Security startup Bugcrowd on crowdsourcing bug bounties: ‘Cybersecurity is a people problem’

For a cybersecurity company, Bugcrowd relies much more on people than it does on technology.

For as long as humans are writing software, developers and programmers are going to make mistakes, said Casey Ellis, the company’s founder and chief technology officer in an interview TechCrunch from his San Francisco headquarters.

“Cybersecurity is fundamentally a people problem,” he said. “Humans are actually the root of the problem,” he said. And when humans made coding mistakes that turn into bugs or vulnerabilities that be exploited, that’s where Bugcrowd comes in — by trying to mitigate the fallout before they can be maliciously exploited.

Founded in 2011, Bugcrowd is one of the largest bug bounty and vulnerability disclosure companies on the internet today. The company relies on bug finders, hackers, and security researchers to find and privately report security flaws that could damage systems or putting user data at risk.

Bugcrowd acts as an intermediary by passing the bug to the companies to get fixed — potentially helping them to dodge a future security headache like a leak or a breach — in return for payout to the finder.

The greater the vulnerability, the higher the payout.

“The space we’re in is brokering conversations between different groups of people that don’t necessarily have a good history of getting along but desperately need to talk to each other,” said Ellis.

Bugcrowd has some of the largest companies in the world on its books, including Fitbit, Mastercard, and Tesla. With 150 employees in offices dotted across the world, including in the U.K. and Australia, Bugcrowd fields submissions from bug finders at any time of the day.

Key to the business is crowdsourcing, said Ellis. “A lot of the solutions that you see tout automation or technology as the solution,” he said. “The fact that we’re bringing humans back into the middle of the solution is the thing that people are finding quite refreshing.”

With its bug bounty and vulnerability disclosure reaching maturation, the company also expanded its crowdsourcing efforts to penetration testing, allowing companies to hire dedicated specialist security experts to stress-test their systems based off their specifications.

Ellis said it was a natural progression of its crowdsourcing model and the bug bounties and the pen-testing programs will work in symbiosis.

“We’re connecting hard-to-access resources to people that need those resources,” said Ellis. “We’ve been thinking all along how much further can we extend this model.” He said the crowdsourcing model helps to get a diverse set of skills to the people and companies that need it.

Bug finders, hackers, and security researchers often fall in a legal grey area that the law doesn’t fully recognize. U.S. hacking laws are old, outdated, and vague at best and can be weaponized to shut down good-faith security research — particularly by companies that see pro-security work as a threat to their businesses. All too often, bug finders, hackers and security researchers face legal threats by companies unwilling to accept responsibility for the security flaws found in their own products and services. That leads to a chilling effect on bug finders on one hand, but vulnerable software — and customer data — on the other.

By acting as an intermediary, Bugcrowd protects both the bug finders and companies — and sometimes from each other.

Ellis said the company often “plays translator and occasionally diplomat” between the two. “One of our core principles is respect is key,” said Ellis, “and that applies in all directions.”

The company, with insight into both sides of the bug bounty coin, began work on its safe harbor rules in 2016 to further bridge the gap between hackers and companies. aimed to create processes, policies and rules that both bug finders and companies can use as a legal framework in lieu of laws that haven’t caught up with the modern internet. By working with legal experts like Dr. Amit Elazari to build rules of engagement so hackers are not threatened for responsibly disclosing their findings.

Since the rules debuted, other companies have recognized and adopted the measures, promising not to sue or bring legal action against good-faith bug finders for doing their jobs.

Dropbox, Mozilla and Tesla, and the U.S. government’s 18F digital division have all adopted safe harbor provisions along with dozens of other companies.

“From our perspective it’s, ‘how do you reduce the friction — especially for a legal team who’s never had to think about this type of thing before’,” said Ellis. “Just make it simple,” he said. “Clarify what the issues are, then create options and tools for them that make it really simple to implement.”

Ellis has been building Bugcrowd for almost a decade. Since then, the company has raised about $50 million to date in three funding rounds. Ellis said the company is growing and is “well-financed,” despite the fact that cybersecurity “wasn’t dinner table conversation until about five years ago.”

“The net of it over the past eight years is that it’s working,” he said.

His advice to other founders was to never lose sight of a company’s core mission

“The one thing that I find myself saying to a lot of entrepreneurs is if you feel like it’s time to back yourself then do that,” he said. “There’s all sorts of input that will potentially try to derail your confidence at various points in time, but that’s the nature of the game.”

“Part of the role of a founding team is to be, pretty much irrationally pissed off about a problem they think they can solve,” he said. “And that ‘irrational’ part of that is something you should actually codify and make sure it’s clear to everyone, and making sure that everyone you work with understands it,” he said.

“The idea of, you know, having that North Star absolutely clear to everyone who’s working on the problem, I think that’s something that everyone can do at the founding stage, pretty much straight away.

“It’s not something that you need to wait for,” he said.

“It comes back to that confidence and belief in what you’re doing, and making sure that you’re executing against that, but also your team as well,” he said. “Building a startup is hard, but it’s incredibly rewarding.”

Ellis said he’s had no regrets, but if he could go back to his younger self, he’d tell himself one thing: “You’re right, go faster.”

An earlier version of this story said Bugcrowd had two funding rounds. The company had three.

Read more: