Synack, a startup that is attempting to safely crowdsource vulnerability testing for companies, has raised $1.5 million in seed funding from Kleiner Perkins Caufield & Byers, Greylock Partners, Wing Venture Partners, Allegis Capital, and Derek Smith, CEO of Shape Security.
In the current cybersecurity environment, every large corporation is now required to enlist cyber-offense skills to help find and fix security issues before hackers exploit them. The challenge is finding the vulnerabilities that could be exploited. Synack is betting that crowdsourced programs are more effective at doing this than the typical process of hiring full-time white-hat security researchers. In fact, the startup’s community of researchers has identified vulnerabilities at technology giants like Google, Facebook, and PayPal.
Synack’s founders, who hail from the National Security Agency, are offering a controlled testing marketplace that finds (and vets) the best security researchers to apply their skills to this testing. As the startup explains, this provides the first end-to-end testing environment with massive scalability.
“Synack is developing stealth technologies that will form a new standard for vulnerability discovery. Companies like Google and Facebook have demonstrated that using global white hat researchers is an outstanding way to identify security problems and Synack can deliver this capability to any commercial company without compromising security, privacy, and confidentiality,” said Kleiner partner Ted Schlein.
Here’s how it works. Synack works closely with organizations to create a listing that best fits their budgetary constraints and technical requirements for finding vulnerabilities. Synack will perform an initial assessment of the organization’s security, and then help the company figure out the right vulnerability testing and talent to work on the testing.
On the researcher side, Synack’s community of researchers sign up for individual listings based on their skillset (and agree to non-disclosure agreements). Synack says that researchers test for vulnerabilities in highly efficient virtual private testing environments.
Upon locating a vulnerability, researchers submit a detailed report describing their findings, steps to reproduce, and recommendations for mitigation. In terms of payment, the company says it uses a specific methodology to establish the market value associated with a vulnerability submission and handles payments to researchers. Companies only pay if a vulnerability is found.
The company says that cybercrime may reach $100 billion per year, so there is clearly a lucrative opportunity in reducing what large-scale organizations spend on finding vulnerabilities while still promising high-level talent working on the possible issues.