How Bugcrowd uses crowdsourcing to uncover security flaws faster than the bad guys do (interview)

Given enough time, the masses on the Internet will find a security flaw in any piece of software.

Smart companies are using this power to their favor. Bugcrowd in particular is marshaling the power of crowdsourcing to fix security flaws for big corporations before the bad guys can exploit them.

The business is the brainchild of Casey Ellis, who figured that companies would pay big bounties to security researchers who fixed potential nightmarish flaws in code before too many people became aware of them. Bugcrowd has signed up more than 10,000 hackers to find bugs. And it has also signed up a bunch of corporations that are willing to pay rewards, or bug bounties, to those who find flaws in software. A hacker can safely approach a company working with Bugcrowd without fear of being ripped off or sued, and a company can rely on the fact Bugcrowd records a hacker’s history of reliability.

This kind of crowdsourcing can be a huge force multiplier for companies that have small resources dedicated to fixing their own security flaws. We interviewed Ellis at the recent Black Hat security conference in Las Vegas. Here’s an edited transcript of our talk.

VentureBeat: Tell me all about Bugcrowd.

Casey Ellis: Bugcrowd runs bug bounty programs on behalf of our customers. We’ve built a platform to make the process efficient and secure. On one side, you have researchers, 10,500 at the moment. On the other side, there’s people who have seen the Facebook or Google bounty programs and like that idea. They want to start to apply it to how they’re doing security. Either in that very open, public way or in a way that’s a bit more private and trusted and so on.

VB: How long did it take to get going?

Ellis: About 18 months ago, at the beginning of 2013. We got accepted in an accelerator program in Sydney and did four months of that. It was working by that point. I came out here, raised a seed round, and relocated to the Bay Area.

Above: Bugcrowd tablet user interface

Image Credit: Bugcrowd

VB: What was involved in making it work technically?

Ellis: In the initial instance it was about proving the concepts. My background prior to this, I ran a penetration testing company, a security services company. It was, okay, can we structure this bug bounty model in a format that people I’ve been selling to already, who are already consuming this type of service, could stomach? Will that model work, in terms of delivering the solution, and will they buy it? That was most of our first four months, proving out that piece.

VB: What sort of activity level is there now? How many people are using it?

Ellis: We launched a program for Medium yesterday. Indeed.com just switched on. We have Pinterest, Heroku, a couple of folks there. They’re the open programs. We also run private programs where it’s just a trusted tier of testers. All in, we’ve run 95 programs so far.

VB: How do you deal with the questions around this whole model?

Ellis: When we started, the concept was seen as an even crazier idea than it is now. You’d come to a place like this and talk to people about the concept of crowdsourcing, being able to find vulnerabilities. It’s taking off in the market. We’re doing our piece to push that, but it’s happening anyway. It’s because software is always going to have security flaws, because people aren’t perfect. And there aren’t enough people to find them all. The demand for the type of people who are able to find these issues before the bad guys do is high.

So the question, where else do we get people who can do this and apply them to the problem? — crowdsourcing is made for this. That’s how the bad guys do it, after all.

VB: How do companies describe their problems so they can get people to solve them?

Ellis: When we engage someone, we find out, do they want to run an open program or a private program? If they want to run an open program, we take them through the process of getting ready for that. We’ll start it off quietly, get them used to dealing with the researchers, and then start to open it up. It’s a matter of, what do you want these guys to test? What do you want them not to test? What things are you most interested in?

The way a bug bounty works, the first person to find each unique issue gets rewarded. The more creative or severe that issue is, the more they’re rewarded. One of the things customers can do is say, “We’re particularly concerned about this thing here as a company. If this was to happen, it would be especially impactful. If you can prove to us that there’s a problem there and that we can fix it, we’ll reward you with more than we ordinarily would.” Oftentimes, if they’ve already been doing things like penetration testing, security testing, they’ll already know about that from the past. They’ll kind of forklift it into this process.

VB: What sort of problems do you get compared to the days of individual negotiations with hackers? A company could rip off the hacker and just take the information and not pay them.