Hacking for Good: Bugcrowd’s Crowdsourced Security Platform is a Next-Generation Solution for On-Demand Risk Reduction

TL;DR: Bugcrowd is a crowdsourced security platform that harnesses the power of ethical hackers to reduce risk within organizations. By leveraging a human-based approach to vulnerability disclosure, bug bounties, and pen testing, the company is closing the gap between the motivations of attackers and those of traditional enterprise security defenders. Ultimately, Bugcrowd empowers companies to build strong reputations in terms of security while freeing up internal talent for other pressing initiatives.

With all the cold, technical-sounding weapons deployed in today’s online attacks — malware, phishing, SQL injections, denial-of-service — it can be difficult to remember that living, breathing human beings are behind each of them.

But digital security is fundamentally a human problem, not a technical one.

“Humans create technology, but they’re not perfect, and sometimes their mistakes turn into vulnerabilities,” said Casey Ellis, Founder and CTO of Bugcrowd. “On the other side, you have creative adversaries driven by a human desire to identify those mistakes and exploit them.”

[Photo: Casey Ellis and a Bugcrowd poster on a brick wall]

Founder and CTO Casey Ellis told us how Bugcrowd harnesses the power of ethical hackers to reduce risk within organizations.

Many of the enterprise security defense solutions available on the market today leverage technical solutions such as automation and machine learning to mitigate the risks those adversaries pose. But Bugcrowd takes a human-based approach, harnessing the collective power of ethical hackers to harden attack surfaces.

“We have built an army of good people who can think like bad people to help make the internet a safer place,” Casey said.

Bugcrowd’s crowdsourced security platform helps organizations manage their bug bounty, vulnerability disclosure, and penetration testing programs by combining the expertise of its in-house team with that of trusted ethical hackers around the globe.

In addition to rapid risk reduction, crowdsourced security teams can reduce costs and lower operational overhead by freeing up the internal talent within a business to focus on high-level tasks. At the end of the day, Bugcrowd measures its success on how well it both helps organizations safeguard their digital assets and enables them to build strong reputations as leaders in online security.

A Human-Based Approach to Threat Management

Bugcrowd was founded in 2012 with headquarters in San Francisco. Back then, Casey — who had ventured into security and networking straight out of high school and watched the industry evolve over the years — observed a profound shortage of security resources that businesses could use to protect their digital environments.

Around the same time, Google and Facebook introduced bug bounty programs that rewarded those who could identify security vulnerabilities within their platforms. “The whole idea of a bug bounty began in 1995 with Netscape, but it took until 2011 or so when Google and Facebook jumped in for it to become better understood in the security community,” Casey said.

The shortage of cybersecurity resources and increased popularity of bug bounty programs inspired Casey to start Bugcrowd. “Those two things came together, so I decided to create an army of allies to combat our adversaries — and connect that army to demand,” he said.

[Photo: collage of the Bugcrowd team]

Bugcrowd’s crowdsourced security solution is powered by a team of trusted ethical hackers from around the globe.

Today, Bugcrowd helps redefine security for businesses in more than 50 industries and 30 countries. The company’s customer base includes startups, midmarket companies, and Fortune 500 enterprises alike. Some of the world’s biggest companies, including Mastercard, Etsy, Jet, Tesla, NETGEAR, Sophos, and Fiat Chrysler Automobiles, trust Bugcrowd to protect their digital assets.

When it comes to internal development, Bugcrowd turns to both customers and its global community of researchers for input to inform future plans.

“It all comes down to being able to listen to these groups to understand the features and innovation they’re expecting based on their own assessments of where things are at,” Casey said. “We integrate that feedback into our service based on where the market is going. That’s a core part of how we operate.”

Vulnerability Disclosure, Bug Bounties, and Pen Testing

Bugcrowd’s risk-reduction platform is built around three fundamental areas: vulnerability disclosure, bug bounties, and next-gen pen test programs.

