Beyond Compliance: Bugcrowd Leverages Crowdsourcing to Find Server Vulnerabilities Before Cybercriminals Do

Bugcrowd Uses Crowdsourcing To Stop Cybercriminals

TL;DR: Businesses require frequent updates and contact with cybersecurity vendors in their constant struggle to stay ahead of hackers and cyberattacks. But Bugcrowd harnesses the power of crowdsourcing to deliver critical data security to companies more seamlessly. Bugcrowd offers pen testing, bug bounties, vulnerability disclosures, and attack surface management services to help companies develop holistic strategies to protect their servers. As cyberattacks continue to rise, companies have responded by increasing bug bounties by more than 60% to incentivize security.

Personal Capital is a hybrid digital wealth management company that manages more than $9 billion in assets. It has 20,000 investors across the United States and 2 million-plus total users. That means Personal Capital has plenty of important, personal data that it needs to secure.

The company knows that financial service firms fall victim to cyberattacks 300 times more often than organizations in any other industry. That’s why it wanted to offer its clients protection that went well beyond compliance regulations.

So Personal Capital turned to Bugcrowd for its forward-thinking bug bounty, pen testing, and vulnerability disclosure services. Bug bounties offer incentives for users to report bugs found in a system. They can also spur professionals to alert businesses about exploitable points they find in software before cybercriminals do.

Personal Capital was so happy with Bugcrowd that it expanded its services and even launched a public bug bounty in June 2019.

Bugcrowd has saved its customers nearly $9 billion in the last 12 months by helping them anticipate ransomware and malware attacks and by offering development solutions to secure the weaknesses it uncovers. Cybercrime is on the rise, but Bugcrowd harnesses the power of crowdsourcing to parcel out the data security workload and more quickly surface actionable insights.


Bugcrowd helps clients leverage crowdsourcing to secure their businesses.

And since the COVID-19 pandemic began, companies have seen five times the number of cyberattacks, which has resulted in a 60% increase in penetration testing (pen testing).

“Things that were not on people’s minds started coming to the forefront,” said Ashish Gupta, Bugcrowd CEO.

Many companies transitioned to remote work overnight, and it has taken others much longer to make their servers and systems strong enough to accommodate their newly expanded territory.

Bugcrowd produces fast results for companies and can help them save millions of dollars. And its solutions are scalable from SMB to enterprise level. Bugcrowd can offer solutions to such a wide range of clients because it uses many pen testers instead of a team of a few researchers.

Companies that want to stay ahead of ransomware and cyberattacks must anticipate threats instead of reacting to the latest threat. Bugcrowd allows companies, including HP and NETGEAR, to harness the power of the masses to prioritize actions and stay ahead of data breaches.

Helping Businesses, Researchers, and Developers Stay Secure

Companies often use small teams to perform pen tests, which can take months to complete. But because Bugcrowd has a larger team of qualified experts working on the project, it can expedite the tests.

That helps businesses get the right person on the right job, and it saves money. Bugcrowd has also streamlined its pen testers’ workflow by simplifying the way experts complete pen testing and vulnerability disclosures. That means researchers can focus on finding bugs and server failings instead of developing detailed reports — a time-consuming process.

Ashish said that strategy keeps Bugcrowd ahead of its competition.

“First, we bring the right researcher to the right use case. If you bring the wrong person to the wrong case, they won’t be successful, and the customer will be dissatisfied,” Ashish said. “Second, we digitize the workflow. Pen testers spend as much time writing reports as they do finding bugs, which isn’t what they want to be spending their time on.”

Bugcrowd automates the reporting process and adds contextual analysis so clients can gain actionable insights. The company removes those barriers for pen testers and allows them to save companies billions of dollars by exposing security weaknesses.

“It would take six months for a pen test in the past,” Ashish said. “We take all that away by having hundreds of thousands of experts. The world of devices has changed. You need a website that’s connected to a phone. And if you can connect experts together, then you can have a much higher ROI.”

Businesses, researchers, and developers win when they harness the power of crowdsourcing. The tests take place on faster timelines with lower budgets, and Bugcrowd ensures that the right data ends up in the hands of developers at the end of the process.

Aligning Insights with Software Development Life Cycles

Bugcrowd also differentiates itself from competitors through the information it delivers. Many cybersecurity companies and software programs relay a long list of bugs and security weaknesses to their customers. And although Bugcrowd offers clients that same list, it focuses more on what needs immediate attention.

Bugcrowd focuses on actions that fit within the daily schedule of developers, which is why it easily integrates with developer project management software, including Jira and GitHub.


Bugcrowd CEO Ashish Gupta spoke with us about how the company makes pen testing more effective.

Today, it’s also essential to have the right information at the right time. Deciding the right next step when you have a list of 1,000 things to do requires a human who is thinking about the problem holistically — but that’s not always the ideal scenario.

“If a security person finds something, they still need to work with the engineers to build that in,” Ashish said. “Our platform has two-way integrations to all software development life cycle products, including Jira or Git — you name it, we have it. So, engineering teams can get the information they need to fix these bugs.”

Many companies have security and software development life cycles that are siloed in separate departments. Bridging these teams and offering development solutions to critical findings is essential when developing successful solutions to timely server security issues.

“This digitization of the workflow between the development and security life cycle has been important for getting these things that we find fast to be fixed fast,” Ashish said. “Unfortunately, speed is the enemy of security.”

Bugcrowd can help those companies keep pace.

Bugcrowd Eliminates Noise to Provide Actionable Data

Some software solutions claim to solve server security concerns, but those programs may produce only lists of bugs and weaknesses without creating priorities. And when companies don’t have a list of actionable steps, the ball often gets dropped.

“Folks are not looking for a barrage of bugs,” Ashish said. “When I was a developer, the last thing I needed was noise. I needed a signal. On our platform, we triage and validate every bug that comes through. We have a 97% signal-to-noise ratio. So, when we say it’s a bug, it’s time to take action.”

Because Bugcrowd harnesses the power of crowdsourcing, real people are hunting down and identifying server security weak points, and they can look at the problem from a more holistic angle than expensive software can.

That is part of the reason Ashish said he is convinced that Bugcrowd is the answer to the future of cybersecurity.

“We can save companies as much as $55 billion in the next five years with our program,” he said. “And 70% of our researchers think that they can offer a better solution than an AI.”

While $55 billion may sound like a big number, Bugcrowd is already approaching $10 billion saved — and the company has been around for less than a decade. Many companies are turning to AI and taking people out of the process. Still, Bugcrowd offers a convincing argument that the future of information security belongs to people and not AI.