
Beyond Bug Bounties: Crowdsourced Security Testing Evolves

Bugcrowd's David Baker on Targeted 'Researcher Grants,' Waning 'Crowd Fear'
David Baker, CSO, Bugcrowd

Crowdsourced bug bounty programs help organizations identify severe flaws in their IT infrastructure, apps or other code. Now, that model is being used to help organizations perform more widespread security testing, including penetration testing as well as deep dives by single researchers, says Bugcrowd CSO David Baker.


"Traditionally ... you've had a large group of people sort of gamified - the first one to find a bug gets paid, and so that tends to work very well," Baker says.

But as technology evolves and more web and mobile applications rely on APIs, more specialized types of technology review and testing need to be brought to bear, he says. That has given rise to Bugcrowd's more "gig economy" approach, called researcher grants. "We will give a certain researcher a certain aspect of that technology to look at and research," Baker says. That researcher then produces a report with detailed findings, which can also be used to satisfy audit requirements.

In a video interview at the recent Infosecurity Europe conference, Baker discusses:

  • The state of the crowdsourced security testing market;
  • The evolution in trust as well as reward mechanisms;
  • The role of penetration testing.

Baker is CSO of Bugcrowd. He has more than 20 years of experience in enterprise data security, IT and government computer research.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
