We’ve all heard of the healthy rewards available to ethical hackers who report bugs and system vulnerabilities to major corporations like Facebook, Google, Microsoft, and PayPal. But what of the tens of thousands of other corporations behind the software and web applications the world relies on every day? How do they leverage the wisdom of the crowd to identify bugs before they are exploited maliciously?
Until recently, there wasn’t a great answer. Bug bounty programs are expensive to implement, and only the largest companies have the ability to attract the quality of participants necessary to make the effort worthwhile. But a new category of startup has emerged to change this reality. A handful of crowdsourced penetration-testing startups are reducing the cost of these contests by spreading them across dozens of small companies and recruiting white hat hackers to perform tests on behalf of sponsoring companies.
CrowdCurity is one of these companies, and it’s making a name for itself by focusing heavily on the bitcoin ecosystem. If recent events are any indication, bitcoin startups need all the help they can get to thwart hacking attempts, and as nascent startups, they often lack the resources to give security its due.
Originally Danish, with a team once distributed across Dublin, Buenos Aires, and the Bay Area, the company is now based entirely in San Francisco, having graduated from the BoostVC bitcoin accelerator program earlier this year. CrowdCurity was founded by a pair of software consultants from Accenture.
“We saw that there was something wrong with the hourly consulting model,” says CrowdCurity co-founder Esben Friis-Jensen. “We recognized the power of the crowdsourcing concept, and decided to help companies leverage the intelligence of many people to solve problems. Each of our founders owns bitcoin, and we all have been affected by hacked exchanges and wallets so it seemed like a natural area on which to focus.”
CrowdCurity began assembling its community of ethical hackers from the Hall of Fame lists posted by marquee companies like Facebook and Google. The company vets all participants using standard KYC (know your customer) methodologies and relies on the community to be self-policing – after all, no one wants to see the bounty go to someone not playing by the rules.
“The primary benefit to this approach is to access more intellectual horsepower and more diversity than you could otherwise, either through employing your own security professionals or hiring outside consultants,” Friis-Jensen says. “And the best part is, if your site is secure, you pay nothing – although we’ve never had a campaign not pay out a bounty. Plus, companies are always pushing new code, so they should always be testing.”
To date, the company has onboarded more than 900 penetration testers and run more than 40 bug bounty campaigns. More than 50 percent of those campaigns have been in the bitcoin sector, including those for companies like VaultofSatoshi, BitMe, QuickBT, SpendBitcoins, and others. CrowdCurity recently began issuing a security seal to companies that run a bounty program for at least one month and offer a reward of at least $1,000 per bug identified.
Given its focus on the bitcoin industry, it’s perhaps only natural that CrowdCurity encourages its partner companies to pay out bounties in bitcoin (at the tester’s option). CrowdCurity does not charge companies until a bounty is paid, but then collects a commission.
The natural question to ask is whether hosting a CrowdCurity campaign will attract undue attention to one’s site from potentially unethical hackers. The answer is no. Participating companies share no back-end code and grant no system access to participating testers, so the surface the crowd tests is exactly the surface already exposed on the open Web: any vulnerability reachable in the campaign was reachable by anyone before the campaign started. A campaign does not create a new entry point; it pays for reports about the ones that already exist, on the condition that the company publishes a clear scope and rules of engagement so testers know which hosts are in bounds and which behaviour (denial of service, social engineering) is off limits. If anything, companies benefit from the attention, not only because bugs will be identified (and presumably fixed) but also because it shows a commitment to security.
CrowdCurity has bootstrapped itself to this point, save for the limited cash it received for participating in BoostVC. The company is in the process of raising its seed round, which will allow it to grow beyond the five total employees it currently employs.
Friis-Jensen’s one-year-old CrowdCurity isn’t the only crowdsourced bug bounty game in town. Competitors include Bugcrowd and Synack, which have raised $1.6 million and $1.5 million respectively and offer comparable platforms. But with millions of small companies needing security support, the market would seem large enough for multiple platforms to coexist.
Google recently announced that it’s paid out nearly $2 million in security bounties, after raising its minimum payout from $1,000 to $5,000. Facebook, too, is approaching the $1 million mark. If these Internet giants, with all their engineering resources, are releasing code with thousands of bugs, imagine how vulnerable that ten-person bitcoin startup you patronize is. There’s little argument about the demand for CrowdCurity’s services.
“Penetration testing used to be done behind closed doors and no one knew what was going on,” Friis-Jensen says. “We’re exposing that this type of service is available and that you can do it before you get hacked. We want people to talk about security openly and honestly. We’re starting to see a change in behavior – companies are becoming more proactive.”
Crowdcurity: Crowdsourced Application Security
Crowdcurity is a platform for crowdsourced application security. We crowdsource security testers and connect them with businesses. We basically do crowdsourced security audits and bug bounty programs as-a-service.
We enable any business to create their own bug bounty program in a few easy steps, and discover security vulnerabilities before they are exploited by the bad guys.