BugCrowd – Ethical hacking at scale

By    |   May 16, 2018, 12:00 am EDT

Founded in 2012 in Australia by Casey Ellis, now its Chairman and CTO, BugCrowd is a crowdsourced security firm headquartered in San Francisco. What started as a passion for ethical hacking soon turned into an organizational approach to making companies better at security.

Some of the largest organizations in the world, including Mastercard, TripAdvisor, Pinterest, Motorola, FitBit, Western Union, OWASP and Fiat Chrysler of America, rely on BugCrowd's platform to find and fix security flaws.


Casey Ellis, Founder, Chairman and CTO (Photo via BugCrowd website)

With hacking and data breaches on the rise across the world, companies like BugCrowd are becoming increasingly valuable and in demand. Backed by leading venture capital firms including Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures and Salesforce Ventures, the company has grown steadily since it started out.

One of the most interesting ideas BugCrowd settled on early was to use a large, continuously changing pool of testers rather than a fixed team to find bugs in a system. Casey did not want to go down the traditional route of buying bug-finding as a consulting service from a single firm; that model had not kept big brands from being breached. Instead, BugCrowd builds a community of white-hat (ethical) hackers who test a client's systems in exchange for financial rewards.

The cash reward and natural competitiveness create added motivation for researchers who want to find holes in a system. Since 2012, BugCrowd has run over 700 programs and paid out more than $12 million in bounties. It also maintains an active leaderboard that ranks researchers by the vulnerabilities they have successfully submitted across the platform's programs.

For example, the researcher 'todayisnew' from Canada was ranked #1 for the month of April and has reported 1,204 vulnerabilities during his time on BugCrowd. With a 98% accuracy rate (the proportion of his submissions accepted as valid), he is one of the leading hackers on the platform. Others have been on the platform longer and have delivered consistent results over that time.

All of this and more led to their recent $26 million Series C funding round, led by Triangle Peak Partners. They have shown real strength in the market and have been able to raise capital on the back of their successful programs and management team.

They have brought on leaders from some of the top companies in cyber security and network systems to guide their next stage of growth. The company also appointed Ashish Gupta as CEO to sharpen its management and sales focus. They are one of the rare companies in Silicon Valley that has combined strong technology, customer insight and stable management to deliver results.

That is not all. The company also plans to bring AI and automation on board. It is moving into its next chapter by analysing the six years' worth of submission data it has collected. Casey wants more automation so that the platform can better support the existing hacker community; he is one of the few founders who holds that automation has to work alongside human testers, rather than replace them, to deliver results.

That is why he raised $26 million: to add analytics, technology and data-mining capabilities that further differentiate the platform. After this latest round, total funding comes to close to $48 million. They are using their technology and every resource available to strengthen their researcher network and program portfolio.

They have made real headway in the security testing industry with their bounty programs. Essentially, what companies like BugCrowd do is issue a challenge to their network of hackers, who then test a client's applications. It is done in a highly structured manner, within an agreed scope, and it yields a wealth of insight into the approaches attackers can take.

This opens the platform up to out-of-the-box hacking. Researchers try to break through a given barrier in the application or software and find the gaps, applying every skill they have to win the bounty. This continuous process works out better than hiring a single security team, because each program draws on many more perspectives: the client learns from many leading minds in security rather than relying on the competence of one firm.

With attacks on leading banks and data-focused companies, crowdsourced testing becomes that much more valuable. Payouts to researchers range from about $100 to $15,000 per bug, which makes it a practical way for them to earn a living on projects of every size.

For Casey, it makes sense to scale the model because it has already worked well for companies. Not only does the bug bounty model work in terms of speed and efficiency, it also works well from a cost perspective: you do not need a large in-house staff of testers if the bounty program delivers the same results. In fact, according to BugCrowd's report 'State of Bug Bounty 2017', a program can surface five critical vulnerabilities within its first two weeks.

It is a positive sign for the industry in general, with more than 44% of programs being run by companies with more than 500 employees. Enterprise adoption has also tripled, according to Casey.

Total payouts to researchers have gone up by 200%, and the average payout has increased by 53% to about $451. This is good news, because it is a strong sign that both the demand side (companies running programs) and the supply side (researchers) of the bug bounty market are healthy. What was once considered a niche operation has been adopted at scale by companies that operate around the world.

Casey is confident that the marketplace will continue to evolve, and that new data breaches will keep serving as wake-up calls to industries. With larger payouts incentivizing more innovation, ethical hackers will keep refining their methods. As the marketplace grows more diverse, more ideas will rise to the top. That is what is needed in this era of hacks, breaches and attacks on some of the most trusted websites we use daily.
