Bugcrowd Snags $1.6 Million for Crowdsourcing Bug Hunting

Bugcrowd is contracting with clients interested in finding vulnerabilities and then deploying its army of Bugcrowders to scour and poke and code away, looking for holes

The company has announced a $1.6 million capital round from ICON Partners, Paladin Capital and Square Peg Capital, which it will use to open a San Francisco office and fund its efforts to crowdsource the uncovering of vulnerabilities in popular software and applications. Initial clients include Coles Myer, Rabobank and Big Commerce.

Bug-finding is a well-worn track: Google, Facebook, Microsoft and PayPal all have high-profile bug bounty programs that make headlines for shelling out millions of dollars in rewards to those uncovering previously unknown vulnerabilities. The pay-to-hack community is a vibrant one, with events like Pwn2Own, the HP Zero-Day Initiative and other hacking contests attracting healthy competition and big-dollar prizes.

Bugcrowd is taking on a middle-man role, contracting with clients interested in finding vulnerabilities and then deploying its army of Bugcrowders (consisting of hackers, amateurs, and security professionals from around the world – the company doesn’t seem choosy) to scour and poke and code away, looking for holes.

Client companies have an initial consultation to set a budget – the bottom limit is $10,000 – and they’re off to the races. There are 3,400 Bugcrowd Ninjas, as the company affectionately calls them, waiting to get started.

“The way a company traditionally finds security issues is by hiring a consultant, and they get a report or presentation. Instead, we run a contest, everyone’s invited to find issues in the systems we’re testing, and if you find something and are the first to report it, we give you a cash reward and social recognition,” Casey Ellis, Bugcrowd’s CEO, told Forbes. “Instead of a consultant who’s paid for his time, this is much more like how the bad guys are doing it. We invite smart people who can think like bad guys and are only paid when they find something.”

If hackers are motivated by anything beyond money, it’s the sheer props of it all. Bugcrowd’s model wraps in community recognition: registered users can list their bug finds on their profile and compete for rankings.

“We want employers to ask to see applicants’ Bugcrowd profile,” Ellis said. “This is a way for anyone who wants to be part of the security community to go out and prove their skills.”

Bugcrowd isn’t alone in its model: Bugwolf and Synack are direct competitors. And with the list of official bounty programs growing, it’s likely that the space will continue to scale.

“The company’s technology shows considerable potential as a solution to the growing asymmetry between security threats and security testing resources,” said Ken Minihan, a managing director at Paladin. “It allows corporates and governments to access a global, 24×7 resource of trusted security testers.”