When the US Air Force was preparing to launch its cloud-based Common Computing Environment (USAF CCE), they realized that their new system would be a target of choice for large, well-organized criminal gangs and foreign governments—entities that often work closely together. To defend the USAF CCE against these attackers, the Air Force chose to bring in an army of their own. They engaged with Bugcrowd, which has made a business out of crowdsourcing cybersecurity.
“Cybersecurity is much more of a people problem than it is a technology problem,” said Casey Ellis, Bugcrowd’s Chairman, Founder and CTO. “The attackers have a lot of people. They work together. They share their best practices and exploits. On the defense side, there are usually not enough people available to explore vulnerabilities in depth. We address this gap through crowdsourcing.”
“Cybersecurity is much more of a people problem than it is a technology problem,” said Casey Ellis, Bugcrowd’s Chairman, Founder and CTO.
Bugcrowd has more than 150,000 white hat hackers available to attack clients’ applications and discover bugs. The company’s platform enables customers to set up “bug bounties,” where they pay a reward for each security vulnerability uncovered through ethical hacking. The hackers are under NDA and work in carefully controlled trust conditions.
In the case of the USAF CCE, Bugcrowd’s people found 54 vulnerabilities and earned a six-figure payday, collectively. “The advantage of the crowdsourced approach is that you get a huge variety of experiences and perspectives on security coming at the same problem. It’s always amazing to see what our crowdsourced resources can spot when they do their work.”
In the case of the USAF CCE, Bugcrowd’s people found 54 vulnerabilities and earned a six-figure payday, collectively.
One of Bugcrowd’s secrets of success is the culture and tone of its operation. “You can get into an adversarial relationship with the client if you don’t approach the task the right way,” Ellis explained. “System designers are sensitive to having flaws in their work revealed. But, as we explain in our engagement, you would much rather have one of us find a vulnerability than read about it on the front page of the Washington Post. And, as everyone knows, it’s impossible to see all of the vulnerabilities you have created in a system you designed. It’s just the nature of the technology world we live in today.”