Why not tap a community of bug hunters to find vulnerabilities in your products? That's the pitch behind Bugcrowd, which enables thousands of bug hunters to earn cash for finding and reporting new vulnerabilities.
The San Francisco-based startup uses crowdsourcing to find vulnerabilities in products. "We call it the million-person problem - the Cisco report last year saying there are a million unfilled roles in this industry globally," says CEO Casey Ellis. As he sees it, resolving that problem requires solving two challenges: "How do we build an army, but then also how do we find a way to connect them to the demand more efficiently than now?"
That's why Bugcrowd built a community to attract bug hunters. Some 16,400 participants are earning not just prestige, but also cash. So far, they've collectively participated in the site's more than 365 bug bounties and submitted more than 37,000 bugs. In fact, some of the site's participating bug hunters - based in India, the Philippines, South America and Eastern Europe - are even making their living via the site, Ellis says.
In an interview at the RSA Conference 2015, Ellis also describes:
- The light-bulb moment that led to Bugcrowd's launch;
- Approaches to pricing bug bounties;
- How information about bug hunters and their particular skills could be used to create "elastic security teams."
Before launching Bugcrowd, Ellis was principal of Tall Poppy Group, an information security and application security "skunk works" based in Sydney, Australia; CSO of enterprise system configuration testing platform ScriptRock; and an information security specialist and account manager with Vectra, which focuses on compliance with the Payment Card Industry Data Security Standard.