The company’s vulnerability disclosure programs (VDPs) provide a fully managed solution for accepting, responding to, and fixing vulnerabilities reported by the global security community. With a VDP in place, a company is able to provide a framework for external parties to responsibly divulge vulnerabilities while demonstrating a commitment to security. According to Bugcrowd, a VDP is no longer something nice to have — it’s a necessity.

“It’s not just getting your ass kicked around specific risk; it’s about the learnings that you can take from the experience in order to make your development team all the better at avoiding those things in the first place,” Casey said.

Why it works

The system helps to reduce attack surfaces using a three-pronged approach.

Bugcrowd’s fully managed bug bounty program, on the other hand, helps companies outsmart adversaries by combining human expertise, automated security workflows, and analytics. The company provides end-to-end support for all aspects of the process, from program scoping and crowd recruitment to vulnerability triage and SDLC integration.

The process is easy: Specify the areas to be tested, and Bugcrowd will connect with hackers who specialize in web, mobile, and IoT technologies to find the right talent. The hackers will then search for vulnerabilities, which Bugcrowd’s security engineers will triage, validate, and prioritize. The crowdsourcing platform even features integration with development tools, such as Jira, Slack, ServiceNow, Trello, and GitHub, to deliver the resulting information to the right people within each company.

Finally, Bugcrowd’s next-generation pen testing combines the collective intelligence of the company’s global community with methodology-driven reports to ensure businesses meet compliance requirements. One group continuously searches for vulnerabilities while the other works against a methodology defined by the business.

When all problems are resolved, the system triggers a clean compliance report. To ensure credibility, Bugcrowd has had the process independently assessed for compatibility with regulatory requirements on penetration testing, including the Payment Card Industry Data Security Standard (PCI DSS).

Reduce Risk While Freeing Up Internal Talent

The shortage of security talent that Casey observed years ago persists today. According to Deloitte’s “Cyber Risk in Consumer Business Study,” almost 350,000 online security jobs in the U.S. remained unfilled as of July 2017. And it’s only getting worse — the same study projects the global shortfall in the information security workforce to surpass 1.8 million workers by 2022.

According to Casey, Bugcrowd can help companies reduce headcounts and streamline work processes. He cited a Fortune 500 company that uses Bugcrowd as an example: The company found 90 vulnerabilities within 30 days of deploying the platform, and was notified of seven times as many critical vulnerabilities compared with its previous penetration testing service. Ultimately, the decision to switch to Bugcrowd helped boost the company’s ROI.

“Crowdsource the tasks that are appropriate for crowdsourcing, and then reappropriate your internal people in areas that are deep within the business itself,” Casey said.

David Baker, now Vice President of Operations at Bugcrowd, learned this lesson firsthand as a former customer. Before he was appointed to his current role, David served as CSO of Okta, where he leveraged the Bugcrowd platform to change the way his operation approached security.

“He believed in our idea and saw its value,” Casey said. “He was able to free up three to four personnel within his security assessment and defense organization within Okta. The crowd was able to come in and do a better and more scalable job at those employees’ previous tasks, while the employees handled more high-order tasks. To me, that’s the perfect outcome.”

Helping Companies Build Secure Reputations

Until five or six years ago, Casey said, the few people preaching the value of digital security were seen as fanatical industry zealots — and the public wasn’t listening to them. “But then something changed,” Casey said. “All of a sudden, cybersecurity has become a dinner table conversation.”

In this new world, organizations can use their security assets to inform effective business and marketing strategies — and Bugcrowd hopes to aid them in that effort.

“We’re compiling data from different customers over a period of seven years to create a more compelling story for CSOs, VPs of security, and security leaders to show why what they were doing was worth it, and also to take that information to market,” Casey said.

The initiative will help organizations better articulate their value proposition. “It’s the best of both worlds: We make their customers more secure, but also help them build a brand reputation that’s more attractive to customers,” Casey said.

Christine Preusler