Information Security News mailing list archives

Startup Bugcrowd Raises $1.6 Million To Pay Hacker Hordes To Hunt Clients' Bugs


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 5 Sep 2013 05:41:00 +0000 (UTC)

http://www.forbes.com/sites/andygreenberg/2013/09/04/startup-bugcrowd-raises-1-6-million-to-pay-hacker-hordes-to-hunt-clients-bugs/

By Andy Greenberg
Forbes Staff
Security
9/04/2013

Google, Facebook and PayPal offer thousands of dollars in rewards to friendly hackers who find and report security bugs in their products. Now a handful of venture capital firms are betting that your company will pay to have your products hacked, too.

On Wednesday the San Francisco-based startup Bugcrowd announced that it’s raised $1.6 million from ICON Partners, Paladin Capital and Square Peg Capital to fund its mission to become the security industry’s central hub for organizing so-called “bug bounty” programs. Those programs typically offer rewards to benevolent hackers who can show evidence of a security flaw in a company’s software and help to fix it. In Bugcrowd’s case, it will host and organize a bug bounty on behalf of its client companies: Put up as little as $10,000, and the thousands of security professionals and amateurs who have registered as part of Bugcrowd’s online community will scour a client’s website, desktop software or mobile app for bugs in return for bounties that Bugcrowd pays out for the most interesting finds.

“The way a company traditionally finds security issues is by hiring a consultant, and they get a report or presentation. Instead, we run a contest, everyone’s invited to find issues in the systems we’re testing, and if you find something and are the first to report it, we give you a cash reward and social recognition,” says Casey Ellis, Bugcrowd’s 32-year-old chief executive. “Instead of a consultant who’s paid for his time, this is much more like how the bad guys are doing it. We invite smart people who can think like bad guys and are only paid when they find something.”

Over the last few years, the concept of a bug bounty program has evolved from an edgy experiment into something closer to a security best practice. Google offers $20,000 for information about bugs found in its web applications and holds hacking competitions where it occasionally awards six-figure sums to hackers. Facebook and PayPal each hand out thousands of dollars per security vulnerability found. And after refusing to pay bug bounties for years, Microsoft announced in June that it would begin paying bounties of as much as $100,000 for hacking exploits that affect its Windows 8 operating system. A study released in June by a group of Berkeley researchers found that running a bug bounty program actually cost far less per bug fixed than employing full-time security researchers.

[...]
