San Francisco, CA-based Bugcrowd was founded in 2012 in Australia by CEO Casey Ellis.
The company raised a $15M Series B round in April 2016, bringing its total funding raised to $22.6M.
The company currently has around 70 employees and plans to expand to over 100 by the end of the year, with the bulk of that growth expected in the engineering and product teams.
Bugcrowd seeks to bridge the gap between security researchers and customers in need of security testing.
From a security researcher's perspective, the process is designed to be straightforward. After joining, the researcher can see a list of all public programs in which they can take part.
Each program details which systems and techniques are in scope or of interest, and lists how much the company is willing to pay for each type of vulnerability.
The company profile also shows how many bugs a company has paid for, its time to pay, and its average payout amount.
Research is gamified with a ‘hall of fame’ that lists the most successful researchers.
With 28,000 registered security researchers on the books, Bugcrowd can identify researchers with particular skills that may be of interest to a specific company, and can invite them to take part in a private program. Private programs can involve testing systems behind paywalls, pre-production systems, or extending testing to IoT devices.
Bugcrowd has invested significantly in the company-side interface.
A company running a program sets up its parameters, such as scope, duration, and budget. Once the program begins and bugs are reported, the Bugcrowd platform streamlines the process by assessing each report for validity, removing duplicates, and confirming that the report is in scope.
Bugs are triaged and a criticality is suggested, allowing the customer to evaluate and respond. A full workflow allows customers to assign bugs to developers or other team members. Once a customer accepts a bug, the reward box uses the bug's criticality to make market-rate recommendations on how much to pay.
Breaking the Fourth Wall
Bugcrowd is well positioned within a growing field. Security is maturing and continually receiving more mainstream attention. Unplanned or uncoordinated public disclosure can also lead to negative PR, which has increased companies' appetite for running bug bounty programs.
But running such programs can incur significant overhead. This is where Bugcrowd can make the biggest difference with its streamlined process.
Bugcrowd has done well in understanding and engaging with the value of the researcher and hacker community. This has enabled it to build a solid and engaged user base.
From a purely competitive perspective, HackerOne is Bugcrowd's biggest competitor. Additional competition will come from companies wanting to run their own bug bounty programs independently. But as long as Bugcrowd can retain a sizeable researcher population and keep the flow streamlined for customers, it should remain an attractive option.
Many opportunities exist for Bugcrowd going forward. It can extend its research scope beyond public web applications to areas such as physical testing or social engineering.
Also, the insight Bugcrowd gleans about its researchers and their skills can position it to assemble virtual red teams of researchers tailored to specific customer needs.