What is BugPoC?
BugPoC is a platform for security professionals to build and share Proof-of-Concepts. It's a patent-pending SaaS that rethinks how bug reporting is currently done in the security industry. Visit the About Us page for more information.
What is a PoC?
A PoC is a Proof-of-Concept that illustrates a security issue. PoCs are made up of static files, environmental setup, and supporting applications. BugPoC simplifies this process and allows you to reproduce bugs with a single click.
How is BugPoC more secure than normal PoCs?
Before BugPoC, front-end PoCs were typically stored on researchers' personal blogs and self-managed servers. This forced organizations to visit untrusted third-party websites to see live demos. In a typical browsing experience, this meant the HTML/JavaScript code ran before you could even inspect it, and there was no guarantee that the code wouldn't change after the bug was submitted.
On BugPoC, you get to read the front-end code before you click play and every PoC is password protected and immutable.
Furthermore, some bugs require organizations to run untrusted Python scripts. This forces teams to either trust the author completely or set up entire testing labs with isolated networks and virtualized machines. On BugPoC, the Python code is run off-site and you just see the response.
How is BugPoC easier than normal PoCs?
BugPoC maintains all aspects of PoC reproduction. It's a safe and trustworthy environment for security engineers and software developers alike to reproduce bugs. If your bug report contains a BugPoC link, there is no need for the security team to vet and rebuild the PoC.
Additionally, BugPoC takes care of all overhead required to run a PoC. That means there is no need to install Burp Suite just to replay an HTTP request or install a non-standard Python library just for one bug.
Where are PoCs stored?
PoCs are stored in a highly scalable, multi-region, multi-master database owned and managed by BugPoC. If you are an organization and want to discuss alternative options, including on-premise deployment, please contact us here.
How are PoCs stored?
The BugPoC PoC database is encrypted using 256-bit Advanced Encryption Standard (AES-256), which helps secure your data from unauthorized access to the underlying storage.
How are PoCs accessed?
PoCs are typically accessed using a BugPoC ID and auto-generated password. Organizations can also programmatically invoke PoCs using access keys.
Where are PoCs run?
HTTP and Python PoCs are run on remote servers owned and managed by BugPoC. Front-end PoCs are run locally in your browser. If you are interested in running front-end PoCs off-site in virtualized browsers, please contact us here.
Can I download PoCs?
Yes! All PoCs can be downloaded as runnable Docker images. When you do this, you aren't just downloading the PoC file, you are also downloading all peripheral setup required to run the PoC. This means that when a hacker writes HTML code, the downloaded image also includes a real server to host the code. When the hacker crafts an HTTP request, the image contains a full HTTP client to repeat it. When the hacker writes Python code, the image contains an entire Python interpreter and all non-standard libraries. You can read more about Docker integration here.
How does BugPoC help with regression tests?
BugPoC offers two different ways for organizations to receive continuous testing coverage. First, BugPoC exposes APIs for organizations to programmatically invoke PoCs. This allows software developers to quickly integrate PoCs into their testing pipeline, for example as regression tests, integration tests, or testing canaries. The second way is a fully-managed solution where BugPoC reruns PoCs on a regular cadence on behalf of the organization. This method automatically notifies the organization if a PoC ever starts working again.
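The two integration styles above share one piece of logic: a PoC that reproduces is a test failure, and a PoC that had stopped reproducing but reproduces again is a regression worth an alert. The following is an added example of that logic, not BugPoC's code and not its API. The `run_poc` callable, the `RegressionMonitor` class, and the PoC IDs `poc-xss-1` and `poc-ssrf-2` are all hypothetical; the fake runner stands in for whatever actually invokes a PoC (for example a call to a PoC-hosting API) and returns whether the issue reproduced.

```python
"""Added example (not BugPoC's code): a regression monitor that re-runs
PoCs on a cadence and alerts when one that had stopped reproducing
starts reproducing again.  The PoC runner is a hypothetical callable;
no real PoC-hosting API is modelled here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical runner signature: given a PoC ID, return True if the
# security issue reproduced (i.e. the bug is present).
Runner = Callable[[str], bool]


@dataclass
class PoCResult:
    poc_id: str
    reproduced: bool


@dataclass
class RegressionMonitor:
    """Tracks each PoC's last known status and records regressions."""
    run_poc: Runner
    last_status: Dict[str, bool] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def check(self, poc_id: str) -> PoCResult:
        reproduced = self.run_poc(poc_id)
        previous = self.last_status.get(poc_id)
        # Transition "not reproducing" -> "reproducing" means a fix regressed.
        # A first run or a still-open issue is not a regression.
        if previous is False and reproduced:
            self.alerts.append(f"REGRESSION: {poc_id} reproduces again")
        self.last_status[poc_id] = reproduced
        return PoCResult(poc_id, reproduced)

    def run_cadence(self, poc_ids: List[str]) -> List[PoCResult]:
        return [self.check(p) for p in poc_ids]


def regression_test(run_poc: Runner, poc_id: str) -> None:
    """Pipeline-style check: the test passes only when the PoC does NOT reproduce."""
    assert not run_poc(poc_id), f"{poc_id} reproduces: the fix has regressed"


def make_fake_runner(schedule: Dict[str, List[bool]]) -> Runner:
    """Constructed stand-in for a real PoC runner: returns scripted answers
    per PoC, one per call, repeating the last value once exhausted."""
    calls: Dict[str, int] = {}

    def run(poc_id: str) -> bool:
        i = calls.get(poc_id, 0)
        calls[poc_id] = i + 1
        seq = schedule[poc_id]
        return seq[min(i, len(seq) - 1)]

    return run


def demo() -> List[str]:
    # Constructed sample: three "releases" of two hypothetical PoCs.
    runner = make_fake_runner({
        "poc-xss-1": [False, False, True],   # fixed, fixed, then regresses
        "poc-ssrf-2": [True, False, False],  # open at first, then fixed
    })
    monitor = RegressionMonitor(runner)
    for _ in range(3):
        monitor.run_cadence(["poc-xss-1", "poc-ssrf-2"])
    return monitor.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The monitor only alerts on the fixed-to-reproducing transition, so a PoC that is still open on its first run produces no noise, and a PoC that gets fixed is recorded silently; `regression_test` shows the inversion a pipeline needs, where a reproducing PoC fails the build.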