Crowdsourced bug bounty marketplace Bugcrowd has raised $1.6 million from investors to grow its community of 3,000 vetted security penetration testers who can find vulnerabilities and weaknesses in a new feature or application. The Australian startup is hoping to democratise the models commercialised by Facebook and Google, who have paid out millions of dollars to ethical hackers who find and report bugs in their software — before those vulnerabilities are exposed publicly.
Investors ICON Venture Partners, Paladin Capital Group, and Square Peg Capital, as well as angels, committed the seed round investment to expand its sales and marketing operations and expand the firm’s development team to build out the marketplace.
Bugcrowd and similar marketplaces, such as Danish firm CrowdCurity and Synack, which recently raised $1.5 million from Greylock and Kleiner Perkins, are democratising the crowdsourced penetration testing model, which has previously been available only to the biggest software companies that can afford to pay out millions of dollars.
The crowdsourced model allows companies to expose their applications and software to a diverse range of testers, who discover small bugs and vulnerabilities for a fraction of the price of contracting a security consulting firm to do the work.
Bugcrowd tailors bug bounty competitions for individual projects, while CrowdCurity says that it only charges for bugs that are found in the application.
The startup, founded by security researchers Casey Ellis, Sergei Belokamen and Chris Raethke, graduated from the Sydney-based Startmate accelerator program in 2011 and has been used by customers such as Australian retail giant Coles Myer, Rabobank and e-commerce platform provider Big Commerce.
Google recently increased the minimum rate it will pay for bugs, from $1,000 to $5,000. It revealed it has paid out almost $2 million to security researchers in the past three years, for discovering 2,000 security holes in its Chromium and web apps. Facebook also announced it had paid out $1 million to 329 security researchers. Earlier this year, Microsoft also (reluctantly) launched its own bug bounty program.