Mixing crowdsourcing and security to help hack for good: Bugcrowd

In a world where online attackers laugh in the face of legislation and jurisdiction, the best way to protect yourself might be to hire someone to identify your problems first. But why hire a single hacker when you can hire a team of them?
Written by Michael Lee, Contributor

We frequently hear of organisation that have been hacked or their security homework done for them. Soon after, when the perpetrator or good-guy hacker (who is often a professional themselves) is "caught," onlookers shake their head and wonder why no one hired them to put their skills to good use. There are challenges to doing so, such as questioning the ethics of these hackers, defining the scope of systems they are allowed to test, and ensuring they don't simply run off and sell their exploits on underground markets.

But two entrepreneurs and former security consultants, Casey Ellis and Serg Belokamen, have found what they think is a way to channel that love for tinkering in the right direction. Founding Bugcrowd last year, the Australian startup combines crowdsourcing with information security, providing businesses with a crowd of well-intending hackers to discover vulnerabilities before more malicious types do.

The hackers, on the other hand, do what they do best, and those that discover the most critical bugs get paid for their efforts, either in money from the client they just saved and/or in the form of kudos--a points-based system that Bugcrowd has established to highlight hackers who are able to prove their mettle.

Over 1200 hackers have already signed up to be a part of the crowd, and they're not necessarily script kiddies either. The duo couldn't share the names of prolific hackers who are keen to take part, but did indicate that the calibre of users was high.

"A lot of the people that are actually participating and disclosing submissions are testers by day. They've either got down time during their day job [...] or they're doing stuff over the weekend because they just love it," Ellis said.

"Some of them are speakers at conferences and well-known published research guys, and so on, which is pretty cool."

That isn't to say that those still learning the ropes can't use Bugcrowd as a tool to show prospective employers what they are capable of. Ellis and Belokamen hope that the reputation system will be used in a similar manner to how discerning employers looking for star developers use GitHub to gauge whether a potential hire is actually contributing to open projects and the community.

For businesses seeking to have their systems tested, there are a number of red flags raised, especially when potentially exposing systems to (up to) thousands of hackers.

Ellis highlights a significant issue that has been brought up with his and Belokamen's discussions with other companies running bug bounties and, unfortunately, in many legal cases--the intent behind a connection is near impossible to determine and attacks on systems for malicious purposes look exactly the same as those made by hackers that are careful not to break anything.

Bugcrowd's answer is to pipe all traffic through its own servers, enabling the client to distinguish what traffic is from the crowd, and what is an outside attack. It also means that Ellis and Belokamen are able to keep an eye on anyone who might be playing against any rules set by the customer, or hindering others from doing their job. A basic version of the system, called "Crowdcontrol," is in place at the moment as Bugcrowd goes through its beta phase, but he and Belokamen hope to add further features in the future.

Another issue is whether hackers will simply sell any discovered exploits on underground markets for more than what the business is offering in the reward pool. However, Ellis and Belokamen said that one of the strengths of a large crowd is that, with so many other testers looking at the same application, it's likely someone else will find it, and once the customer knows it exists, lower the value of such an exploit on underground markets.

Using a crowd also changes the way in which security tests are paid for. Traditionally, an organisation might pay a security firm, consisting of a handful of penetration testers, contracted for a set fee, regardless of the advice provided. However, Bugcrowd's model is outcome-based, meaning that if, for whatever reason, no or very few vulnerabilities are found and the reward pool is not exhausted, the organisation gets that money back.

So far, every bounty that Bugcrowd has run has yielded a zero-day vulnerability.

Organisations are still welcome to go in the opposite direction, however, and restrict who can apply to test their system based on Bugcrowd's kudos system if so desired. While it might address any concerns organisations might have over novice hackers learning on their systems, Ellis and Belokamen said that it's often a fresh set of eyes that make unexpected discoveries.

Ellis and Belokamen have also opened Bugcrowd up to charities, not for profit, and profit for purpose organisations free of charge. In these cases, Bugcrowd manages the bug-hunting process, and while there is no reward pool, hackers are still awarded points towards building their kudos in recognition of their efforts.

"Charities get hacked all the time because they don't have the budget to do app sec, which sucks," Ellis said.

"They're doing good things, and it all works out quite well for everyone."

Bugcrowd's own systems will inevitably become a target, but to eat its own dog food, it too will undergo testing from the very hackers that form part of its community.

Their idea gained the support of not only hackers and a number of businesses, but also of investors, which are betting on Bugcrowd's success.

Bugcrowd was one of the eight startups accepted in Startmate's intake for this year, going up against the hundreds of other Australian startups that applied. As part of the accelerator program, they are now working full-time out of the National Innovation Centre in the Australian Technology Park, and in about two months, will relocate to San Francisco, California. A demo-day in front of our own local investors, will also prep both founders for the bigger players in Silicon Valley.

To get them on their feet, Startmate has already injected $50,000 into Bugcrowd in return for 7.5 percent equity. Startmate alumini include the now Walmart-acquired Grabble, and ScriptRock, which raised AU$1.2 million from investor and PayPal co-founder Peter Thiel.

Editorial standards