through automation. Our platform is built for ethical hackers who want their next vulnerability finding to protect more than a single target. The best part: hackers on Detectify Crowdsource earn bounties for each unique hit their vulnerability produces in our customer base.
Detectify is looking for more hackers to join its Crowdsource platform
We offer more than continuous payouts and bonus periods. Members also get a variety of other benefits, such as:
- Access to a talented community of hackers. Ethical hackers on our platform regularly rank in the top spots across other bug bounty platforms, and you will likely find their names in many Halls of Fame, including our own. Beyond their experience, they are generous with their time and often contribute their knowledge to our blog.
- Opportunities to showcase their hacks through our official channels. We are proud of the community we have built, so we look to our members first when we need expert knowledge on a topic for customer events or industry-leading papers.
- Access to a growing repository of vulnerability submissions to sharpen their skills. Members can now disclose their vulnerability reports as soon as we implement them in our attack surface product, which gives members access to the latest techniques to sharpen their own skills.