Bugcrowd CEO Ashish Gupta on bug bounties and the ‘infinite game’ of crowdsourced security

Seven years since its inception, Bugcrowd has grown from an “idea on a napkin” to become one of the world’s biggest bug bounty and vulnerability disclosure platforms, handing out more than $25 million to researchers through more than 1,000 programs.

Following another successful 12 months for the San Francisco-based company, The Daily Swig caught up with Ashish Gupta, CEO of Bugcrowd, who discussed the changing shape of the bug bounty landscape and outlined his approach to the “infinite game” of crowdsourced security.

Could you provide a brief history of Bugcrowd? What sparked the idea for a crowdsourced security organization?

Ashish Gupta: Bugcrowd started in 2012 as an idea on a napkin. Our founder and CTO Casey Ellis was coming from the world of pen testers and seeing the natural inefficiencies of the pen testing market, which range from a skills gap, to a time limit, to the challenges around finding the right people for the right pen test at the right time.

He said, ‘Why can’t we just bring the creativity of thousands of people to help with this ongoing, highly intuitive problem?’, which is that the world is getting more and more digitally connected and we need to make it that much more secure.

I have to give a huge amount of credit to Casey for his ability to think around corners. He knew that we needed to bring in the right kind of folks who – just like the huge number of developers that are building these new software and hardware solutions for customers – understood how to break things.

So, to that end, you start thinking about it and you say, ‘Look, it’s really an infinite game, instead of a finite game’.

How do you make the distinction between a finite and infinite game in this context?

AG: In a finite game there are very clear rules, there are very clear players, and the end game is to finish with either a win or a loss.

An infinite game is very different. It’s a game where you have known and unknown players; you have ‘black hats’ and ‘white hats’; and you’ve got new developers who bring in new technologies.

Our goal with Bugcrowd is very much that of an infinite game, because the whole industry is very much that of an infinite game.

As a result, the rules of the game are completely changing, and to that end the real goal of this infinite game is to perpetuate how the industry is going. Simon Sinek talks about this a lot, and I give full credit to how he thinks about leadership in the industry and thinking about infinite versus finite.

If you start thinking about infinite games, Bugcrowd becomes really important – and bug bounties become that much more important for our customers, because you want to bring people who can think creatively, you want to be able to find the contextual intelligence, so that in a game of changing rules, you can find the right kind of activity and actionable insight.

Are you picking up on any trends in the bug bounty marketplace that we might not have seen, say, two years ago?

AG: I’m seeing that ‘crowd fear’ is not as substantial as it was before. Crowd fear used to be the case in 2016/17, where our customers might think, ‘Wow, are you really going to allow hackers into our world?’

What we saw in 2018 is that this crowd fear had diminished substantially. Our customers now inherently believe that there are bad actors and good actors, and that some bad actors are going to be at their doorstep anyway, so why don’t we bring in the white hat hackers to ensure that we have our vulnerabilities identified for us?

I think crowd fear has gone down, which is fantastic. More and more companies are opening their doors to ethical hackers. They know the crowd is on their side, and are dedicating budgets to help recognize their brilliant efforts.

Bugcrowd saw a really good 2018. We look at 2019 as taking it to the next stage. We had over 120,000 vulnerabilities submitted. We’ve paid out over $25 million. We’ve got about 1,000 programs, and we see that the payout amounts are increasing, which is great for the supply side, but it’s also great from the customer side because they are seeing that value.

On the subject of ‘crowd fear’, it’s interesting to note the increased adoption of VDPs by governments and public sector organizations. Have we reached a tipping point when it comes to governments realizing the value of crowdsourced security?

AG: This brings me back to the whole ‘infinite game’ idea. If the rules continue to change, what is the tipping point?

We’ve been working with public sector organizations for quite some time – in Australia, in the UK, the US, and all around the world. And what is interesting to me is that there’s a very keen appreciation for the fact that there is a skills gap, not just in the public sector but everywhere in the industry when it comes to security.

The second thing that’s really interesting is that people want to know what they should be working on. I’m not only referring to the skills gap in security – engineers also need to do a whole bunch of other things, so making sure that they prioritize the security side is very important.

To that end, there is an evolution in the public sector, where there’s several public sector entities and departments that have said, ‘Look, we need to bring that human creativity to bear’. And that’s exactly how we go involved with the Hack the Pentagon side of the house, but we’ve been involved in other public sector offerings for quite some time.

