Many firms do not have the resources to continually fend off hackers – at least not successfully. The crowdsourcing model may offer a way to bring a “white hat” community to bear on the problem, with a self-regulating marketplace that exposes vulnerabilities and fixes them before the bad guys do damage, as Bugcrowd CSO David Baker tells PYMNTS.
Penny for your thoughts and a bounty for your bugs.
Or, call it hacking for fun and profit. Depends on whether you wear the white hat or the black hat.
In any battle, there are bad guys and good guys, white hats and black hats, if you want to draw the lines cleanly. In tech, and of course payments, the hackers wear the proverbial black, probing at vulnerabilities that will expose precious data or disrupt services.
In an early March announcement, Bugcrowd, a startup that conducts bug “bounty” programs for enterprises, announced a $26 million capital raise led by Triangle Peak Partners.
The company, which counts Mastercard and Tesla among its customers, said that it is expanding globally with offices in London and Sydney, and will boost the ranks of its executive team. According to the announcement, the capital raised—which brings the total to $50 million—will support expansion efforts.
The capital raise comes against a backdrop where chief information security officers are, according to Bugcrowd, “in a crisis for resources.” Within two short years, there will be 1.5 million security positions left vacant – and, of course, we live in an age of countless data breaches and hacking attempts.
To fill that “talent void,” as Bugcrowd has termed it, turn to the crowd. Literally. The company offers a business model where a crowd of global researchers can step in and help companies beef up security.
Bugcrowd chief security officer David Baker told PYMNTS that the basic premise is to offer bounties for finding bugs, standardizing efforts across a community of researchers.
“The crowd always beats out the individual, every time,” he said.
Thus: crowdsourced security, a model where the gap in security within an organization’s staff is effectively plugged by resources outside of an organization. The company has noted that hack attacks are typically the work of teams of bad actors who pool resources and, crucially, knowledge. The “black hats” innovate, constantly in their efforts to exploit a company’s technological vulnerabilities. So too, then, must the “white hats” innovate in stanching those attacks.
Here, the “white hats” come from a pool of crowdsourced researchers, who use the same wiles – namely, creativity – to defeat the bad guys by helping to identify vulnerabilities.
The process is one where the company defines the “attack surface” that needs defending. The Bugcrowd customer defines whether they want to offer a broad program or limit it to “invitation only” programs. Rewards are paid to researchers privately—or via public “kudos”—as they find vulnerabilities, patch them and verify their elimination.
The economics are such that speed is a hallmark of the crowdsourced approach. After all, it is the first researcher who finds and defeats a vulnerability that is rewarded, and rewards scale according to the threat level of the vulnerability.
Baker said the company has in effect created a marketplace that lets firms get continuous security assessments.
That marketplace plays on some characteristics of white hats that have been around for a while. For a long time, said Baker, white hat hackers have sought out vulnerabilities and reported them. In tight-knit hacking community, the way they facilitated these “responsible disclosures” was to go to conferences and talk about them, illustrating their skillset to peers in the process.
Think of it as analogous to the “publish or perish model” in academia, where participants measure their standing against peers by dint of research and reception.
The problem: There was a lag time between finding those vulnerabilities and presenting them to the public (and to the company that was, well, vulnerable).
Baker noted that the bug bounty program is one that lets enterprises who understand the value of such alerts get continuous security assessments.
And due to the rewards and reporting structure, he added, researchers can compete with each other to show how good they are. Bounty hunters across the platform can see “this person got paid this much, this person got paid this many bounty points … it creates democratized means through which people can show each other what they know.”
How to make sure these are indeed white hats and not black hat hackers in disguise?
“That’s always a question that everyone has,” acknowledged Baker. Regardless of application, say a mobile application offered by a company, “people are always going to be looking at it and poking at it.” And Bugcrowd, he said, helps create a platform that can be deemed trustworthy.
“By gamifying the interaction between researchers who find vulnerabilities and the customers paying” rewards for those actions “it creates a community of self-regulators … we have a large community that is earning money, paying for houses, supporting family,” he noted. “It is in their best interests not to ‘boil the pool’ or get kicked off the platform by going rogue.”
Baker said that Bugcrowd monitors how well the individuals perform, how accurate they are and “we even follow them on social media and Twitter, so we understand what they are doing” and whether they are following the rules of the platform.
Individuals who prove to be especially talented get invited into the private program offered by Bugcrowd, where rewards are more lucrative. Should they excel there, they can get invited into background check activities, which is even more exclusive.
Baker also said the Bugcrowd platform can change how organizations view their staffing models within security departments. Clients such as Mastercard have their own security testers in place and do offer bug bounty programs, but Bugcrowd complements those teams and enables them to be much more specialized.
“It is all about having as many eyes on the problem as possible,” he said. With the adoption of Bugcrowd’s offering, companies are “augmenting their teams, allowing their internal teams to become much more specialized, and they may be using outside consultants to conduct unique review and testing, and the crowd is on top of that, really, providing this continuous eye on assessment.”
The idea, Baker said, is to have more creative people all over the world finding vulnerabilities and fixing them, which only makes it “harder for the bad people out there.”