A startup called Bugcrowd has built a network of 11,700 hackers (and growing) worldwide. They are tasked with ripping into software and websites like trained attack dogs.
When they find a bug, they get paid.
The more bugs they find, the more they are invited in to hack ever-more sensitive parts of a company’s network. They hack companies like Google, Dropcam, Pinterest, even some banks.
And these companies couldn’t be happier about it.
In the two years since Australian cofounders Casey Ellis (CEO) and Chris Raethke (CTO) launched Bugcrowd, it has become a phenom. Not only is it working for some huge names in tech, but it has also hired away some big names in the security industry, like Marisa Fagan, who had built a similar community of hackers at Facebook. It also hired Jon Cran, formerly of Rapid7 (makers of Metasploit, the ultimate hacker tool) and Pwnie Express.
The reason Bugcrowd’s “crowdsourced security testing” works is that it takes the pain and fear out of security testing. Long ago, the good-guy hackers (called “white hats” or security researchers) realised that if you pay people cash for the bugs they find and report, you have motivated them to hack for good instead of evil.
These are called bug bounty programs. While big companies like Microsoft and Facebook run their own bug bounty programs, there are good reasons why other enterprises don’t.
Ellis tells Business Insider that the common fears he hears from enterprises are: “What if my developers have a bad day and push a bunch of bugs out that are found by bug bounty hunters? Am I going to be out $US1 million? How do I determine who these people are and if I can trust them?”
By contracting with Bugcrowd, they don’t have to worry about any of those things. Some companies offer small payments per bug ($US100 – $US1,500) and some simply offer “kudos.” That works because bug hunters are using the system to build street cred in the security industry, like a resume.
Once they rise in the rankings by finding a lot of bugs, Bugcrowd vets them, and they get hired for better-paying jobs trying to break into ever more sensitive computer systems (a type of hacking known as “penetration testing” or “pentesting”).
From there, they are sometimes even offered jobs. “One guy got hired by Tesla. He was No. 3 in the crowd. He wasn’t a career security person, but working at Bugcrowd in his free time.”
Google actually has one of the biggest bug bounty programs around, paying over $US2.7 million a year to hackers. But it still became one of Bugcrowd’s first customers, wanting help to run certain bounty programs, Ellis tells us.
That helped put the startup on the map. Bugcrowd now runs programs for dozens of companies. It has raised $US1.7 million from Squarepeg Capital, Paladin Capital Group, and Icon Venture Partners.