The realization of human creativity coming to bear and the layered security that is required is absolutely here today. Especially with the US government, they are taking a multi-layered approach, which I suggest everybody does.

DNS-based security is one layer of security. Firewalls are another layer of security. Having endpoint protection is another layer of security. But all of this has several hand-offs that might not be taken care of by just one single layer.

Bringing in a bug bounty program allows [an organization] to see any of those hand-off points are protected as well, because that’s exactly how people get in and out of attack surfaces that are vulnerable.

There are a growing number of bug bounty and vulnerability rewards programs around the world – what are your thoughts on competition in this space? Do you expect to see any consolidation in the market over the coming years?

AG: It is important to have competition, and I think that bug bounty or security in general is absolutely like any other market, where competition is good. This is exactly how Bugcrowd looks at how we deliver bug bounties.

The whole idea [of bug bounties] is, ‘How can you find the first vulnerability fast enough so that you can solve your problem?’ Competition is good for this, and I feel that the industry is just going to evolve with new competition.

But, at the same time, I do feel that there is going to be consolidation when we think about this market – not only because of bug bounty as a market by itself, but because security has many subcomponents to it.

Going back to the idea of multi-layered security, there is a need for interaction between those security areas, and bug bounty [platforms have] a fair amount of data that is unavailable to even some of the more robust players because that new way of thinking, and the new vulnerabilities, are still not thought through, which we get to see on a daily basis.

It would be great to hear your thoughts on this blog post from January, which picks up on prior research and paints a not-too-positive picture of the global bug bounty marketplace.

AG: I did take a look through the blog post, and there are a fair amount of good learnings in there. But, at the same time, we should think about how we implement these programs and bring the right crowd to bear that allows some of those findings to be addressed in a meaningful manner.

It really starts from the fact that vulnerabilities are a problem that are [unknowingly] created by millions of developers and engineers, and exploited by many tens of thousands of hackers.

We love the fact that our highest performers on our platform get to do a large number of bounty submissions. But a handful of ‘rockstars’ is not the solution to the problem.

In the long term, it is going to take a crowd, and the incentive model that is required for that crowd needs to be comparative and reward-based, so that it allows hackers to focus their efforts on the right types of bugs and the right types of attacks which they are best at.

To that end, it’s important to get these results to the customers, and that’s where Bugcrowd really does a phenomenal job because we bring a set of experts, who are researchers by themselves, in our own company that help triage and validate things and prioritize things.

We’ve made our Vulnerability Rating Taxonomy (VRT) open to the entire market, and it has set the standard for what vulnerability classes are out there and how they should be paid. This is based on hundreds and hundreds of thousands of vulnerabilities that we have received and paid [for] in the past.

So to that end it really challenges the pieces of the article, because if you think about how our researchers work, there are a large number of researchers who do this in their post-job time.

It’s a social-economic challenge that we are trying to solve – for the customers, for the researchers, and for the industry.

What are Bugcrowd’s main aims for the remainder of 2019?

AG: Going back to this whole idea of infinite versus finite – when you think about an infinite game, there are three things we do really well in this industry. First, we have a researcher community that is vibrant. Two, we take the data that we see, analyze it, and find the right kind of priority in those bugs using our platform and our internal experts. And three, we ensure that the customer gets the highest return on investment.

So when you look at all of this, in 2019 it becomes that much more important to build on all the successes we had last year, when we launched Bugcrowd University.

Bugcrowd University is completely free and has the primary goal of helping all of our researchers to start learning from the best of the best in terms of how they can build their skillset. It’s not going to be done by some certification program – it’s going to be done by them getting this osmosis effect from the rest of the community.

We also want to ensure that our researchers feel secure in what they are doing. And so we’ve been a huge proponent and have been leading the direction with disclose.io, which is, ‘What can we build into our program language so that researchers are protected, so that they feel comfortable providing the kind of feedback that they are providing?’

Finally on the customer side, we feel that just talking about this industry as ‘bug bounty’ is limiting the scope of what our researchers do.

To that end, we launched ‘Next Gen Pen Test’ which is an old idea of solving that first problem of, ‘How do we match the right resources to the right use case?’

Next Gen Pen Test is one of those use cases, and it’s a runaway success product for us.

We’ve seen that customers have been frustrated with traditional pen tests, not because of any other reason than not having the right skills available to them at the right time.

We have a ton of researchers that have a huge amount of skills in pen testing and much more than that. Because we know the curated aspect of that researcher, we can bring those skills to bear.

RELATED SwigCast, Episode 1: HACKERS